CISSP PRACTICE QUESTIONS – 20201208

Effective CISSP Questions

Modern CPUs and operating systems collaborate to enforce memory protection. Which of the following is an attack primarily against memory?
A. SQL injection
B. Cross-site scripting (XSS)
C. Object reuse
D. Session hijacking

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Object reuse.

What are Application Security Risks?

Object Reuse

According to the NIST glossary, object reuse refers to “reassignment and reuse of a storage medium containing one or more objects after ensuring no residual data remains on the storage medium.”

However, it’s not uncommon to refer to the “object” as “memory space.” Modern operating systems allocate memory to processes dynamically and reuse that memory once it is released. The risk of data remanence arises if the operating system doesn’t initialize or clear memory before allocating it to another process, so the new process can read whatever the previous owner left behind.
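To make the object-reuse risk concrete, here is an added illustration (not code from the original post or from Wentz Wu) that simulates a tiny page pool with two allocation policies: one that hands back a recycled page as-is, and one that zero-fills on allocation or scrubs on release. All names (pool, alloc_page_naive, free_page_scrubbed, secret_leaks) and the sample secret are constructed for this example; no real OS allocator is involved.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define PAGE_SIZE 64
#define NUM_PAGES 4

/* Constructed "physical memory": a handful of fixed-size pages plus in-use flags.
   This stands in for the OS page pool; it is not a real allocator. */
static uint8_t pool[NUM_PAGES][PAGE_SIZE];
static bool in_use[NUM_PAGES];

/* Reset the pool so every scenario starts from a known state. */
void pool_reset(void) {
    memset(pool, 0, sizeof pool);
    memset(in_use, 0, sizeof in_use);
}

/* Naive allocator: returns the first free page WITHOUT touching its contents,
   mirroring an OS that skips initialization on allocation. */
uint8_t *alloc_page_naive(void) {
    for (int i = 0; i < NUM_PAGES; i++) {
        if (!in_use[i]) { in_use[i] = true; return pool[i]; }
    }
    return NULL;
}

/* Hardened allocator: zero-fills the page before handing it out,
   the standard object-reuse control ("clear on allocate"). */
uint8_t *alloc_page_zeroed(void) {
    uint8_t *p = alloc_page_naive();
    if (p) memset(p, 0, PAGE_SIZE);
    return p;
}

/* Plain release: marks the page free but leaves its bytes intact. */
void free_page(uint8_t *p) {
    for (int i = 0; i < NUM_PAGES; i++) {
        if (pool[i] == p) { in_use[i] = false; return; }
    }
}

/* Scrubbing release: overwrites the page through a volatile pointer so the
   compiler cannot optimize the writes away (same intent as explicit_bzero). */
void free_page_scrubbed(uint8_t *p) {
    volatile uint8_t *v = p;
    for (size_t i = 0; i < PAGE_SIZE; i++) v[i] = 0;
    free_page(p);
}

/* Scenario: "process A" writes a secret into its page and exits; "process B"
   then receives a page from the same pool. Returns true if B can read A's secret,
   i.e. if object reuse leaked residual data. */
bool secret_leaks(uint8_t *(*alloc)(void), void (*release)(uint8_t *)) {
    const char secret[] = "password=hunter2"; /* constructed sample secret */
    pool_reset();
    uint8_t *a = alloc();
    memcpy(a, secret, sizeof secret);
    release(a);               /* A terminates; page goes back to the pool */
    uint8_t *b = alloc();     /* B is handed the same physical page */
    bool leaked = memcmp(b, secret, sizeof secret) == 0;
    release(b);
    return leaked;
}

int main(void) {
    printf("naive alloc, plain free:    leak=%d\n", secret_leaks(alloc_page_naive, free_page));
    printf("zeroed alloc, plain free:   leak=%d\n", secret_leaks(alloc_page_zeroed, free_page));
    printf("naive alloc, scrubbed free: leak=%d\n", secret_leaks(alloc_page_naive, free_page_scrubbed));
    return 0;
}
```

The first scenario reproduces the risk described above: the page is recycled with the previous owner's bytes still in place. Either control on its own closes the gap, which is why real operating systems zero pages before mapping them into a new process, and why security-sensitive code additionally scrubs secrets before releasing the buffer rather than relying on the allocator alone.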

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is “a vulnerability that allows attackers to inject malicious code into an otherwise benign website. These scripts acquire the permissions of scripts generated by the target website and can therefore compromise the confidentiality and integrity of data transfers between the website and client. Websites are vulnerable if they display user-supplied data from requests or forms without sanitizing the data so that it is not executable.”

Source: NIST SP 800-63-3

SQL Injection

SQL injection refers to “attacks that look for web sites that pass insufficiently-processed user input to database back-ends.”

Source: NISTIR 7682

Session Hijacking

Session hijacking is “an attack in which the attacker is able to insert himself or herself between a claimant and a verifier subsequent to a successful authentication exchange between the latter two parties. The attacker is able to pose as a subscriber to the verifier or vice versa to control session data exchange. Sessions between the claimant and the RP can be similarly compromised.”

Source: NIST SP 800-63-3

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Modern CPUs and operating systems work together to enforce memory protection. Which of the following is primarily an attack against memory?
A. SQL injection
B. Cross-site scripting (XSS)
C. Object reuse
D. Session hijacking
