Question 71: CASBs can help enterprises boost security through all the following features and offerings, except:
A. Enabling two-factor authentication and other login security best practices
B. Helping reduce shadow IT control
C. Adding a layer of shielding for threat protection
D. Replacing data loss prevention mechanisms
Correct Answer: D. Replacing data loss prevention mechanisms
Explanation: CASBs can do all of these things except replace existing data loss prevention platforms. However, many CASBs integrate with data loss prevention tools to ensure data is not exfiltrated via cloud app connections.
Question 72: In which of the following exploits does an attacker insert malicious code into a link that appears to be from a trustworthy source?
A. XSS
B. Command injection
C. Path traversal attack
D. Buffer overflow
Correct Answer: A. XSS
Explanation: XSS attacks occur when an untrusted source injects code into an application or link that appears to be from a trusted source.
Question 73: In which of the following exploits does an attacker add SQL code to an application input form to gain access to resources or make changes to data?
A. XSS
B. Command injection
C. SQL injection
D. Buffer overflow
Correct Answer: C. SQL injection
Explanation: SQL injection attacks involve attackers entering SQL code into an application form field — for example, a username or password field — to gain unauthorized access to resources. With this access, attackers can view and alter sensitive data, run commands with administrative privileges, or conduct DDoS and other detrimental attacks.
Question 74: Netsparker and Burp Suite Professional are examples of:
A. Web-focused vulnerability detection tools
B. Antimalware
C. Web application firewalls
D. VPNs
Correct Answer: A. Web-focused vulnerability detection tools
Explanation: Netsparker and Burp Suite Professional are both examples of web-focused vulnerability detection tools, a category of application security testing tools critical to detecting app issues.
Question 75: Which of the following is not on OWASP’s top 10 web application security risks?
A. Sensitive data exposure
B. XML external entities
C. Noncompliance
D. Insecure deserialization
Correct Answer: C. Noncompliance
Explanation: Sensitive data exposure, XML external entities and insecure deserialization are all included on OWASP’s top 10 list. Noncompliance is not on the list.
Question 76: Core Impact, Metasploit and w3af are all examples of:
A. Cybersecurity search engines
B. Frameworks
C. Password security tools
D. SQL injection tools
Correct Answer: B. Frameworks
Explanation: These are all examples of security frameworks. Core Impact is a commercial pen testing framework, Metasploit is an open source pen testing framework, and w3af is a web application attack and audit framework.
Question 77: Web application firewalls (WAFs) help prevent which application layer attack?
A. XSS
B. SQL injection
C. DDoS
D. All of the above
Correct Answer: D. All of the above
Explanation: WAFs provide visibility into app data communicated via the HTTP app layer. A WAF can help prevent application attacks, including XSS, SQL injection and DDoS.
Question 78: Which of the following is not an example of an XSS attack?
A. Stored XSS
B. DNS XSS
C. Reflected XSS
D. DOM-based XSS
Correct Answer: B. DNS XSS
Explanation: There are three types of XSS attacks: stored, reflected and DOM-based. DNS XSS is not a type of attack.
Question 79: Which vulnerabilities may be missed by manual code reviews but picked up by automated pen testing tools?
A. Logic flaws
B. Authorization issues
C. Encryption misconfigurations
D. All of the above
Correct Answer: D. All of the above
Explanation: Logic flaws, authorization issues and encryption misconfigurations are often not detected without the use of automated pen testing tools.
Question 80: Which application security testing method is considered most costly?
A. Static application security testing (SAST)
B. Dynamic application security testing (DAST)
C. Mobile application security testing (MAST)
D. All of the above
Correct Answer: B. Dynamic application security testing (DAST)
Explanation: DAST is performed on a running application that has already been deployed and is in use. Because DAST runs at this later stage, fixing the vulnerabilities it discovers is considered more costly.