Module 1: Understanding Application Security, Threats, and Attacks

1.Identify the type of attack depicted in the following figure.
A. Denial-of-service attack
B. SQL Injection attack
C. Directory Traversal Attack
D. Form Tampering Attack

2. Which of the following utilities can be used to compile managed assemblies into processor-specific native code?
A) gacutil
B) ngen
C) sn
D) dumpbin


3. Which of the following components of the .NET Framework provides an extensible set of classes that can be used by any .NET-compliant programming language?

A) .NET class libraries
B) Common Language Runtime
C) Common Language Infrastructure
D) Component Object Model


4. Which of the following statements correctly defines the .NET Framework?
A) It is an environment for developing, building, deploying and executing Desktop Applications, Web Applications and Web Services.
B) It is an environment for developing, building, deploying and executing only Web Applications.
C) It is an environment for developing, building, deploying and executing Distributed Applications.
D) It is an environment for developing, building, deploying and executing Web Services.

5.Which of the following statements is correct about the .NET Framework?
A) .NET Framework uses DCOM for achieving language interoperability.
B) .NET Framework is built on the DCOM technology.
C) .NET Framework uses DCOM for making transition between managed and unmanaged code.
D) .NET Framework uses DCOM for creating unmanaged applications.


6. Which of the following statements are correct about JIT?
A) The JIT compiler compiles instructions into machine code at run time.
B) The code compiled by the JIT compiler runs under the CLR.
C) The instructions compiled by JIT compilers are written in native code.
D) The instructions compiled by JIT compilers are written in Intermediate Language (IL) code.

7. Which filter is executed last in ASP.NET MVC?
A) Action filters
B) Authorization filters
C) Exception filters
D) Response filters


Option A is INCORRECT because action filters in ASP.NET MVC run around the action method itself in the MVC execution pipeline, which means they execute before the final result is produced.

Option C is CORRECT because exception filters are the last filters to be executed in the ASP.NET MVC pipeline. They are called when an unhandled exception occurs during action method execution.

Option B is INCORRECT because authorization filters are the first filters to handle a request.

Option D is INCORRECT because there are no explicit 'Response filters' in ASP.NET MVC. If you are referring to Result filters, they execute right after the action method and before the result is rendered to the client.


8. In which type of attack does the attacker place a malicious link or image on the target website, on which the user is logged in as a legitimate user?
A) XSS
B) CSRF
C) SQL Injection
D) Broken Authentication

Cross-site request forgery (CSRF) is a type of attack that occurs when a malicious website, email, or program causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

9. Threat modeling and design review are part of the ______ phase.
A) Requirements
B) Design
C) Development
D) Testing

Threat modeling and design review are activities that belong to the design phase of the software development life cycle, because that is when the architecture and design of the software are decided. During this phase the team identifies potential threats and vulnerabilities that an attacker could exploit, and a threat modeling and design review lets developers address those security issues before any code depends on them. This helps to ensure that the software is secure and resilient to attack.

10.Identify the type of attack depicted in the figure below:

A. XSS
B. Cross-Site Request Forgery (CSRF) attack
C. SQL injection attack
D. Denial-of-Service attack


11. In a certain website, a secure login feature is designed to prevent brute-force attacks by implementing an account lockout mechanism. The account is automatically locked after five failed attempts, and the user cannot log in to the website until the account is unlocked. However, there is a possibility that this security feature can be abused to perform a __________ attack.

A. Failure to Restrict URL
B. Broken Authentication
C. Unvalidated Redirects and Forwards
D. Denial-of-Service (DoS)

The secure login feature is designed to prevent brute-force attacks by implementing an account lockout mechanism. After five failed login attempts the account is locked automatically, and the feature does not allow the user to log in to the website until the account is unlocked.

A Denial-of-Service (DoS) attack is one in which the attacker makes a service unavailable to legitimate users, for example by issuing a large number of login requests. Here the account lockout mechanism itself can be abused: an attacker can deliberately submit wrong credentials for a legitimate user's account so that it gets locked, producing a denial-of-service effect.

CAPEC-2: Inducing Account Lockout
https://capec.mitre.org/data/definitions/2.html

Account Lockouts: Characterizing and Preventing Account Denial-of-Service Attacks
https://web.cs.wpi.edu/~yliu25/publications/securecomm2019.pdf

New Default Account Lockout Policy in Windows 11 Blocks Brute Force Attacks
https://www.securityweek.com/new-default-account-lockout-policy-windows-11-blocks-brute-force-attacks/
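The lockout abuse described in question 11, as an added example that is not part of the original post: a naive per-account lockout beside a variant that counts failures per (account, source) pair and applies a capped exponential delay to that pair only. The user store, addresses and timings are constructed for the demonstration.

```python
# Added example (not from the original post): the CAPEC-2 lockout abuse
# beside a mitigated design. User store, addresses and timings are constructed.
LOCKOUT_THRESHOLD = 5   # five failed attempts, as in the question
LOCKOUT_SECONDS = 15 * 60
MAX_BACKOFF = 300
USERS = {"alice": "correct horse battery staple"}  # constructed; plaintext only for brevity

class NaiveLockout:
    """Locks the account after five failures, whoever caused them."""
    def __init__(self):
        self.failures = {}      # username -> consecutive failures
        self.locked_until = {}  # username -> unlock time

    def login(self, username, password, source_ip, now):
        if self.locked_until.get(username, 0) > now:
            return "locked"
        if USERS.get(username) == password:
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            self.locked_until[username] = now + LOCKOUT_SECONDS
        return "bad"

class ThrottledLogin:
    """Counts failures per (account, source) and delays only that pair, so a
    stranger's guesses cannot lock the real owner out from elsewhere."""
    def __init__(self):
        self.failures = {}     # (username, source_ip) -> consecutive failures
        self.retry_after = {}  # (username, source_ip) -> earliest next try

    def login(self, username, password, source_ip, now):
        key = (username, source_ip)
        if self.retry_after.get(key, 0) > now:
            return "throttled"
        if USERS.get(username) == password:
            self.failures.pop(key, None)
            return "ok"
        n = self.failures[key] = self.failures.get(key, 0) + 1
        if n >= LOCKOUT_THRESHOLD:  # exponential backoff from the threshold, capped
            self.retry_after[key] = now + min(2 ** (n - LOCKOUT_THRESHOLD), MAX_BACKOFF)
        return "bad"

def simulate(policy):
    """Five wrong guesses at alice from one address, then alice logs in with
    the right password from her own address one second later."""
    for _ in range(LOCKOUT_THRESHOLD):
        policy.login("alice", "wrong", "198.51.100.7", now=0)
    return policy.login("alice", USERS["alice"], "203.0.113.5", now=1)
```

Per-source counting has its own limit: guesses spread across many addresses, or an owner sharing a NAT with the guesser, are why real deployments pair it with CAPTCHA or step-up verification rather than relying on it alone.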
