Lab #5 – Assessment Worksheet
Attacking a Vulnerable Web Application and Database
Lab Assessment Questions & Answers
1. Why is it critical to perform a penetration test on a Web application and a Web server prior to
production implementation?
It is critical to perform a penetration test on a web application and a web server prior to production
implementation to make sure no one can penetrate your web app before you put it out online.
2. What is a cross-site scripting attack? Explain in your own words.
Cross-site scripting is a computer security vulnerability that is normally found in web applications. It allows
attacks to inject client side scripts into web pages that are viewed by other users.
3. What is a reflective cross-site scripting attack?
Reflective cross-site scripting is another computer security vulnerability that uses the web application
again. It creates a response using data that is non-sanitized from the client scripts such as Java scripts of
VB scripts. The data that is sent to the server will send a page back with the script.
4. Based on the tests you performed in this lab, which Web application attack is more likely to
extract privacy data elements out of a database?
SQL injection attacks are more likely to estract. The purpose of a SQL injection attack is to extract data by
changing the logic of SQL. With SQL you can enter a database with administrator rights.
5. If you can monitor when SQL injections are performed on an SQL database, what would you
recommend as a security countermeasure to monitor your production SQL databases?
To monitor your production SQL databases it is best to regularly audit and coordinated security checks.
6. Given that Apache and Internet Information Services (IIS) are the two most popular Web
application servers for Linux and Microsoft® Windows platforms, what would you do to identify
known software vulnerabilities and exploits?
Discovered in third party applications running on...