Eccouncil 312-96 practice test

Stephen is a web developer in the InterCall Systems. He was working on a Real Estate website for
one of his clients. He was given a task to design a web page with properties search feature. He
designed the following searchpage.jsp
< form Id="form1" method="post" action="SearchProperty.jsp" >
< input type="text" id=''txt_Search" name="txt_Search" placeholder="Search Property..." / >
< input type="Submit" Id="Btn_Search" value="Search" / >
< /form >
However, when the application went to security testing phase, the security tester found an XSS
vulnerability on this page. How can he mitigate the XSS vulnerability on this page?

• A. He should write code like out-Write ("You Searched for:" +ESAPI.encoder().encodeForHTML(search));
• B. He should write code like out.write ("You Searched for:" + request.qetParameter("search"l.toStrinq(ll;
• C. He should write code like out.write ("You Searched for:" + request.qetParameterf'txt Search"));
• D. He should write code like out.write (("You Searched for:" +(search));

Jacob, a Security Engineer of the testing team, was inspecting the source code to find security
vulnerabilities.
Which type of security assessment activity Jacob is currently performing?

• A. ISCST
• C. CAST
• D. SAST

Oliver, a Server Administrator (Tomcat), has set configuration in web.xml file as shown in the
following screenshot. What is he trying to achieve?

• A. He wants to transfer the entire data over encrypted channel
• B. He wants to transfer only response parameter data over encrypted channel
• C. He wants to transfer only request parameter data over encrypted channel
• D. He wants to transfer only Session cookies over encrypted channel

Alice works as a Java developer in Fygo software Services Ltd. He is given the responsibility to design
a bookstore website for one of their clients. This website is supposed to store articles in .pdf format.
Alice is advised by his superior to design ArticlesList.jsp page in such a way that it should display a list
of all the articles in one page and should send a selected filename as a query string to redirect users
to articledetails.jsp page.
Alice wrote the following code on page load to read the file name.
String myfilename = request.getParameter("filename");
String txtFileNameVariable = myfilename;
String locationVariable = request.getServletContext().getRealPath("/");
String PathVariable = "";
PathVariable = locationVariable + txtFileNameVariable;
BufferedInputStream bufferedInputStream = null;
Path filepath = Paths.get(PathVariable);
After reviewing this code, his superior pointed out the security mistake in the code and instructed
him not repeat the same in future. Can you point the type of vulnerability that may exist in the above
code?

• A. URL Tampering vulnerability
• B. Form Tampering vulnerability
• C. XSS vulnerability
• D. Directory Traversal vulnerability

In a certain website, a secure login feature is designed to prevent brute-force attack by implementing
account lockout mechanism. The account will automatically be locked after five failed attempts. This
feature will not allow the users to login to the website until their account is unlocked. However,
there is a possibility that this security feature can be abused to perform __________ attack.

• A. Failure to Restrict URL
• B. Broken Authentication
• C. Unvalidated Redirects and Forwards
• D. Denial-of-Service [Do

Which of the risk assessment model is used to rate the threats-based risk to the application during
threat modeling process?

• A. DREAD
• B. SMART
• C. STRIDE
• D. RED

Which of the following Spring Security Framework configuration setting will ensure the protection
from session fixation attacks by not allowing authenticated user to login again?

• A. session-fixation-protection ="newSessionlD"
• C. session-fixation-protection ="enabled"
• D. session-fixation-protection =".

Alice, a security engineer, was performing security testing on the application. He found that users
can view the website structure and file names. As per the standard security practices, this can pose a
serious security risk as attackers can access hidden script files in your directory. Which of the
following will mitigate the above security risk?

• A. < int-param > < param-name>directory-listinqs < param-value>true < /init-param >
• B. < int param > < param-name>directorv-listinqs < param-value>false < /init-param >
• C. < int-param > < param-name>listinqs < param-value>true < /init-param
• D. < int-param > < param-name>listinqs < param-value>false < /init-param >

Which of the following relationship is used to describe security use case scenario?

• A. Threatens Relationship
• B. Extend Relationship
• C. Mitigates Relationship
• D. Include Relationship

Identify the formula for calculating the risk during threat modeling.

• A. RISK = PROBABILITY "Attack
• B. RISK = PROBABILITY " ASSETS
• C. RISK = PROBABILITY * DAMAGE POTENTIAL
• D. IRISK = PROBABILITY * VULNERABILITY