CEH Certified Ethical Hacker Practice Exams by Matt Walker

Author: Matt Walker
Language: eng
Format: epub
Tags: -
Publisher: McGraw-Hill Education
Published: 2014-06-17T16:00:00+00:00


What is the attacker attempting to perform?

A. A SQL injection attack against the blog’s underlying database

B. A cross-site scripting attack

C. A buffer overflow DoS attack

D. A file injection DoS attack

 B. This is a classic (an overly simplified but classic nonetheless) example of cross-site scripting. In a blog, the post entry field is intended to take text entry from a visitor and copy it to a database in the background. What’s being attempted here is to have more than just the text copied—the <script> indicator is adding a nice little pointer to a naughty website. If it works, the next visitor to the site who clicks that news story will be redirected to the bad site location.

 A, C, and D are all incorrect because this example contains nothing to indicate a SQL injection or a buffer overflow. Additionally, the idea here is not to perform a denial of service. Actually, it’s quite the opposite: The attacker wants the site up and operational so more and more users can be sent to badsite.com.

26. An attacker attempts to manipulate an application by advancing the instruction pointer with a long run of instructions containing no action. What is this attack called?

A. File injection

B. Stack flipping

C. NOP-sled

D. Heap based

 C. Computer languages usually contain a command most CPUs will recognize as “do nothing.” This no-operation (NOP) instruction serves to advance an instruction pointer to a known memory area. The idea behind it is to provide time for unknown activities to occur until it’s time to execute the main code (avoiding an exception code and a halt to the system or application). For a ridiculously over-simplified example, if you were “coding” a human’s morning routine and wanted them to brush their teeth, you might provide a whole bunch of “do nothings” in front and behind the “pick up toothbrush, put toothpaste on brush, and so on” steps—to provide space for things you may not be aware of.

When it comes to attacks, hackers will send tons of NOP instructions in an effort to move the pointer to an area they control—and to execute the naughty payload there. This NOP-sled is relatively easy to see in action, and all IDSs will pick it up.

 A is incorrect because file injection occurs when the attacker injects a pointer in a web form input to an exploit hosted on a remote site. There is no file injection occurring in this example.

 B is incorrect because the term stack flipping is not a recognized term on the CEH exam and is included here as a distractor.

 D is incorrect because a heap-based buffer overflow deals with a buffer overflow specifically aimed at the lower part of the heap, to overwrite dynamic content there.
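The following C sketch is an added illustration, not code from the book, of the simplest check behind the IDS detection mentioned in the answer to question 26: scan a payload for a long run of the x86 single-byte NOP opcode (0x90). The function names, the 32-byte threshold and the sample payload are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X86_NOP      0x90u  /* x86 single-byte no-operation opcode */
#define SLED_MIN_RUN 32u    /* assumed alert threshold, tune per environment */

struct nop_run { size_t offset; size_t length; };  /* start and size of a run */

/* Find the longest run of consecutive 0x90 bytes in a payload. */
struct nop_run longest_nop_run(const uint8_t *buf, size_t len)
{
    struct nop_run best = {0, 0};
    size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] == X86_NOP) ? run + 1 : 0;
        if (run > best.length) {
            best.length = run;
            best.offset = i + 1 - run;
        }
    }
    return best;
}

/* Alert only when the longest run reaches the threshold. */
int has_nop_sled(const uint8_t *buf, size_t len, size_t min_run)
{
    return longest_nop_run(buf, len).length >= min_run;
}

/* Constructed sample: 8 ASCII bytes, `nops` NOP bytes, 4 filler bytes. */
size_t build_sample(uint8_t *out, size_t cap, size_t nops)
{
    if (nops > cap || cap - nops < 12) return 0;
    memcpy(out, "POSTDATA", 8);
    memset(out + 8, X86_NOP, nops);
    memset(out + 8 + nops, 0x41, 4);
    return nops + 12;
}

int main(void)
{
    uint8_t buf[128];
    size_t n = build_sample(buf, sizeof buf, 40);
    struct nop_run r = longest_nop_run(buf, n);
    printf("run of %zu at offset %zu, alert=%d\n",
           r.length, r.offset, has_nop_sled(buf, n, SLED_MIN_RUN));
    return 0;
}
```

A short run of 0x90 bytes can occur in ordinary binary data, which is why the check reports the run length and alerts only above a threshold.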

27. You are examining website files and find the following text file:
