WGU D385 OA EXAM QUESTION BANK COMPLETE 300
ACTUAL EXAM QUESTIONS AND CORRECT SOLUTIONS
LATEST UPDATE THIS YEAR
➢ WGU D385 Software Security and Testing exam
➢ WGU D385 SECURITY AUTHENTICATION
➢ WGU D385 LOGGING AND SECURITY ISSUES
WGU D385 Software Security and Testing exam
QUESTION: An attacker exploits a cross-site scripting vulnerability. What is the attacker able to do?
A. Access the user's data
B. Execute a shell command or script
C. Discover other users' credentials
D. Gain access to sensitive files on the server - ANSWER-The question is about cross-site scripting (XSS). XSS is a web application flaw in which untrusted input is reflected or stored and then rendered into a page without proper output encoding, so the attacker's script is executed by other users' browsers under the vulnerable site's origin. Because that script runs inside the victim's session, it can read whatever the page can read and send requests in the victim's name.
Let's break down the answer options:
A. Access the user's data This option is correct. A successful XSS attack lets the attacker's script read the data the victim's browser holds for that site: page content (the DOM), session cookies that are not marked HttpOnly, values kept in localStorage, and anything the user types into the page. It can also issue authenticated requests as the victim. (CORRECT)
B. Execute a shell command or script This is not what XSS provides. The injected script runs in the victim's browser, not on the server. Executing shell commands or scripts on the server requires a different class of vulnerability, such as OS command injection or remote code execution.
C. Discover other users' credentials XSS targets one victim at a time, namely the user whose browser renders the payload. It can capture that user's session token or keystrokes, but it does not disclose other users' credentials in bulk; that would require a server-side flaw such as SQL injection or broken access control.
D. Gain access to sensitive files on the server Again, this is not what XSS provides. Reading files from the server requires a server-side vulnerability, such as path (directory) traversal or a server misconfiguration.
QUESTION: Which Python function is prone to a potential code injection attack?
A. eval()
B. type()
C. print()
D. append() - ANSWER-Code Injection Attacks: A code injection attack is a type of security
vulnerability where an attacker can insert and execute malicious code into a program or
application. This can happen when user-supplied data is not properly validated or sanitized
before being executed by the program. If an attacker can manipulate data that gets executed as
code, they can potentially take control of the application, access sensitive information, or
perform unauthorized actions.
Now, let's examine the answer options:
A. eval()
This option is correct. eval() takes a string (or a compiled code object) and evaluates it as a Python expression, with access to the builtins and to the calling scope unless the caller restricts the globals and locals it passes. If untrusted input reaches eval() without validation, an attacker can supply an expression that imports modules, reads files, or spawns processes, so the attacker's code runs with the application's privileges. exec() has the same property for statements. For parsing literal data, ast.literal_eval() is the safe replacement; for anything else, a purpose-built parser is needed, since passing a restricted globals dict to eval() is not a reliable sandbox. (CORRECT)
B. type()
The type() function in Python is not directly related to code injection attacks. It is used to
determine the type of an object, such as whether it's a list, dictionary, integer, etc.
C. print()
The print() function in Python is not prone to code injection attacks. It is used to display output
on the console or in files and does not execute arbitrary code.
D. append()
The append() function is a list method in Python used to add elements to the end of a list. It is
not related to code injection vulnerabilities as it deals with manipulating list data.
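The following is an added example, not code from the original question bank, contrasting the vulnerable eval() pattern with two safe alternatives. The calculator functions, the operator whitelist and the sample inputs (BENIGN_EXPR, MALICIOUS_EXPR) are constructed for this example; the payload is a harmless os.getcwd() stand-in for what an attacker would actually send.

```python
import ast
import operator

# Constructed sample inputs for this example (not from the original page).
BENIGN_EXPR = "2 + 3 * 4"
# A harmless stand-in for an injected payload: any Python expression runs under eval().
MALICIOUS_EXPR = "__import__('os').getcwd()"


def unsafe_calc(expr: str):
    """Vulnerable: eval() executes whatever Python expression the string contains."""
    return eval(expr)


# Whitelist of arithmetic operators the hardened evaluator is allowed to apply.
_BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def safe_calc(expr: str):
    """Hardened: parse to an AST and evaluate only numeric literals and arithmetic.

    Any other node (names, attribute access, calls, subscripts) is rejected, so
    the payload above fails before anything is executed.
    """
    tree = ast.parse(expr, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
            return _BINARY_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


def parse_literal(text: str):
    """For data (lists, dicts, numbers, strings) use ast.literal_eval, which never calls code."""
    return ast.literal_eval(text)


if __name__ == "__main__":
    print(unsafe_calc(BENIGN_EXPR), safe_calc(BENIGN_EXPR))
    print("eval ran the payload:", unsafe_calc(MALICIOUS_EXPR))
    try:
        safe_calc(MALICIOUS_EXPR)
    except ValueError as err:
        print("safe_calc rejected it:", err)
    print(parse_literal("[1, 2, {'a': 3}]"))
```

Both calculators agree on the benign input; on the payload, eval() silently runs the call while safe_calc() rejects the Call node before evaluating anything. The whitelist approach generalizes beyond the single function named in the question: the safe pattern is to accept only the grammar you need, never to evaluate the input as Python.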
QUESTION: What is the primary defense against log injection attacks?
A. Do not use parameterized stored procedures in the database
B. Allow all users to write to these logs
C. Sanitize outbound log messages
D. Use API calls to log actions - ANSWER-C. Sanitize outbound log messages.
The primary defense against log injection attacks is to sanitize outbound log messages. Log injection is a vulnerability in which attacker-controlled input is written into a log unchanged; by embedding newline or other control characters the attacker can forge additional log entries, hide their activity, or corrupt the log for the tools and people that read it. Sanitizing outbound log messages means that any user-supplied value is validated and its dangerous characters are escaped or removed before the value is included in the log entry, so that one input always produces exactly one entry.
Sanitizing log messages involves applying input validation and output encoding techniques to
prevent the injection of malicious content. It typically involves validating the input data, such as
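The following is an added example, not code from the original question bank, showing the forgery the answer describes and the sanitization that prevents it. The logger setup, the sanitize_log_value() function and the attacker-supplied username (ATTACKER_USERNAME, with a CRLF followed by a fake timestamp and message) are constructed for this example.

```python
import io
import logging

# Constructed attacker input for this example (not from the original page).
# The embedded CRLF followed by a fake timestamp and message forges a second entry.
ATTACKER_USERNAME = "bob\r\n2024-01-01T00:00:00 INFO Login succeeded for admin"

# Mapping from control characters to visible escapes; applied to every user-supplied value.
_ESCAPES = {"\r": "\\r", "\n": "\\n", "\t": "\\t"}


def sanitize_log_value(value: str) -> str:
    """Neutralize CR, LF and other control characters so one input stays one log entry."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def _make_logger(name: str):
    """Logger that writes to an in-memory buffer so the result can be inspected."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def log_failed_login_unsafe(username: str) -> str:
    """Vulnerable: the raw username is written into the log line."""
    logger, buf = _make_logger("example.unsafe")
    logger.info("Login failed for %s", username)
    return buf.getvalue()


def log_failed_login_safe(username: str) -> str:
    """Hardened: the username is sanitized before it reaches the log."""
    logger, buf = _make_logger("example.safe")
    logger.info("Login failed for %s", sanitize_log_value(username))
    return buf.getvalue()


def entry_count(log_text: str) -> int:
    """Number of physical lines a log consumer would see."""
    return len(log_text.splitlines())


if __name__ == "__main__":
    unsafe = log_failed_login_unsafe(ATTACKER_USERNAME)
    safe = log_failed_login_safe(ATTACKER_USERNAME)
    print(f"unsafe: {entry_count(unsafe)} entries\n{unsafe}")
    print(f"safe: {entry_count(safe)} entries\n{safe}")
```

The unsafe logger emits two lines for a single failed login, the second of which claims a successful admin login that never happened; the sanitized logger emits one line in which the CRLF is visible as the literal text \r\n. Structured (for example JSON) logging with a proper encoder achieves the same result for file logs; if the log is later rendered in a web viewer, HTML encoding at display time is a separate, additional step.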