securityCHPT3

terms

Question / Answer
zero day attacks exploit previously unknown vulnerabilities; no time to defend
securing web applications hardening the web server
securing web applications protecting the network
most common web application attacks cross site scripting
most common web application attacks sql injection
most common web application attacks xml injection
most common web application attacks command injection/directory traversal
cross site scripting injects script into a web application server to direct attacks at its clients
attacks that target applications web application attacks
attacks that target applications client side attacks
attacks that target applications buffer overflow attacks
cross site scripting refers to an attack using scripting that or
xss attack requires a web site to meet two criteria accepts user input without validating it
xss attack requires a web site to meet two criteria uses input in a response without encoding it
sql injection targets sql servers by injecting commands
sql used to view and manipulate data that is stored in a relational data base
zero day attacks exploit previously unknown vulnerabilities so victims have zero days to prepare
because the content of http transmissions is not examined attackers use this protocol to target flaws in web application software
cross site scripting xss
xss attack injects script into a web application server that will then direct attacks at clients
cross site scripting attacks uses the server as a platform to launch attacks on other computers that access it
cross site scripting attack a person visits an injected web site, the malicious instructions are sent to the victim's web browser and executed
other xss attacks designed to steal sensitive information that was retained when visiting sites
buffer overflow occurs when a process attempts to store data in ram beyond the boundaries of a fixed length storage buffer
xml extensible markup language
markup language method for adding annotations to the text so that the additions can be distinguished from the text itself
html markup language designed to display data with the primary focus on how the data looks
xml injection an attack that injects xml tags and data into a database
xpath injection operates on web sites that use user-supplied information to construct an XPath query for XML data
sql used to manipulate data stored in relational data base
sql injection targets sql servers by injecting commands
directory traversal attack an attack that takes advantage of a vulnerability in the web application program
command injection injecting and executing commands to execute on a server
to perform a directory traversal attack an attacker needs only a web browser, the location of default files, and directories on the system under attack
email address unknown indicates that user input is being properly filtered
server failure indicates that the user input is not being filtered; instead all user input is being sent directly to the database
xml designed to carry data instead of indicating how to display it
xml user defines their own tags
XML tags begin with the less-than character (“<”) and end with the greater-than character (“>”). You use tags to mark the start and end of elements, which are the logical units of information in an XML document tags
An element consists of a start tag, possibly followed by text and other complete elements, followed by an end tag. The following example highlights the tags to distinguish them from the text elements
markup language method for adding annotations to text
html uses tags surrounded by brackets
html instructs browser to display text in specific format
xpath injection attempts to exploit the xml path language queries that are built from user input
annotation note that is made while reading any form of text
html displays data
xml carries data
client side attacks targets vulnerabilities in client applications that interact with a compromised server or process malicious data
server side attacks web application attacks
drive by download a users computer becoming compromised just by viewing a web page and not even clicking any content
IFrame inline frame
iframe an html element that allows for embedding another html document inside the main document
common client side attacks header manipulation
common client side attacks cookies and attachments
common client side attacks session hijacking
common client side attacks malicious add ons
directory traversal attack attacker moves from root directory to restricted directories
command injection attack attackers enter commands to execute on a server
http header composed of fields that contain the different characteristics of the data that is being transmitted
http header attacks referer
http header attacks accept language
drive by download attackers craft a zero pixel frame to avoid visual detection
zero pixel iframe allows for embedding another html document inside the main document
http header fields referer
http header fields accept language
http header fields server
http header fields set cookie
types of cookies first party
types of cookies third party
types of cookies session
types of cookies persistent
types of cookies secure
types of cookies flash
arp part of the tcp/ip protocol for determining the mac address based on the ip address
first party cookie created from the web site that is currently being viewed
flash cookie local shared objects
flash cookie cannot be deleted through the browser's normal configuration settings
persistent cookie tracking cookie
persistent cookie recorded on the hard drive and doesn't expire when the browser closes
secure cookie used when a browser is visiting a server using a secure connection
session cookie stored in ram and only lasts for duration of the visit
syn flood attack takes advantage of the procedures for initiating a tcp session
transitive access an attack involving a third party to gain access rights
smurf attack broadcasts a ping to all computers on the network yet changes the address from which the request came to that of the target
type of dos attack ping flood
type of dos attack smurf attack
type of interception attack man in the middle
type of interception attack replay attack
distributed denial of service attack may use hundreds or thousands of zombie computers in a botnet to flood a device with requests
man in the middle attack makes it appear that two computers are communicating with each other when actually they are sending and receiving data with a pc in between
replay attack similar to man in the middle except a copy is made before transmitting
arp poisoning attack that corrupts the arp cache
dns poisoning attack that substitutes dns addresses so that the computer is automatically redirected to another device
types of attacks generated from arp poisoning steal data
types of attacks generated from arp poisoning prevent internet access
types of attacks generated from arp poisoning man in the middle
types of attacks generated from arp poisoning dos attack
cache temporary storage
domain name system a hierarchical name system for matching computer names and numbers
cookie a file on a local pc in which a server stores user specific information
cookie used to identify repeat visitors; only the site that created the cookie can read it
first party cookie created from the web site that a user is currently viewing
third party cookie site advertisers use these to record user preferences
flash cookie named after adobe flash player
respawning used to reinstate regular cookies that a user has deleted or blocked
flash cookies stored in multiple locations
session token used when a browser is visiting a server using a secure connection
session hijacking attackers attempt to impersonate user by stealing or guessing session token
session token random string assigned used for verification purposes
malicious addons programs that provide additional functionality to web browsers
Active X method to make programs interactive using a set of rules and controls
ping flood attack uses the internet control message protocol to flood a victim with packets
buffer overflow attack data overflows into adjacent memory locations
buffer overflow attack attackers can change return address
network attacks denial of service
network attack interception
network attack poisoning
network attack attack on access rights
spoofing impersonation of another computer or device
smurf attack ping request with originating address changed
syn flood attack uses the three way handshake to attack
man in the middle accept legitimate information and respond with counterfeit information
ddos virtually impossible to identify and block source of attack
most common dos attack distributed denial of service
man in the middle passive attack captures the data and uses it later
arp poisoning modify the mac address in the arp cache so that the corresponding ip address points to a different computer
arp the ip address is known but not the mac address; the sending pc sends out an arp packet to all pcs asking "is this your ip address"
host table lists the mappings of names to computer numbers
location for dns poisoning local host table
location for dns poisoning external dns server
domain name system expanded to a hierarchical name system for matching computer names and numbers
symbolic name
host table name system
zone transfers dns servers exchange information among themselves
access right attacks privilege escalation
access right attacks transitive access
Created by: cgeaski