OWASP Quiz Night

Make sure you name your answer sheet
Else no points for you

View Slide

Set 0, Q 0
How many types of NoSQL data store are
there?
A (< 50)
B (between 50 and 100)
C (between 101 and 200)
D (> 201)

View Slide

Set 0, Q 1
Is escaping a technique of:
A (validation)
B (filtering)
C (sanitisation)

View Slide

Set 0, Q 2
If you are using cookies for storage of
client-side session artefacts, what is your main
concern:
A (CSRF)
B (XSS)

View Slide

Set 0, Q 3
What are the OWASP recommendations for the
adaptive one-way KDF?
Adaptive because the workload increases each year to keep
up with advances in hardware technology. You now have
control of how slow you want it to be to crack those
passwords.
The count should be:
A (doubled each subsequent year),
B (tripled each subsequent year),
C (doubled each subsequent two years)

View Slide

Set 0, Q 4
Bracketing is a technique used:
A (By social engineers to elicit more precise information from a
target)
B (To force an attacker into a specific area of the targets network)
C (When building a threat modelling team to make sure you have
all the correct specialities represented within the team to be
effective)
D (To group types of security defects into particular types)

View Slide

Set 0, Q 5
How many types of escaping can you think of?
The team that gets closest gets the point.

View Slide

Set 0, Q 6
Which of the following XML metacharacters
would not be used to test for XML injection
vulnerabilities?
A (Single quotes: ')
B (Double quotes: ")
C (Angle brackets: ><)
D (Comma: ,)
E (Comment tags: )
F (Ampersand: &)
G (CDATA section delimiters: )

View Slide

Set 0, Q 7
We have a system that takes a username and password and
validates that both are correct in order to obtain information.
We use any password for the password input, and the following
string for the username:
jdeer")(&))("
What is the type of injection that we are using here?
A (SQL)
B (NoSQL)
C (XPath)
D (LDAP)
E (XML)
F (XQuery)
G (Command)
H (XSLT)
I (none of the above)

View Slide

Set 0, Q 8
What does the syntax in the system just
described that takes the username and
password look like? Closest answer gets a point

View Slide

Set 0, Q 9
What is the notation called in the previous
syntax?

View Slide

Hand in your answer sheet

View Slide

Set 0, A 0
How many types of NoSQL data store are
there?
A (< 50)
B (between 50 and 100)
C (between 101 and 200)
D (> 225)

View Slide

Set 0, A 1
Is escaping a technique of:
A (validation)
B (filtering)
C (sanitisation)

View Slide

Set 0, A 2
If you are using cookies for storage of
client-side session artefacts, what is your main
concern:
A (CSRF)
B (XSS)
Cookies are susceptible to both CSRF and XSS attacks
(although XSS to a lesser degree).
LocalStorage is only concerned with XSS.

View Slide

Set 0, A 3
What are the OWASP recommendations for the
adaptive one-way KDF?
The count should be:
A (doubled each subsequent year),
B (tripled each subsequent year),
C (doubled each subsequent two years)

View Slide

Set 0, A 4
Bracketing is a technique used:
A (By social engineers to elicit more precise information from a
target)
B (To force an attacker into a specific area of the targets network)
C (When building a threat modelling team to make sure you have
all the correct specialities represented within the team to be
effective)
D (To group types of security defects into particular types)

View Slide

Set 0, A 5
How many types of escaping can you think of?
The team that gets closest gets the point.
HTML Escape
Attribute Escape
JavaScript Escape
HTML Escape JSON values in HTML context
CSS Escape
URL Escape
Sanitise HTML
Prevent DOM-based XSS

View Slide

Set 0, A 6
Which of the following XML metacharacters
would not be used to test for XML injection
vulnerabilities?
A (Single quotes: ')
B (Double quotes: ")
C (Angle brackets: ><)
D (Comma: ,)
E (Comment tags: )
F (Ampersand: &)
G (CDATA section delimiters: )

View Slide

Set 0, A 7
We have a system that takes a username and password and
validates that both are correct in order to obtain information.
We use any password for the password input, and the following
string for the username:
jdeer")(&))("
What is the type of injection that we are using here?
A (SQL)
B (NoSQL)
C (XPath)
D (LDAP)
E (XML)
F (XQuery)
G (Command)
H (XSLT)
I (none of the above)

View Slide

Set 0, A 8
What does the syntax in the system just
described that takes the username and
password look like? Closest answer gets a point
string ldapLoginQuery = "(&(uId="jdeer")(userPassword="3xp10it3d"))";
With search filter applied:
string ldapLoginQuery = "(&(uId="jdeer")(&))("")(userPassword="incorrectpass"))";

View Slide

Set 0, A 9
What is the notation called in the previous
syntax?
Polish notation (PN), or normal Polish notation
(NPN), or simply prefix notation.

View Slide


View Slide

Set 1, Q 0
Which of the following functionalities should you
include in an authentication and session
management system?
A (Logout functionality)
B (Regular expressions)
C (Escaping functionality)
D (Forwarding system functionality)

View Slide

Set 1, Q 1
State whether the following statement is True or
False. When implementing an authentication or
session system, you should ensure that new
session IDs are not created at login.
A (True)
B (False)

View Slide

Set 1, Q 2
Which of the following is the best way to protect
a Web application from invalidated redirects and
forwards?
A (Validate the referrer header)
B (Use extended validation certificates)
C (Use the escaping technique)
D (Disallow requests to unauthorized file types)

View Slide

Set 1, Q 3
Which of the following procedures are involved
in the hardening process?
A (Disable unnecessary features)
B (Resubmit POST parameters during redirection)
C (Repeat the process at random intervals)
D (Update the environment with changes only when needed)

View Slide

Set 1, Q 4
Your application is created using a language
that does not support a clear distinction
between code and data. Which vulnerability is
most likely to occur in your application?
A (Insecure direct object references)
B (Failure to restrict URL access)
C (Injection)
D (Insufficient transport layer protection)

View Slide

Set 1, Q 5
Which of the following threats is most likely to
be caused by poor input validation?
A (Enabling of IPSec)
B (Insecure cryptographic storage)
C (Insufficient transport layer protection)
D (Insecure direct object reference)

View Slide

Set 1, Q 6
Which of the following is the best way to prevent
a DOM-based XSS attack?
A (Set the HttpOnly flag in cookies)
B (Validate any input that comes from another Web site)
C (Ensure that session IDs are not exposed in a URL)
D (Ensure that a different nonce is created for each request)

View Slide

Set 1, Q 7
Which of the following is an authentication
system mandatory requirement?
A (Form variables are used for managing session IDs)
B (Use a GOTCHA to prevent automated attacks)
C (User logout and session inactivity controls)
D (Session IDs are only accepted from cookies and
parameter variables)

View Slide

Set 1, Q 8
Which of the following consequences is most
likely to occur due to an injection attack?
A (Spoofing)
B (Cross-site request forgery)
C (Denial of service)
D (Insecure direct object references)

View Slide

Set 1, Q 9
Which of the following scenarios is most likely to
cause an injection attack?
A (Unvalidated input is embedded in an instruction stream)
B (Unvalidated input can be distinguished from valid instructions)
C (A Web application does not validate a client’s access to a
resource)
D (A Web action performs an operation on behalf of the user without
checking a shared secret)

View Slide


View Slide

Set 1, A 0
Which of the following functionalities should you
include in an authentication and session
management system?
A (Logout functionality)
B (Regular expressions)
C (Escaping functionality)
D (Forwarding system functionality)

View Slide

Set 1, A 1
State whether the following statement is True or
False. When implementing an authentication or
session system, you should ensure that new
session IDs are not created at login.
A (True)
B (False)

View Slide

Set 1, A 2
Which of the following is the best way to protect
a Web application from invalidated redirects and
forwards?
A (Validate the referrer header)
B (Use extended validation certificates)
C (Use the escaping technique)
D (Disallow requests to unauthorized file types)

View Slide

Set 1, A 3
Which of the following procedures are involved
in the hardening process?
A (Disable unnecessary features)
B (Resubmit POST parameters during redirection)
C (Repeat the process at random intervals)
D (Update the environment with changes only when needed)

View Slide

Set 1, A 4
Your application is created using a language
that does not support a clear distinction
between code and data. Which vulnerability is
most likely to occur in your application?
A (Insecure direct object references)
B (Failure to restrict URL access)
C (Injection)
D (Insufficient transport layer protection)

View Slide

Set 1, A 5
Which of the following threats is most likely to
be caused by poor input validation?
A (Enabling of IPSec)
B (Insecure cryptographic storage)
C (Insufficient transport layer protection)
D (Insecure direct object reference)

View Slide

Set 1, A 6
Which of the following is the best way to prevent
a DOM-based XSS attack?
A (Set the HttpOnly flag in cookies)
B (Validate any input that comes from another Web site)
C (Ensure that session IDs are not exposed in a URL)
D (Ensure that a different nonce is created for each request)

View Slide

Set 1, A 7
Which of the following is an authentication
system mandatory requirement?
A (Form variables are used for managing session IDs)
B (Use a GOTCHA to prevent automated attacks)
C (User logout and session inactivity controls)
D (Session IDs are only accepted from cookies and
parameter variables)

View Slide

Set 1, A 8
Which of the following consequences is most
likely to occur due to an injection attack?
A (Spoofing)
B (Cross-site request forgery)
C (Denial of service)
D (Insecure direct object references)

View Slide

Set 1, A 9
Which of the following scenarios is most likely to
cause an injection attack?
A (Unvalidated input is embedded in an instruction stream)
B (Unvalidated input can be distinguished from valid instructions)
C (A Web application does not validate a client’s access to a
resource)
D (A Web action performs an operation on behalf of the user without
checking a shared secret)

View Slide


View Slide

Set 2, Q 0
Who created the Sensible Security Model?
A (Adam Shostack)
B (Wil Allsopp)
C (OWASP)
D (Bruce Schneier)

View Slide

Set 2, Q 1
What are the five steps of the Sensible Security
Model?

View Slide

Set 2, Q 2
What is the name of the OSINT tool used to
gather info from github accounts?
A (gitrob)
B (gitlifter)
C (gitrape)
D (gitloot)
E (gitclone)

View Slide

Set 2, Q 3
What is the name of this NMap scan:
nmap -D ,,,,,ME

View Slide

Set 2, Q 4
What does the ME specify in the previous
question?

View Slide

Set 2, Q 5
Name three DNS recon tools.

View Slide

Set 2, Q 6
What would you use Dradis for?

View Slide

Set 2, Q 7
Collectd, statsd, Graphite: when combined are
an excellent suite of components for:
A (building intrusion detection systems)
B (statistical analysis of vulnerabilities in Docker images)
C (capturing and graphing VPS and application statistics)
D (file integrity checking and graphing)

View Slide


View Slide

Set 2, A 0
Who created the Sensible Security Model?
A (Adam Shostack)
B (Wil Allsopp)
C (OWASP)
D (Bruce Schneier)

View Slide

Set 2, A 1
What are the five steps of the Sensible Security
Model?
1. SSM Asset Identification
2. SSM Identify Risks
3. SSM Countermeasures
4. SSM Risks that Solution Causes
5. SSM Costs and Trade-offs

View Slide

Set 2, A 2
What is the name of the OSINT tool used to
gather info from github accounts?
A (gitrob)
B (gitlifter)
C (gitrape)
D (gitloot)
E (gitclone)

View Slide

Set 2, A 3
What is the name of this NMap scan:
nmap -D ,,,,,ME
Decoy

View Slide

Set 2, A 4
What does the ME specify in the previous
question?
Decoys your source address, if in 6th position or
later, even the best scan detectors are unlikely
to show your address at all

View Slide

Set 2, A 5
Name three DNS recon tools.
Domain Information Groper (dig)
dnsenum
dnsrecon

View Slide

Set 2, A 6
What would you use Dradis for?
Gathering, storage, sharing of OSINT

View Slide

Set 2, A 7
Collectd, statsd, Graphite: when combined are
an excellent suite of components for:
A (building intrusion detection systems)
B (statistical analysis of vulnerabilities in Docker images)
C (capturing and graphing VPS and application statistics)
D (file integrity checking and graphing)

View Slide


View Slide

Set 3, Q 0
Where is the cheapest place to find and deal
with not just security defects, but all defects?

View Slide

Set 3, Q 1
Baiting, Reciprocity, Scarcity are commonly
used:
A (In reconnaissance)
B (By anti virus)
C (In social engineering)
D (When planning for physical security)

View Slide

Set 3, Q 2
What is the concept or principle behind the
JavaScript supersets: Flow and TypeScript
A (Liskov Substitution principle)
B (Open/closed principle)
C (Interface segregation principle)
D (Design by Contract)

View Slide

Set 3, Q 3
Which of the following is used to prevent
Clickjacking, also known as a "UI redress
attack"
A (HTTPS Connection)
B (X-Frame-Options HTTP Header)
C (Content-Security-Policy HTTP Header)
D (None of the above)

View Slide

Set 3, Q 4
The following are the steps taken in a specific order by the Diffie-Hellman key
agreement, used as part of negotiating a session key for SSH for example.
Place the steps into the correct order.
E. Both client and server agree on a symmetric cipher, so that they are both
encrypting/decrypting with the same block cipher, usually AES
F. Each party then create a public key which they exchange with the other party. These
public keys are created using the symmetric cipher from step 2, the shared prime number
from step 1, and derived from the private key from step 3
C. Both client and server come to agreement on a seed value, that is a large prime
number
D. All communications from here on are encrypted with the same shared secret key, the
connection from here on is known as the binary packet protocol. Each party can use their
own shared secret key to encrypt and decrypt, messages from the other party
A. Each party then creates another prime number of their own to be used as a private key
for this ephemeral DH interaction
B. The party receiving the other parties public key, uses this, along with their own private
key, and the shared prime number from step 1 to compute their own secret key. Because
each party does the same, they both arrive at the same (shared/symmetric/secret) key.

View Slide

Set 3, Q 5
What is the best investment you can make in order to add
security to your Dockerised components?
A (Use Control Groups to limit, track and monitor the resources
available to each container)
B (Reduce the number of System calls that can be made from within
your container)
C (Change the default user from root to one of lower privileges)
D (Improve application security)
E (Fine tune the Linux Namespaces (mnt, PID, net, UTS, IPC, user))
F (Make sure the images you are consuming have been checked with
the likes of (Haskell Dockerfile Linter, Lynis, Docker Bench, CoreOS
Clair, Banyanops collector, Anchore, TwistLock, Drydock, Actuary))

View Slide

Set 3, Q 6
How many capabilities are there in Linux?
A (12)
B (38)
C (48)
D (>300)

View Slide

Set 3, Q 7
How many system calls are enabled by default
with SecComp in the Linux kernel?
A (<50)
B (>100)
C (>200)
D (>300)

View Slide

Set 3, Q 8
How many system calls does the default Docker
container profile disable?
A (38)
B (44)
C (>100)
D (>200)

View Slide


View Slide

Set 3, A 0
Where is the cheapest place to find and deal
with not just security defects, but all defects?
Up front

View Slide

Set 3, A 1
Baiting, Reciprocity, Scarcity are commonly
used:
A (In reconnaissance)
B (By anti virus)
C (In social engineering)
D (When planning for physical security)

View Slide

Set 3, A 2
What is the concept or principle behind the
JavaScript supersets: Flow and TypeScript
A (Liskov Substitution principle)
B (Open/closed principle)
C (Interface segregation principle)
D (Design by Contract) (DbC) enforces
preconditions, postconditions and invariants in
our routines

View Slide

Set 3, A 3
Which of the following is used to prevent
Clickjacking, also known as a "UI redress
attack"
A (HTTPS Connection)
B (X-Frame-Options HTTP Header)
C (Content-Security-Policy HTTP Header)
D (None of the above)

View Slide

Set 3, A 4
The following are the steps taken in a specific order by the Diffie-Hellman key
agreement, used as part of negotiating a session key for SSH for example.
Place the steps into the correct order.
C. Both client and server come to agreement on a seed value, that is a large prime
number
E. Both client and server agree on a symmetric cipher, so that they are both
encrypting/decrypting with the same block cipher, usually AES
A. Each party then creates another prime number of their own to be used as a private key
for this ephemeral DH interaction
F. Each party then create a public key which they exchange with the other party. These
public keys are created using the symmetric cipher from step 2, the shared prime number
from step 1, and derived from the private key from step 3
B. The party receiving the other parties public key, uses this, along with their own private
key, and the shared prime number from step 1 to compute their own secret key. Because
each party does the same, they both arrive at the same (shared/symmetric/secret) key.
D. All communications from here on are encrypted with the same shared secret key, the
connection from here on is known as the binary packet protocol. Each party can use their
own shared secret key to encrypt and decrypt, messages from the other party

View Slide

Set 3, A 5
What is the best investment you can make in order to add
security to your Dockerised components?
A (Use Control Groups to limit, track and monitor the resources
available to each container)
B (Reduce the number of System calls that can be made from within
your container)
C (Change the default user from root to one of lower privileges)
D (Improve application security)
E (Fine tune the Linux Namespaces (mnt, PID, net, UTS, IPC, user))
F (Make sure the images you are consuming have been checked with
the likes of (Haskell Dockerfile Linter, Lynis, Docker Bench, CoreOS
Clair, Banyanops collector, Anchore, TwistLock, Drydock, Actuary))

View Slide

Set 3, A 6
How many capabilities are there in Linux?
A (12)
B (38)
C (48)
D (>300)

View Slide

Set 3, A 7
How many system calls are enabled by default
with SecComp in the Linux kernel?
A (<50)
B (>100)
C (>200)
D (>300)

View Slide

Set 3, A 8
How many system calls does the default Docker
container profile disable?
A (38)
B (44) … enough? Often only 3 or 4 are required
C (>100)
D (>200)

View Slide


View Slide

Set 4, Q 0
At what point would a Scrum Team usually
create Evil Test Conditions?
A (During Sprint Planning)
B (Immediately before pulling a Sprint Backlog Item into WIP)
C (Immediately after doing the code for a Sprint Backlog Item)
D (Immediately before Sprint Review)

View Slide

Set 4, Q 1
In which order should the following disciplines
for preventing the traversal of untrusted data
through the various execution contexts of your
application be performed?
A (sanitisation -> filtering -> validation)
B (validation -> filtering -> sanitisation)
C (filtering -> sanitisation -> validation)
D (sanitisation -> validation -> filtering)

View Slide

Set 4, Q 2
The sounding board technique is used by social
engineers to:
A (Gain additional information from your target using flattery)
B (Elicit information by stating deliberate false statements in the
hopes that your target will correct you with the accurate
information)
C (Create an environment where the target will feel comfortable
about grumbling or bragging about their situation and thus divulge
useful information)
D (elicit sensitive information from the target by pretending to
divulge confidential information to them)

View Slide

Set 4, Q 3
In what order would the following steps take
place in a social engineering engagement:
Exploitation
Connecting with target
Reconnaissance
Execution/Exit

View Slide

Set 4, Q 4
One of the most effective and legal ways of obtaining quality
information on a target is to hire their staff by offering them a
better deal.
Which of the following activities does not fit into the list of
Morale, Productivity and Engagement Killers that will make
technical staff more likely to be snatched?
A (Adding people to a late project)
B (Noisy, Crowded Offices)
C (Uninterrupted development time)
D (Email)
E (Meetings)
F (Context switching)

View Slide

Set 4, Q 5
Which of the following tools is used for password
profiling?
A (Wordhoud)
B (Net-creds)
C (Spiderfoot)
D (Find-creds)
E (Crunch)
F (LinEnum)

View Slide

Set 4, Q 6
Explain what Fortress Mentality is

View Slide

Set 4, Q 7
If I leave my computer locked when I leave it, is
it safe?
Provide (yes or no) and a creative answer

View Slide

Set 4, Q 8
When I leave my computer and I'm logged out,
is it safe?

View Slide

Set 4, Q 9
How can physical service labels be used against
an organisation?

View Slide


View Slide

Set 4, A 0
At what point would a Scrum Team usually
create Evil Test Conditions?
A (During Sprint Planning)
B (Immediately before pulling a Sprint Backlog Item into WIP)
C (Immediately after doing the code for a Sprint Backlog Item)
D (Immediately before Sprint Review)

View Slide

Set 4, A 1
In which order should the following disciplines
for preventing the traversal of untrusted data
through the various execution contexts of your
application be performed?
A (sanitisation -> filtering -> validation)
B (validation -> filtering -> sanitisation)
C (filtering -> sanitisation -> validation)
D (sanitisation -> validation -> filtering)

View Slide

Set 4, A 2
The sounding board technique is used by social
engineers to:
A (Gain additional information from your target using flattery)
B (Elicit information by stating deliberate false statements in the
hopes that your target will correct you with the accurate
information)
C (Create an environment where the target will feel comfortable
about grumbling or bragging about their situation and thus divulge
useful information)
D (elicit sensitive information from the target by pretending to
divulge confidential information to them)

View Slide

Set 4, A 3
In what order would the following steps take
place in a social engineering engagement:
Reconnaissance
Connecting with target
Exploitation
Execution/Exit

View Slide

Set 4, A 4
One of the most effective and legal ways of obtaining quality
information on a target is to hire their staff by offering them a
better deal.
Which of the following activities does not fit into the list of
Morale, Productivity and Engagement Killers that will make
technical staff more likely to be snatched?
A (Adding people to a late project)
B (Noisy, Crowded Offices)
C (Uninterrupted development time)
D (Email)
E (Meetings)
F (Context switching)

View Slide

Set 4, A 5
Which of the following tools is used for password
profiling?
A (Wordhoud)
B (Net-creds)
C (Spiderfoot)
D (Find-creds)
E (Crunch)
F (LinEnum)

View Slide

Set 4, A 6
Explain what Fortress Mentality is
The mentality that internals are safe and that
attackers only exist on the outside (applicable in
physical and network security)

View Slide

Set 4, A 7
If I leave my computer locked when I leave it, is
it safe?
Probably not, depends on physical and network
access and what ports you have open and what
is listening on them.

View Slide

Set 4, A 8
When I leave my computer and I'm logged out,
is it safe?
Not a lot of difference to the previous answer.

View Slide

Set 4, A 9
How can physical service labels be used against
an organisation?
Potentially valuable information can be obtained
about who the service agents are, which can be
used to build a pretext for social engineering the
target

View Slide

Time to add scores...

View Slide

OWASP Quiz Night

OWASP Quiz Night

Kim Carter

More Decks by Kim Carter

Other Decks in Technology

Featured

Transcript