Study Guides and Actual Real Exam Questions For Oracle OCP, MCSE, MCSA, CCNA, CompTIA


Braindumps for "000-139" Exam

AppScan Standard Edition

 Question 1.
Which type of vulnerability can occur when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter?

A. Cross-site Scripting
B. Insecure Direct Object Reference
C. Injection Flaw
D. Cross Site Request Forgery

Answer: B

Question 2.
After 30 minutes your scan stops with an out-of-session error. What is a possible cause of this error?

A. Redundant path limit was too low.
B. A parameter was not tracked.
C. Flash parsing was turned off.
D. Platform authentication was not configured.

Answer: B

Question 3.
AppScan sent the following test HTTP request:

GET /web/content/index.php?file=/../../../../../../../../etc/passwd%00 HTTP/1.0
Cookie: JSESSIONID=dqt0LSnfhdVyTJkCwTwfLQQSkTTGYX9D79tLLpT1yLQjVhSpZKP9!914376523; customerLanguage=en
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: www.ibm.com

Although there is no indication in the response about the existence of a password file, AppScan reported a vulnerability with the following reasoning:
Global Validation found an embedded script in the response (), which was probably injected by a previous test.

The presence of this script in the site suggests that the application is vulnerable to which type of attack?

A. Stored Cross-site Scripting
B. Cross-site Scripting
C. Namazu Path Traversal
D. Directory Listing

Answer: A

Question 4.
What information does the difference displayed in the Request / Response tab provide?

A. the difference between two tests
B. how the vulnerability was resolved
C. how AppScan constructed the test HTTP request
D. how the Web application page has been modified from its previous version

Answer: C

Question 5.
You are scanning a Web site in a pre-production environment. You notice that your scan is running very slowly and there are numerous communication errors. 

What would you do to resolve the problem?

A. increase the number of threads and decrease the timeout limit
B. decrease the number of threads and increase the timeout limit
C. increase the number of threads and increase the timeout limit
D. set the timeout to 0 for infinite timeout

Answer: B

Question 6.
Which type of vulnerability allows an attacker to execute a malicious script in a user's browser?

A. Cross-site Scripting
B. Injection Flaw
C. Insecure Direct Object Reference
D. Failure to restrict URL access

Answer: A

Question 7.
Which statement is true about infrastructure vulnerabilities?

A. They are caused by insecure coding and are fixed by modifying the application code.
B. They are detected using application security scanners and exist in the Web application.
C. They are known vulnerabilities and are fixed by modifying the application code.
D. They exist in third-party components and are fixed by applying security patches.

Answer: D

Question 8.
What does secure session management require?

A. session tokens that are given long lifetimes
B. session tokens that are invalidated when the user logs out
C. session tokens that are persistent
D. session tokens that are numeric

Answer: B

Question 9.
Your site contains the following URL:
http://www.mycompany.com/smb/default.jsp?page=wireless&productID=65343
In this URL, the page parameter defines a unique page and the productID parameter defines a different product page, based on a template.

How would you configure AppScan to thoroughly explore this site while avoiding redundant URLs? (Choose two.)

A. ensure JavaScript Execute is turned on
B. ignore the page parameter
C. turn off Redundant Path limit
D. track the page parameter
E. track the productID parameter
F. ignore the productID parameter

Answer: C, F

Question 10.
You are scanning a Web application in a pre-production environment. During your initial assessment, you notice that some of the links are specified by IP and some by host name. Your starting URL contains an IP address, http://12.34.56.67/default.jsp. When the scan completes, you discover that it has not covered a significant portion of your Web application. 

What could be the reason?

A. The host name is not added to the list of additional domains and servers.
B. The scan is configured to use only one connection.
C. There is no route to IP 12.34.56.67.
D. You are not licensed to scan IP 12.34.56.67.

Answer: A

Question 11.
You expect your scan to cover around 500 pages, but instead it covers 55. 

What are three possible reasons for this? (Choose three.)

A. You chose the wrong test policy.
B. The login failed.
C. You specified only one connection.
D. JavaScript Execution was not enabled.
E. The redundant path limit was set too low.

Answer: B, D, E


Braindumps for "EX0-101" Exam

ITIL Foundation v.3

 Question 1.
Which of the following is NOT an example of Self-Help capabilities?

A. Requirement to always call the service desk for service requests
B. Menu-driven range of self help and service requests
C. Web front-end
D. A direct interface into the back end process handling software

Answer: A

Question 2.
What is a RACI model used for?

A. Defining roles and responsibilities
B. Monitoring services
C. Performance analysis
D. Recording Configuration Items

Answer: A

Question 3.
Which of the following statements is INCORRECT?

A. The SKMS is part of the Configuration Management System (CMS)
B. The SKMS can include data on the performance of the organization
C. The Service Knowledge Management System (SKMS) includes Configuration Management Databases (CMDB)
D. The SKMS can include user skill levels

Answer: A

Question 4.
The group that authorizes changes that must be installed faster than the normal process is called the?

A. Emergency CAB (ECAB)
B. Urgent Change Authority (UCA)
C. Urgent Change Board (UCB)
D. CAB Emergency Committee (CAB/EC)

Answer: A

Question 5.
In which core publication can you find detailed descriptions of Service Level Management, Availability Management, Supplier Management and IT Service Continuity Management?

A. Service Transition
B. Service Design
C. Service Strategy
D. Service Operation

Answer: B

Question 6.
Which of these statements about Service Desk staff is CORRECT?

A. Service Desk staff should be recruited from people who have high levels of technical skill to minimise the cost of training them
B. The Service Desk can often be used as a stepping stone for staff to move into other more technical or supervisory roles
C. The Service Desk should try to have a high level of staff turnover as the training requirements are low and this helps to minimise salaries
D. Service Desk staff should be discouraged from applying for other roles as it is more cost effective to keep them in the role where they have been trained

Answer: B

Question 7.
Which of the following statements is INCORRECT?

A. The Service Knowledge Management System (SKMS) includes Configuration Management Databases (CMDB)
B. The SKMS is part of the Configuration Management System (CMS)
C. The SKMS can include data on the performance of the organization
D. The SKMS can include user skill levels

Answer: B

Question 8.
Service Assets are used to create value. Which of the following are the MAJOR types of Service Asset?

A. Services and Infrastructure
B. Applications and Infrastructure
C. Resources and Capabilities
D. Utility and Warranty

Answer: C

Question 9.
Which of the following is NOT one of the five individual aspects of Service Design?

A. The design of the Service Portfolio, including the Service Catalogue
B. The design of Market Spaces
C. The design of new or changed services
D. The design of the technology architecture and management systems

Answer: B

Question 10.
Which of the following is NOT the responsibility of the Service Catalogue Manager?

A. Ensuring that all operational services are recorded in the Service Catalogue
B. Ensuring that information in the Service Catalogue is accurate
C. Ensuring that information in the Service Catalogue is consistent with information in the Service Portfolio
D. Ensuring that information within the Service Pipeline is accurate

Answer: D




Copyright © 2004 CertsBraindumps.com Inc. All rights reserved.