OWASP Quiz Night

Kim Carter

June 30, 2017
Transcript

  1. Make sure you name your answer sheet
    Else no points for you

  2. Set 0, Q 0
    How many types of NoSQL data store are
    there?
    A (< 50)
    B (between 50 and 100)
    C (between 101 and 200)
    D (> 201)

  3. Set 0, Q 1
    Is escaping a technique of:
    A (validation)
    B (filtering)
    C (sanitisation)

  4. Set 0, Q 2
    If you are using cookies for storage of
    client-side session artefacts, what is your main
    concern:
    A (CSRF)
    B (XSS)

  5. Set 0, Q 3
    What are the OWASP recommendations for the
    adaptive one-way KDF?
    Adaptive because the workload can be raised over time to keep
    up with advances in hardware; you control how slow it is to
    crack those passwords.
    The count should be:
    A (doubled each subsequent year),
    B (tripled each subsequent year),
    C (doubled each subsequent two years)

  6. Set 0, Q 4
    Bracketing is a technique used:
    A (By social engineers to elicit more precise information from a
    target)
    B (To force an attacker into a specific area of the target's network)
    C (When building a threat modelling team to make sure you have
    all the correct specialities represented within the team to be
    effective)
    D (To group types of security defects into particular types)

  7. Set 0, Q 5
    How many types of escaping can you think of?
    The team that gets closest gets the point.

  8. Set 0, Q 6
    Which of the following XML metacharacters
    would not be used to test for XML injection
    vulnerabilities?
    A (Single quotes: ')
    B (Double quotes: ")
    C (Angle brackets: ><)
    D (Comma: ,)
    E (Comment tags: <!-- -->)
    F (Ampersand: &)
    G (CDATA section delimiters: <![CDATA[ ]]>)

  9. Set 0, Q 7
    We have a system that takes a username and password and
    validates that both are correct in order to obtain information.
    We use any password for the password input, and the following
    string for the username:
    jdeer")(&))("
    What is the type of injection that we are using here?
    A (SQL)
    B (NoSQL)
    C (XPath)
    D (LDAP)
    E (XML)
    F (XQuery)
    G (Command)
    H (XSLT)
    I (none of the above)

  10. Set 0, Q 8
    What does the syntax in the system just
    described that takes the username and
    password look like? Closest answer gets a point

  11. Set 0, Q 9
    What is the notation called in the previous
    syntax?

  12. Hand in your answer sheet

  13. Set 0, A 0
    How many types of NoSQL data store are
    there?
    A (< 50)
    B (between 50 and 100)
    C (between 101 and 200)
    D (> 225)

  14. Set 0, A 1
    Is escaping a technique of:
    A (validation)
    B (filtering)
    C (sanitisation)

  15. Set 0, A 2
    If you are using cookies for storage of
    client-side session artefacts, what is your main
    concern:
    A (CSRF)
    B (XSS)
    Cookies are sent automatically by the browser, so they are exposed to
    CSRF; they are also exposed to XSS unless flagged HttpOnly (hence XSS
    to a lesser degree). LocalStorage is never sent automatically, so its
    only concern is XSS.

  16. Set 0, A 3
    What are the OWASP recommendations for the
    adaptive one-way KDF?
    The count should be:
    A (doubled each subsequent year),
    B (tripled each subsequent year),
    C (doubled each subsequent two years)
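
    Added example (not from the deck): storing the KDF work factor alongside each hash so it can be raised on whichever doubling schedule you adopt, and re-hashing a user's password on their next successful login. PBKDF2-HMAC-SHA256 from the Python standard library stands in for the adaptive one-way KDF (OWASP also lists bcrypt, scrypt and Argon2); the record layout, the target_iterations schedule helper and the sample password are constructed for illustration.

```python
"""Adaptive password hashing: keep the work factor with the hash and raise it over time."""
import hashlib
import hmac
import secrets

HASH_NAME = "sha256"
DK_LEN = 32  # bytes of derived key to store


def target_iterations(base_iterations, base_year, current_year, doubling_period_years):
    """Work factor due in current_year if the count doubles once per doubling_period_years.
    The period is a parameter because the schedule is a policy choice."""
    elapsed_periods = max(0, current_year - base_year) // doubling_period_years
    return base_iterations * 2 ** elapsed_periods


def hash_password(password, iterations, salt=None):
    """Hash with a fresh 16-byte random salt; the iteration count is stored in the
    record so that old hashes can be recognised and upgraded later."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, DK_LEN)
    return {
        "alg": "pbkdf2-" + HASH_NAME,
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(record, password):
    """Recompute with the record's own salt and iteration count; constant-time compare."""
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME,
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
        DK_LEN,
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def verify_and_upgrade(record, password, current_target):
    """Login-time check. Returns (ok, new_record): new_record is a re-hash at the
    current target work factor when the stored one is below it, otherwise None.
    The plaintext is only available at login, so this is the moment to upgrade."""
    if not verify_password(record, password):
        return False, None
    if record["iterations"] >= current_target:
        return True, None
    return True, hash_password(password, current_target)


if __name__ == "__main__":
    # Constructed sample: a hash created under an older, lower work factor.
    old = hash_password("correct horse battery staple", 100_000)
    due = target_iterations(100_000, 2017, 2021, 2)
    ok, upgraded = verify_and_upgrade(old, "correct horse battery staple", due)
    print(ok, old["iterations"], "->", upgraded["iterations"] if upgraded else "unchanged")
```

    Persist the returned record when verify_and_upgrade hands one back; users who never log in keep their old work factor, so a periodic report on the iterations column shows how much of the store is still below target.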

  17. Set 0, A 4
    Bracketing is a technique used:
    A (By social engineers to elicit more precise information from a
    target)
    B (To force an attacker into a specific area of the target's network)
    C (When building a threat modelling team to make sure you have
    all the correct specialities represented within the team to be
    effective)
    D (To group types of security defects into particular types)

  18. Set 0, A 5
    How many types of escaping can you think of?
    The team that gets closest gets the point.
    HTML Escape
    Attribute Escape
    JavaScript Escape
    HTML Escape JSON values in HTML context
    CSS Escape
    URL Escape
    Sanitise HTML
    Prevent DOM-based XSS
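
    Added example (not from the deck): one encoder per execution context for the escaping types listed above, run over a constructed attacker string. The encoders follow the OWASP XSS Prevention Cheat Sheet rules that the list refers to; the function names and the payload are this example's own. "Sanitise HTML" (use a sanitiser library for rich text) and "Prevent DOM-based XSS" are policies rather than encoders, so they have no function here.

```python
"""Context-specific output escaping: a different encoder for each place untrusted data lands."""
import html
import json
from urllib.parse import quote

# Constructed sample input: an attacker-controlled string aimed at an HTML page.
PAYLOAD = '"><script>alert(1)</script>'


def _hex_escape(value, fmt):
    """Escape every character except ASCII letters and digits using fmt(char)."""
    return "".join(c if (c.isascii() and c.isalnum()) else fmt(c) for c in value)


def escape_html_body(value):
    # HTML element content: & < > " ' become entities.
    return html.escape(value, quote=True)


def escape_html_attribute(value):
    # Attribute values: &#xHH; for everything non-alphanumeric, so the value stays
    # inert even if a developer left the attribute unquoted.
    return _hex_escape(value, lambda c: f"&#x{ord(c):02X};")


def escape_js_string(value):
    # Inside a quoted JavaScript string literal: \xHH, or \uHHHH above Latin-1.
    # "</script>" can no longer close the script block once encoded this way.
    return _hex_escape(
        value, lambda c: f"\\x{ord(c):02X}" if ord(c) < 256 else f"\\u{ord(c):04X}"
    )


def escape_css_string(value):
    # Inside a CSS property value: six-digit hex escapes need no trailing space.
    return _hex_escape(value, lambda c: f"\\{ord(c):06X}")


def escape_url_component(value):
    # A single query-string parameter value: percent-encode all but unreserved chars.
    return quote(value, safe="")


def embed_json_in_html(data):
    # JSON for the page to JSON.parse() later: HTML-escape the whole document and
    # place it in a hidden element rather than echoing it into a <script> block.
    return html.escape(json.dumps(data), quote=True)


def decode_embedded_json(escaped):
    # What the page-side JSON.parse(element.textContent) recovers.
    return json.loads(html.unescape(escaped))


def escape_for_all_contexts(value):
    """Encode the same input for each context, side by side."""
    return {
        "html": escape_html_body(value),
        "attribute": escape_html_attribute(value),
        "javascript": escape_js_string(value),
        "css": escape_css_string(value),
        "url": escape_url_component(value),
    }


if __name__ == "__main__":
    for context, encoded in escape_for_all_contexts(PAYLOAD).items():
        print(f"{context:>10}: {encoded}")
```

    The important property is that each encoder is chosen by the context the data is written into, not by where it came from; HTML-escaping a value that then lands inside an onclick attribute or a <script> block leaves it exploitable.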

  19. Set 0, A 6
    Which of the following XML metacharacters
    would not be used to test for XML injection
    vulnerabilities?
    A (Single quotes: ')
    B (Double quotes: ")
    C (Angle brackets: ><)
    D (Comma: ,)
    E (Comment tags: <!-- -->)
    F (Ampersand: &)
    G (CDATA section delimiters: <![CDATA[ ]]>)

  20. Set 0, A 7
    We have a system that takes a username and password and
    validates that both are correct in order to obtain information.
    We use any password for the password input, and the following
    string for the username:
    jdeer")(&))("
    What is the type of injection that we are using here?
    A (SQL)
    B (NoSQL)
    C (XPath)
    D (LDAP)
    E (XML)
    F (XQuery)
    G (Command)
    H (XSLT)
    I (none of the above)

  21. Set 0, A 8
    What does the syntax in the system just
    described that takes the username and
    password look like? Closest answer gets a point
    string ldapLoginQuery = "(&(uId="jdeer")(userPassword="3xp10it3d"))";
    With the injected username substituted into the filter:
    string ldapLoginQuery = "(&(uId="jdeer")(&))("")(userPassword="incorrectpass"))";
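
    Added example (not from the deck): the slide's concatenated login filter next to an RFC 4515-escaped version, with a small check showing which part of the injected filter an LDAP server would actually evaluate. The attribute names and the username payload follow the slide; first_complete_filter is a teaching helper written for this example, not an LDAP library call.

```python
"""LDAP filter injection: raw concatenation versus RFC 4515 value escaping."""

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion
# value so that user input cannot open or close filter components.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The username from the slide (constructed attacker input).
PAYLOAD = 'jdeer")(&))("'


def escape_filter_value(value):
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(username, password):
    """The slide's template with raw concatenation. The double quotes are ordinary
    value characters in LDAP, not delimiters, so they protect nothing."""
    return '(&(uId="' + username + '")(userPassword="' + password + '"))'


def build_filter_safe(username, password):
    """Same template, but every operand is escaped before it is spliced in."""
    return (
        '(&(uId="' + escape_filter_value(username)
        + '")(userPassword="' + escape_filter_value(password) + '"))'
    )


def first_complete_filter(ldap_filter):
    """Return the prefix up to the point where the parentheses first balance.
    A server parses exactly one filter; a lenient one ignores whatever trails it,
    which is what the injection relies on."""
    depth = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return ldap_filter[: i + 1]
    return ldap_filter  # never balanced: a server rejects this outright


def password_is_checked(ldap_filter):
    """True if the filter the server evaluates still contains the password clause."""
    return "userPassword" in first_complete_filter(ldap_filter)


if __name__ == "__main__":
    vulnerable = build_filter_vulnerable(PAYLOAD, "incorrectpass")
    print("sent:      ", vulnerable)
    print("evaluated: ", first_complete_filter(vulnerable))
    print("password checked:", password_is_checked(vulnerable))
    print("escaped:   ", build_filter_safe(PAYLOAD, "incorrectpass"))
```

    Escaping keeps the filter shape fixed; the stronger fix is to bind the password with an LDAP bind operation as that user instead of comparing userPassword in a search filter at all.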

  22. Set 0, A 9
    What is the notation called in the previous
    syntax?
    Polish notation (PN), or normal Polish notation
    (NPN), or simply prefix notation.

  23. Make sure you name your answer sheet
    Else no points for you

  24. Set 1, Q 0
    Which of the following functionalities should you
    include in an authentication and session
    management system?
    A (Logout functionality)
    B (Regular expressions)
    C (Escaping functionality)
    D (Forwarding system functionality)

  25. Set 1, Q 1
    State whether the following statement is True or
    False. When implementing an authentication or
    session system, you should ensure that new
    session IDs are not created at login.
    A (True)
    B (False)

  26. Set 1, Q 2
    Which of the following is the best way to protect
    a Web application from unvalidated redirects and
    forwards?
    A (Validate the referrer header)
    B (Use extended validation certificates)
    C (Use the escaping technique)
    D (Disallow requests to unauthorized file types)

  27. Set 1, Q 3
    Which of the following procedures are involved
    in the hardening process?
    A (Disable unnecessary features)
    B (Resubmit POST parameters during redirection)
    C (Repeat the process at random intervals)
    D (Update the environment with changes only when needed)

  28. Set 1, Q 4
    Your application is created using a language
    that does not support a clear distinction
    between code and data. Which vulnerability is
    most likely to occur in your application?
    A (Insecure direct object references)
    B (Failure to restrict URL access)
    C (Injection)
    D (Insufficient transport layer protection)

  29. Set 1, Q 5
    Which of the following threats is most likely to
    be caused by poor input validation?
    A (Enabling of IPSec)
    B (Insecure cryptographic storage)
    C (Insufficient transport layer protection)
    D (Insecure direct object reference)

  30. Set 1, Q 6
    Which of the following is the best way to prevent
    a DOM-based XSS attack?
    A (Set the HttpOnly flag in cookies)
    B (Validate any input that comes from another Web site)
    C (Ensure that session IDs are not exposed in a URL)
    D (Ensure that a different nonce is created for each request)

  31. Set 1, Q 7
    Which of the following is an authentication
    system mandatory requirement?
    A (Form variables are used for managing session IDs)
    B (Use a GOTCHA to prevent automated attacks)
    C (User logout and session inactivity controls)
    D (Session IDs are only accepted from cookies and
    parameter variables)

  32. Set 1, Q 8
    Which of the following consequences is most
    likely to occur due to an injection attack?
    A (Spoofing)
    B (Cross-site request forgery)
    C (Denial of service)
    D (Insecure direct object references)

  33. Set 1, Q 9
    Which of the following scenarios is most likely to
    cause an injection attack?
    A (Unvalidated input is embedded in an instruction stream)
    B (Unvalidated input can be distinguished from valid instructions)
    C (A Web application does not validate a client’s access to a
    resource)
    D (A Web action performs an operation on behalf of the user without
    checking a shared secret)

  34. Hand in your answer sheet

  35. Set 1, A 0
    Which of the following functionalities should you
    include in an authentication and session
    management system?
    A (Logout functionality)
    B (Regular expressions)
    C (Escaping functionality)
    D (Forwarding system functionality)

  36. Set 1, A 1
    State whether the following statement is True or
    False. When implementing an authentication or
    session system, you should ensure that new
    session IDs are not created at login.
    A (True)
    B (False)

  37. Set 1, A 2
    Which of the following is the best way to protect
    a Web application from unvalidated redirects and
    forwards?
    A (Validate the referrer header)
    B (Use extended validation certificates)
    C (Use the escaping technique)
    D (Disallow requests to unauthorized file types)

  38. Set 1, A 3
    Which of the following procedures are involved
    in the hardening process?
    A (Disable unnecessary features)
    B (Resubmit POST parameters during redirection)
    C (Repeat the process at random intervals)
    D (Update the environment with changes only when needed)

  39. Set 1, A 4
    Your application is created using a language
    that does not support a clear distinction
    between code and data. Which vulnerability is
    most likely to occur in your application?
    A (Insecure direct object references)
    B (Failure to restrict URL access)
    C (Injection)
    D (Insufficient transport layer protection)

  40. Set 1, A 5
    Which of the following threats is most likely to
    be caused by poor input validation?
    A (Enabling of IPSec)
    B (Insecure cryptographic storage)
    C (Insufficient transport layer protection)
    D (Insecure direct object reference)

  41. Set 1, A 6
    Which of the following is the best way to prevent
    a DOM-based XSS attack?
    A (Set the HttpOnly flag in cookies)
    B (Validate any input that comes from another Web site)
    C (Ensure that session IDs are not exposed in a URL)
    D (Ensure that a different nonce is created for each request)

  42. Set 1, A 7
    Which of the following is an authentication
    system mandatory requirement?
    A (Form variables are used for managing session IDs)
    B (Use a GOTCHA to prevent automated attacks)
    C (User logout and session inactivity controls)
    D (Session IDs are only accepted from cookies and
    parameter variables)

  43. Set 1, A 8
    Which of the following consequences is most
    likely to occur due to an injection attack?
    A (Spoofing)
    B (Cross-site request forgery)
    C (Denial of service)
    D (Insecure direct object references)

  44. Set 1, A 9
    Which of the following scenarios is most likely to
    cause an injection attack?
    A (Unvalidated input is embedded in an instruction stream)
    B (Unvalidated input can be distinguished from valid instructions)
    C (A Web application does not validate a client’s access to a
    resource)
    D (A Web action performs an operation on behalf of the user without
    checking a shared secret)

  45. Make sure you name your answer sheet
    Else no points for you

  46. Set 2, Q 0
    Who created the Sensible Security Model?
    A (Adam Shostack)
    B (Wil Allsopp)
    C (OWASP)
    D (Bruce Schneier)

  47. Set 2, Q 1
    What are the five steps of the Sensible Security
    Model?

  48. Set 2, Q 2
    What is the name of the OSINT tool used to
    gather info from github accounts?
    A (gitrob)
    B (gitlifter)
    C (gitrape)
    D (gitloot)
    E (gitclone)

  49. Set 2, Q 3
    What is the name of this NMap scan:
    nmap -D <decoy1>,<decoy2>,<decoy3>,<decoy4>,<decoy5>,ME

  50. Set 2, Q 4
    What does the ME specify in the previous
    question?

  51. Set 2, Q 5
    Name three DNS recon tools.

  52. Set 2, Q 6
    What would you use Dradis for?

  53. Set 2, Q 7
    Collectd, statsd, Graphite: when combined are
    an excellent suite of components for:
    A (building intrusion detection systems)
    B (statistical analysis of vulnerabilities in Docker images)
    C (capturing and graphing VPS and application statistics)
    D (file integrity checking and graphing)

  54. Hand in your answer sheet

  55. Set 2, A 0
    Who created the Sensible Security Model?
    A (Adam Shostack)
    B (Wil Allsopp)
    C (OWASP)
    D (Bruce Schneier)

  56. Set 2, A 1
    What are the five steps of the Sensible Security
    Model?
    1. SSM Asset Identification
    2. SSM Identify Risks
    3. SSM Countermeasures
    4. SSM Risks that Solution Causes
    5. SSM Costs and Trade-offs

  57. Set 2, A 2
    What is the name of the OSINT tool used to
    gather info from github accounts?
    A (gitrob)
    B (gitlifter)
    C (gitrape)
    D (gitloot)
    E (gitclone)

  58. Set 2, A 3
    What is the name of this NMap scan:
    nmap -D <decoy1>,<decoy2>,<decoy3>,<decoy4>,<decoy5>,ME
    Decoy

  59. Set 2, A 4
    What does the ME specify in the previous
    question?
    ME marks where your real source address sits among the decoys.
    If it is in the 6th position or later, even common scan detectors
    are unlikely to show your address at all.

  60. Set 2, A 5
    Name three DNS recon tools.
    Domain Information Groper (dig)
    dnsenum
    dnsrecon

  61. Set 2, A 6
    What would you use Dradis for?
    Gathering, storage, sharing of OSINT

  62. Set 2, A 7
    Collectd, statsd, Graphite: when combined are
    an excellent suite of components for:
    A (building intrusion detection systems)
    B (statistical analysis of vulnerabilities in Docker images)
    C (capturing and graphing VPS and application statistics)
    D (file integrity checking and graphing)

  63. Make sure you name your answer sheet
    Else no points for you

  64. Set 3, Q 0
    Where is the cheapest place to find and deal
    with not just security defects, but all defects?

  65. Set 3, Q 1
    Baiting, Reciprocity, Scarcity are commonly
    used:
    A (In reconnaissance)
    B (By anti virus)
    C (In social engineering)
    D (When planning for physical security)

  66. Set 3, Q 2
    What is the concept or principle behind the
    JavaScript supersets: Flow and TypeScript
    A (Liskov Substitution principle)
    B (Open/closed principle)
    C (Interface segregation principle)
    D (Design by Contract)

  67. Set 3, Q 3
    Which of the following is used to prevent
    Clickjacking, also known as a "UI redress
    attack"
    A (HTTPS Connection)
    B (X-Frame-Options HTTP Header)
    C (Content-Security-Policy HTTP Header)
    D (None of the above)

  68. Set 3, Q 4
    The following are the steps taken in a specific order by the Diffie-Hellman key
    agreement, used as part of negotiating a session key for SSH for example.
    Place the steps into the correct order.
    E. Both client and server agree on a symmetric cipher, so that they are both
    encrypting/decrypting with the same block cipher, usually AES
    F. Each party then creates a public key, which it exchanges with the other party. These
    public keys are computed from the party's own private key from step 3 and the shared prime
    number (and generator) from step 1; the symmetric cipher from step 2 plays no part in this
    C. Both client and server come to agreement on a seed value, that is a large prime
    number (together with a generator for it)
    D. All communications from here on are encrypted with the same shared secret key, within
    what SSH calls the binary packet protocol. Each party uses its own copy of the shared
    secret key to encrypt and decrypt messages from the other party
    A. Each party then creates a random secret number of its own to be used as a private key
    for this ephemeral DH interaction
    B. The party receiving the other party's public key uses it, along with its own private
    key and the shared prime number from step 1, to compute the shared secret. Because
    each party does the same computation, they both arrive at the same (shared/symmetric/secret) key.

  69. Set 3, Q 5
    What is the best investment you can make in order to add
    security to your Dockerised components?
    A (Use Control Groups to limit, track and monitor the resources
    available to each container)
    B (Reduce the number of System calls that can be made from within
    your container)
    C (Change the default user from root to one of lower privileges)
    D (Improve application security)
    E (Fine tune the Linux Namespaces (mnt, PID, net, UTS, IPC, user))
    F (Make sure the images you are consuming have been checked with
    the likes of (Haskell Dockerfile Linter, Lynis, Docker Bench, CoreOS
    Clair, Banyanops collector, Anchore, TwistLock, Drydock, Actuary))

  70. Set 3, Q 6
    How many capabilities are there in Linux?
    A (12)
    B (38)
    C (48)
    D (>300)

  71. Set 3, Q 7
    How many system calls are enabled by default
    with SecComp in the Linux kernel?
    A (<50)
    B (>100)
    C (>200)
    D (>300)

  72. Set 3, Q 8
    How many system calls does the default Docker
    container profile disable?
    A (38)
    B (44)
    C (>100)
    D (>200)

  73. Hand in your answer sheet

  74. Set 3, A 0
    Where is the cheapest place to find and deal
    with not just security defects, but all defects?
    Up front

  75. Set 3, A 1
    Baiting, Reciprocity, Scarcity are commonly
    used:
    A (In reconnaissance)
    B (By anti virus)
    C (In social engineering)
    D (When planning for physical security)

  76. Set 3, A 2
    What is the concept or principle behind the
    JavaScript supersets: Flow and TypeScript
    A (Liskov Substitution principle)
    B (Open/closed principle)
    C (Interface segregation principle)
    D (Design by Contract) (DbC) enforces
    preconditions, postconditions and invariants in
    our routines

  77. Set 3, A 3
    Which of the following is used to prevent
    Clickjacking, also known as a "UI redress
    attack"
    A (HTTPS Connection)
    B (X-Frame-Options HTTP Header)
    C (Content-Security-Policy HTTP Header)
    D (None of the above)

  78. Set 3, A 4
    The following are the steps taken in a specific order by the Diffie-Hellman key
    agreement, used as part of negotiating a session key for SSH for example.
    Place the steps into the correct order.
    C. Both client and server come to agreement on a seed value, that is a large prime
    number (together with a generator for it)
    E. Both client and server agree on a symmetric cipher, so that they are both
    encrypting/decrypting with the same block cipher, usually AES
    A. Each party then creates a random secret number of its own to be used as a private key
    for this ephemeral DH interaction
    F. Each party then creates a public key, which it exchanges with the other party. These
    public keys are computed from the party's own private key from step 3 and the shared prime
    number (and generator) from step 1; the symmetric cipher from step 2 plays no part in this
    B. The party receiving the other party's public key uses it, along with its own private
    key and the shared prime number from step 1, to compute the shared secret. Because
    each party does the same computation, they both arrive at the same (shared/symmetric/secret) key.
    D. All communications from here on are encrypted with the same shared secret key, within
    what SSH calls the binary packet protocol. Each party uses its own copy of the shared
    secret key to encrypt and decrypt messages from the other party
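
    Added example (not from the deck): the ordered steps above carried out in plain Python, so the arithmetic makes clear that each public value depends only on the group (p, g) and that side's private exponent, never on the negotiated cipher, and that both sides reach the same secret. The group is the 1024-bit MODP group from RFC 2409, chosen because it is short enough to print; use 2048 bits or more in practice. The block sanity-checks the group with Miller-Rabin before trusting it and range-checks the peer's public value. Function names are this example's own.

```python
"""Ephemeral Diffie-Hellman, step by step in the order the slide gives."""
import secrets

# Step 1 (C): both sides agree on the group, a large prime p and a generator g.
# 1024-bit MODP group from RFC 2409 (Oakley group 2). Real deployments should use
# 2048 bits or more (RFC 3526 group 14, RFC 7919 ffdhe2048).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16,
)
G = 2

# Step 2 (E): the cipher is negotiated separately. It is only a label here,
# because it is not an input to any of the arithmetic below.
NEGOTIATED_CIPHER = "aes256-ctr"


def is_probable_prime(n, rounds=16):
    """Miller-Rabin, used to check group parameters before relying on them."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_private_key():
    # Step 3 (A): a fresh random secret exponent. It need not be prime, only
    # uniformly random and large; 256 bits is ample for this group.
    return secrets.randbits(256) | (1 << 255)


def compute_public_key(private, p=P, g=G):
    # Step 4 (F): g^private mod p. Only g, p and the private exponent take part.
    return pow(g, private, p)


def is_valid_public_value(peer_public, p=P):
    """Reject 0, 1 and p-1: a peer sending these forces a predictable secret."""
    return 2 <= peer_public <= p - 2


def compute_shared_secret(peer_public, private, p=P):
    # Step 5 (B): peer_public^private mod p, after validating the peer's value.
    if not is_valid_public_value(peer_public, p):
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def run_exchange():
    """Both sides of one exchange; returns (client_secret, server_secret).
    Step 6 (D) would derive session keys from this secret for NEGOTIATED_CIPHER."""
    a, b = generate_private_key(), generate_private_key()
    A, B = compute_public_key(a), compute_public_key(b)  # sent in the clear
    return compute_shared_secret(B, a), compute_shared_secret(A, b)


if __name__ == "__main__":
    assert is_probable_prime(P) and is_probable_prime((P - 1) // 2), "not a safe prime"
    client_secret, server_secret = run_exchange()
    print("secrets match:", client_secret == server_secret)
```

    The group check matters in practice as well as in class: a server that accepts a client-supplied non-prime or small-subgroup modulus lets an attacker shrink the key space, which is why SSH implementations ship fixed, vetted groups or validate the ones they receive.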

  79. Set 3, A 5
    What is the best investment you can make in order to add
    security to your Dockerised components?
    A (Use Control Groups to limit, track and monitor the resources
    available to each container)
    B (Reduce the number of System calls that can be made from within
    your container)
    C (Change the default user from root to one of lower privileges)
    D (Improve application security)
    E (Fine tune the Linux Namespaces (mnt, PID, net, UTS, IPC, user))
    F (Make sure the images you are consuming have been checked with
    the likes of (Haskell Dockerfile Linter, Lynis, Docker Bench, CoreOS
    Clair, Banyanops collector, Anchore, TwistLock, Drydock, Actuary))

  80. Set 3, A 6
    How many capabilities are there in Linux?
    A (12)
    B (38)
    C (48)
    D (>300)

  81. Set 3, A 7
    How many system calls are enabled by default
    with SecComp in the Linux kernel?
    A (<50)
    B (>100)
    C (>200)
    D (>300)

  82. Set 3, A 8
    How many system calls does the default Docker
    container profile disable?
    A (38)
    B (44) … is that enough? Most applications need only a small fraction of the 300+ syscalls the default profile still allows
    C (>100)
    D (>200)
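
    Added example (not from the deck): building a Docker seccomp profile as an allow-list, the inverse of the default profile's block-list of 44 syscalls, and checking what it permits. The syscall list is a constructed guess for a hypothetical static web server; derive your own by tracing the container (for example with strace) and expect to adjust it. The profile field names (defaultAction, architectures, syscalls[].names, syscalls[].action) are Docker's; everything else is this example's own.

```python
"""Generate an allow-list seccomp profile for a container and query it."""
import json

# Constructed allow-list for a hypothetical static web server: what a small
# network daemon needs to start, serve requests and exit. Trace your own image
# and add entries only when something actually fails with EPERM.
ALLOWED_SYSCALLS = [
    "accept4", "bind", "brk", "close", "epoll_create1", "epoll_ctl",
    "epoll_wait", "exit", "exit_group", "fstat", "futex", "getpid", "listen",
    "mmap", "mprotect", "munmap", "openat", "read", "recvfrom", "rt_sigaction",
    "rt_sigprocmask", "sendto", "setsockopt", "socket", "write", "writev",
]


def build_allowlist_profile(allowed, arch="SCMP_ARCH_X86_64"):
    """Everything not listed is refused with EPERM (SCMP_ACT_ERRNO), so a syscall
    reached by an exploit payload fails instead of succeeding silently."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": [arch],
        "syscalls": [
            {"names": sorted(set(allowed)), "action": "SCMP_ACT_ALLOW"},
        ],
    }


def syscall_action(profile, name):
    """Return the action the profile applies to the named syscall."""
    for rule in profile["syscalls"]:
        if name in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]


def allowed_count(profile):
    """How many syscalls the profile lets through; compare with the 300+ of the default."""
    return sum(
        len(rule["names"]) for rule in profile["syscalls"] if rule["action"] == "SCMP_ACT_ALLOW"
    )


def blocked_syscalls(profile, candidates):
    """Which of a set of interesting syscalls this profile refuses."""
    return sorted(c for c in candidates if syscall_action(profile, c) != "SCMP_ACT_ALLOW")


def write_profile(profile, path):
    with open(path, "w") as fh:
        json.dump(profile, fh, indent=2)


if __name__ == "__main__":
    profile = build_allowlist_profile(ALLOWED_SYSCALLS)
    write_profile(profile, "webserver-seccomp.json")
    print("allowed:", allowed_count(profile))
    print("blocked:", blocked_syscalls(profile, ["ptrace", "mount", "kexec_load", "read"]))
```

    Run the image with docker run --security-opt seccomp=webserver-seccomp.json --cap-drop ALL --cap-add NET_BIND_SERVICE --user 1000:1000 <image>, which combines options B, C and E from the question: a syscall allow-list, no capabilities beyond the one needed to bind port 80, and a non-root user.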

  83. Make sure you name your answer sheet
    Else no points for you

  84. Set 4, Q 0
    At what point would a Scrum Team usually
    create Evil Test Conditions?
    A (During Sprint Planning)
    B (Immediately before pulling a Sprint Backlog Item into WIP)
    C (Immediately after doing the code for a Sprint Backlog Item)
    D (Immediately before Sprint Review)

  85. Set 4, Q 1
    In which order should the following disciplines
    for preventing the traversal of untrusted data
    through the various execution contexts of your
    application be performed?
    A (sanitisation -> filtering -> validation)
    B (validation -> filtering -> sanitisation)
    C (filtering -> sanitisation -> validation)
    D (sanitisation -> validation -> filtering)

  86. Set 4, Q 2
    The sounding board technique is used by social
    engineers to:
    A (Gain additional information from your target using flattery)
    B (Elicit information by stating deliberate false statements in the
    hopes that your target will correct you with the accurate
    information)
    C (Create an environment where the target will feel comfortable
    about grumbling or bragging about their situation and thus divulge
    useful information)
    D (elicit sensitive information from the target by pretending to
    divulge confidential information to them)

  87. Set 4, Q 3
    In what order would the following steps take
    place in a social engineering engagement:
    Exploitation
    Connecting with target
    Reconnaissance
    Execution/Exit

  88. Set 4, Q 4
    One of the most effective and legal ways of obtaining quality
    information on a target is to hire their staff by offering them a
    better deal.
    Which of the following activities does not fit into the list of
    Morale, Productivity and Engagement Killers that will make
    technical staff more likely to be snatched?
    A (Adding people to a late project)
    B (Noisy, Crowded Offices)
    C (Uninterrupted development time)
    D (Email)
    E (Meetings)
    F (Context switching)

  89. Set 4, Q 5
    Which of the following tools is used for password
    profiling?
    A (Wordhound)
    B (Net-creds)
    C (Spiderfoot)
    D (Find-creds)
    E (Crunch)
    F (LinEnum)

  90. Set 4, Q 6
    Explain what Fortress Mentality is

  91. Set 4, Q 7
    If I leave my computer locked when I leave it, is
    it safe?
    Provide (yes or no) and a creative answer

  92. Set 4, Q 8
    When I leave my computer and I'm logged out,
    is it safe?
    Provide (yes or no) and a creative answer

  93. Set 4, Q 9
    How can physical service labels be used against
    an organisation?

  94. Hand in your answer sheet

  95. Set 4, A 0
    At what point would a Scrum Team usually
    create Evil Test Conditions?
    A (During Sprint Planning)
    B (Immediately before pulling a Sprint Backlog Item into WIP)
    C (Immediately after doing the code for a Sprint Backlog Item)
    D (Immediately before Sprint Review)

  96. Set 4, A 1
    In which order should the following disciplines
    for preventing the traversal of untrusted data
    through the various execution contexts of your
    application be performed?
    A (sanitisation -> filtering -> validation)
    B (validation -> filtering -> sanitisation)
    C (filtering -> sanitisation -> validation)
    D (sanitisation -> validation -> filtering)

  97. Set 4, A 2
    The sounding board technique is used by social
    engineers to:
    A (Gain additional information from your target using flattery)
    B (Elicit information by stating deliberate false statements in the
    hopes that your target will correct you with the accurate
    information)
    C (Create an environment where the target will feel comfortable
    about grumbling or bragging about their situation and thus divulge
    useful information)
    D (elicit sensitive information from the target by pretending to
    divulge confidential information to them)

  98. Set 4, A 3
    In what order would the following steps take
    place in a social engineering engagement:
    Reconnaissance
    Connecting with target
    Exploitation
    Execution/Exit

  99. Set 4, A 4
    One of the most effective and legal ways of obtaining quality
    information on a target is to hire their staff by offering them a
    better deal.
    Which of the following activities does not fit into the list of
    Morale, Productivity and Engagement Killers that will make
    technical staff more likely to be snatched?
    A (Adding people to a late project)
    B (Noisy, Crowded Offices)
    C (Uninterrupted development time)
    D (Email)
    E (Meetings)
    F (Context switching)

  100. Set 4, A 5
    Which of the following tools is used for password
    profiling?
    A (Wordhound)
    B (Net-creds)
    C (Spiderfoot)
    D (Find-creds)
    E (Crunch)
    F (LinEnum)

  101. Set 4, A 6
    Explain what Fortress Mentality is
    The mentality that internals are safe and that
    attackers only exist on the outside (applicable in
    physical and network security)

  102. Set 4, A 7
    If I leave my computer locked when I leave it, is
    it safe?
    Provide (yes or no) and a creative answer
    Probably not, depends on physical and network
    access and what ports you have open and what
    is listening on them.

  103. Set 4, A 8
    When I leave my computer and I'm logged out,
    is it safe?
    Provide (yes or no) and a creative answer
    Not a lot of difference to the previous answer.

  104. Set 4, A 9
    How can physical service labels be used against
    an organisation?
    Potentially valuable information can be obtained
    about who the service agents are, which can be
    used to build a pretext for social engineering the
    target

  105. Time to add scores...
