Database Multiple Choice Questions on “Application Security”.
1. In _________________ attacks, the attacker manages to get an application to execute an SQL query created by the attacker.
a) SQL injection
b) SQL
c) Direct
d) Application
Answer: a
Clarification: Application security has to deal with several security threats and issues beyond those handled by SQL authorization.
2. A Web site that allows users to enter text, such as a comment or a name, and then stores it and later displays it to other users, is potentially vulnerable to a kind of attack called a ___________________ attack.
a) Two-factor authentication
b) Cross-site request forgery
c) Cross-site scripting
d) Cross-site scoring scripting
Answer: c
Clarification: In such an attack, a malicious user enters code written in a client-side scripting language such as JavaScript or Flash instead of entering a valid name or comment.
3. _________ is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.
a) Two-factor authentication
b) Cross-site request forgery
c) Cross-site scripting
d) Cross-site scoring scripting
Answer: b
Clarification: Cross-site request forgery is also known as a one-click attack or session riding and is abbreviated as CSRF or XSRF.
4. Many applications use _________________ where two independent factors are used to identify a user.
a) Two-factor authentication
b) Cross-site request forgery
c) Cross-site scripting
d) Cross-site scoring scripting
Answer: a
Clarification: The two factors should not share a common vulnerability.
5. Even with two-factor authentication, users may still be vulnerable to _____________ attacks.
a) Radiant
b) Cross attack
c) scripting
d) Man-in-the-middle
Answer: d
Clarification: In such attacks, a user attempting to connect to the application is diverted to a fake Web site, which accepts the password from the user, and uses it immediately to authenticate to the original application.
6. A single ______________ further allows the user to be authenticated once, and multiple applications can then verify the user’s identity through an authentication service without requiring reauthentication.
a) OpenID
b) Sign-on system
c) Security Assertion Markup Language (SAML)
d) Virtual Private Database (VPD)
Answer: b
Clarification: Once the user has logged in at one site, he does not have to enter his user name and password at other sites that use the same single sign-on service.
7. The ___________________ is a standard for exchanging authentication and authorization information between different security domains, to provide cross-organization single sign-on.
a) OpenID
b) Sign-on system
c) Security Assertion Markup Language (SAML)
d) Virtual Private Database (VPD)
Answer: c
Clarification: The user’s password and other authentication factors are never revealed to the application, and the user need not register explicitly with the application.
8. The __________ standard is an alternative for single sign-on across organizations, and has seen increasing acceptance in recent years.
a) OpenID
b) Single-site system
c) Security Assertion Markup Language (SAML)
d) Virtual Private Database (VPD)
Answer: a
Clarification: The user’s password and other authentication factors are never revealed to the application, and the user need not register explicitly with the application.
9. _______________ allows a system administrator to associate a function with a relation; the function returns a predicate that must be added to any query that uses the relation.
a) OpenID
b) Single-site system
c) Security Assertion Markup Language (SAML)
d) Virtual Private Database (VPD)
Answer: d
Clarification: Some database systems provide mechanisms for fine-grained authorization.
10. VPD provides authorization at the level of specific tuples, or rows, of a relation, and is therefore said to be a _____________ mechanism.
a) Row-level authorization
b) Column-level authentication
c) Row-type authentication
d) Authorization security
Answer: a
Clarification: Oracle Virtual Private Database (VPD) allows a system administrator to associate a function with a relation.