CISSP PRACTICE QUESTIONS – 20210209

Effective CISSP Questions

The software testing team is testing a web-based E-Commerce system. The back-end API receives an HTTP request, GET /customer/delete?country=all, with an empty HTTP message body. Which of the following is the most likely test undergoing?
A. Fuzz testing
B. Stress testing
C. Synthetic transaction
D. Misuse/Abuse testing

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Misuse/Abuse testing.

HTTP Request
HTTP Request (credit: Chua Hock-Chuan)

It’s an abuse case that the tester manipulated the query string of the URL in the HTTP request, e.g., GET /customer/delete?country=all. Even end-users can submit an HTTP GET request by adding or modifying the URL and query parameters in the browser address bar. Before the RESTful API gets popular, it’s not uncommon to implement CRUD (create, retrieve, update, and delete) data operations using the HTTP verb, GET, which is subject to Misuse/Abuse attacks.

Misuse/Abuse Case

An Abuse Case can be defined as:

A way to use a feature that was not expected by the implementer,
allowing an attacker to influence the feature or outcome of use of
the feature based on the attacker action (or input).

Source: OWASP

Synopsys define an Abuse Case like this:

– Misuse and abuse cases describe how users misuse or exploit the weaknesses
of controls in software features to attack an application.
– This can lead to tangible business impact when a direct attack against
business functionalities, which may bring in revenue or provide
positive user experience, are attacked.
– Abuse cases can also be an effective way to drive security requirements
that lead to proper protection of these critical business use cases.

Source: OWASP

Fuzz Testing

Fuzz testing is used to test applications that accept structural inputs by feeding randomly generated test data. We didn’t see any random data used in the testing.

Stress Testing

Stress test focuses on the performance and scalability; the workload of network, CPU, memory is increased gradually to observe the system performance at a certain level of workload and the upper limit of the system. There is no clue about performance and scalability in the test.

Synthetic Transaction

In a strict sense, Synthetic Transaction is a proactive website “monitoring” technique that is done by deploying behavioral scripts in a web browser to simulate the path a real customer (or end-user) takes through a website. However, Synthetic Transaction is crucial for high traffic sites, e.g., e-commerce, to be tested prior to launch. (monitis)

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

軟體測試團隊正在測試Web的電子商務系統。 後端API收到帶有空HTTP訊息正文(body)的HTTP請求: GET /customer/delete?country=all。 以下哪項是最可能進行的測試?
A. 模糊測試 (Fuzzing test)
B. 壓力測試 (Stress testing)
C. 綜合交易 (Synthetic transaction)
D. 誤用/濫用測試 (Misuse/Abuse testing)

Leave a Reply