[2024年更新]312-96.PDFの問題回答PDFサンプル問題現実的
ECCouncil 312-96問題集PDFはまもなく最高のベストスコア
質問 # 19
A developer to handle global exception should use _________ annotation along with @ExceptionHandler method annotation for any class
- A. @ControllerAdvice
- B. @GlobalAdvice
- C. @globalControllerAdvice
- D. @Advice
正解:A
解説:
The @ControllerAdvice annotation is used in Spring Framework to handle exceptions globally across the whole application, not just to an individual controller. It allows you to handle exceptions across multiple @Controllers. This annotation is used alongside @ExceptionHandler to define a global exception handling mechanism.
Here's how it works:
* The @ExceptionHandler annotation is used to define methods in your @ControllerAdvice class that will handle exceptions.
* When an exception is thrown, the Spring Framework checks for a matching @ExceptionHandler method in a @ControllerAdvice class.
* If a match is found, the exception is handled by the method annotated with @ExceptionHandler.
References:For more detailed information and learning resources, you should refer to the official EC-Council Application Security Engineer (CASE) JAVA study guides and courses, which can be found on their official website and iClass platform.
質問 # 20
In which phase of secure development lifecycle the threat modeling is performed?
- A. Testing phase
- B. Coding phase
- C. Deployment phase
- D. Design phase
正解:D
質問 # 21
Thomas is not skilled in secure coding. He neither underwent secure coding training nor is aware of the consequences of insecure coding. One day, he wrote code as shown in the following screenshot. He passed
'false' parameter to setHttpOnly() method that may result in the existence of a certain type of vulnerability.
Identify the attack that could exploit the vulnerability in the above case.
- A. Denial-of-Service attack
- B. SQL Injection Attack
- C. Directory Traversal Attack
- D. Client-Side Scripts Attack
正解:D
解説:
The setHttpOnly(false) method call in the code indicates that the HttpOnly flag is not set for the cookie. This is a security concern because when the HttpOnly flag is not set, it allows client-side scripts, such as JavaScript, to access the cookie. Attackers can exploit this vulnerability by using cross-site scripting (XSS) attacks to steal the cookie and potentially hijack the user's session.
To mitigate this vulnerability, the HttpOnly flag should be set to true, which instructs the browser to prevent client-side scripts from accessing the cookie. The correct code should be:
Java
loginCookie.setHttpOnly(true);
AI-generated code. Review and use carefully. More info on FAQ.
This change ensures that the cookie is protected from being accessed by client-side scripts.
References: For verified answers and comprehensive explanations, it is recommended to refer to the official EC-Council Application Security Engineer (CASE) JAVA study guides and course materials. These resources provide detailed information on secure coding practices, including the proper use of the HttpOnly flag in cookies to prevent client-side script attacks. Additionally, the EC-Council's training programs offer in-depth knowledge and hands-on experience in secure coding techniques for Java applications.
質問 # 22
The developer wants to remove the HttpSessionobject and its values from the client' system.
Which of the following method should he use for the above purpose?
- A. Invalidate(session JSESSIONID)
- B. isValidateQ
- C. invalidateQ
- D. sessionlnvalidateil
正解:C
質問 # 23
Oliver, a Server Administrator (Tomcat), has set configuration in web.xml file as shown in the following screenshot. What is he trying to achieve?
- A. He wants to transfer only Session cookies over encrypted channel
- B. He wants to transfer the entire data over encrypted channel
- C. He wants to transfer only response parameter data over encrypted channel
- D. He wants to transfer only request parameter data over encrypted channel
正解:B
解説:
The configuration set in the web.xml file as indicated by the <transport-guarantee> tag set to CONFIDENTIAL suggests that Oliver, the Server Administrator, is aiming to ensure that all data transmitted between the client and the server is done over an encrypted channel. This is a common security practice to protect sensitive data from being intercepted or tampered with during transmission. Here's how the setting works:
* Enforce HTTPS: The CONFIDENTIAL transport guarantee enforces the use of HTTPS, which encrypts the entire communication channel.
* Protect Data: By using HTTPS, not only are the session cookies protected, but all request and response data, including headers and parameters, are encrypted.
* Comply with Security Standards: This setting helps in complying with security standards and regulations that mandate encryption of sensitive data in transit.
References: The EC-Council Application Security Engineer (CASE) JAVA documentation and learning resources emphasize the importance of secure data transmission. The use of the CONFIDENTIAL setting in the web.xml file aligns with the best practices for securing web applications deployed on servers like Tomcat12. Additionally, the Java Servlet Specification provides guidelines on how to configure transport guarantees in the deployment descriptor (web.xml) to ensure secure data transmission.
質問 # 24
Which of the following configurations can help you avoid displaying server names in server response header?
- A. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" Server = " " redirectPort="8443" / >
- B. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" ServerName ="null " redirectPort="8443'' / >
- C. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort= "8443" / >
- D. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" ServerName=" disable" redirectPort="8443" / >
正解:D
質問 # 25
The developer wants to remove the HttpSessionobject and its values from the client' system.
Which of the following method should he use for the above purpose?
- A. Invalidate(session JSESSIONID)
- B. isValidateQ
- C. invalidateQ
- D. sessionlnvalidateil
正解:C
解説:
To remove the HttpSession object and its values from the client's system, the developer should use the invalidate() method. This method is called on the HttpSession object itself and marks the session for deletion, removing all its attributes and invalidating the session on the server side. Once a session is invalidated, any new request from the client does not associate with the old session and will typically result in a new session being created if required.
Here's a step-by-step explanation of how the invalidate() method works:
* The developer retrieves the HttpSession object from the HttpServletRequest object using the getSession() method.
* The developer calls the invalidate() method on the retrieved HttpSession object.
* The server invalidates the session, which means it is no longer recognized and any subsequent requests will not be associated with it.
* All objects bound to the session are removed and available for garbage collection.
* The client's next request will not have a valid session, and the server will treat it as a new session if necessary.
References:The information provided here is aligned with the EC-Council's Certified Application Security Engineer (CASE) JAVA guidelines and best practices for secure session management. For more detailed information, please refer to the EC-Council's CASE JAVA official study guides and training materials12.
質問 # 26
Which of the following authentication mechanism does J2EE support?
- A. Http Basic, Form Based, Client/Server Mutual, HTTP Digest Authentication
- B. Windows, Form based. Role Based, Client/Server Mutual Authentication
- C. Role Based, Http Basic, Windows, Http Digest Authentication
- D. Http Basic, Form Based, Client/Server Mutual, Role Based Authentication
正解:A
質問 # 27
Oliver, a Server Administrator (Tomcat), has set configuration in web.xml file as shown in the following screenshot. What is he trying to achieve?
- A. He wants to transfer only Session cookies over encrypted channel
- B. He wants to transfer the entire data over encrypted channel
- C. He wants to transfer only response parameter data over encrypted channel
- D. He wants to transfer only request parameter data over encrypted channel
正解:B
質問 # 28
Identify the formula for calculating the risk during threat modeling.
- A. IRISK = PROBABILITY * VULNERABILITY
- B. RISK = PROBABILITY " ASSETS
- C. RISK = PROBABILITY "Attack
- D. RISK = PROBABILITY * DAMAGE POTENTIAL
正解:D
解説:
The formula for calculating risk in the context of threat modeling is typically expressed as the product of the probability of a threat materializing and the potential damage that could result from that threat. This is represented as:
RISK=PROBABILITY×DAMAGE POTENTIAL
In threat modeling, 'probability' refers to the likelihood of a threat exploiting a vulnerability, while 'damage potential' refers to the impact or harm that could be caused if the threat were to occur. By multiplying these two factors, we can estimate the level of risk associated with a particular threat.
References: The verified answer is aligned with the principles of threat modeling as per the EC-Council's Application Security Engineer (CASE) JAVA certification guidelines and learning resources1. Additionally, the general concept of risk calculation in threat modeling is supported by industry-standard methodologies, such as those outlined by the OWASP Foundation2.
質問 # 29
Which of the following configuration settings in server.xml will allow Tomcat server administrator to impose limit on uploading file based on their size?
- A. < connector... maxPostSize="0"/>
- B. < connector... maxPostSize="file size" / >
- C. < connector... maxFileLimit="file size" / >
- D. < connector... maxFileSize="file size" / >
正解:B
解説:
In Tomcat's server.xml configuration file, the maxPostSize attribute on a <Connector> element is used to specify the maximum size of a POST request that can be accepted by the server. Setting this attribute to a specific byte size will limit the size of uploads based on that size. If set to 0, it indicates that there is no limit on the size of the POST request1.
References: The EC-Council's Certified Application Security Engineer (CASE) JAVA course includes server configuration and security settings as part of its curriculum, which would cover aspects such as setting upload limits in server configuration files like server.xml for Tomcat1.
質問 # 30
A developer to handle global exception should use _________ annotation along with @ExceptionHandler method annotation for any class
- A. @ControllerAdvice
- B. @GlobalAdvice
- C. @globalControllerAdvice
- D. @Advice
正解:A
質問 # 31
Identify what should NOT be catched while handling exceptions.
- A. IllegalAccessException
- B. SecurityException
- C. NullPointerException
- D. EOFException
正解:B
質問 # 32
A developer has written the following line of code to handle and maintain session in the application. What did he do in the below scenario?
- A. Maintained session by creating a Session variable user with value stored in uname variable.
- B. Maintained session by creating a hidden variable user with value stored in uname variable.
- C. Maintained session by creating a Cookie user with value stored in uname variable.
- D. Maintained session by creating a HTTP variable user with value stored in uname variable.
正解:A
質問 # 33
A developer has written the following line of code to handle and maintain session in the application. What did he do in the below scenario?
- A. Maintained session by creating a Session variable user with value stored in uname variable.
- B. Maintained session by creating a hidden variable user with value stored in uname variable.
- C. Maintained session by creating a Cookie user with value stored in uname variable.
- D. Maintained session by creating a HTTP variable user with value stored in uname variable.
正解:A
解説:
The line of code in the scenario creates a session attribute named "user" with a value taken from the variable
"uname". This is a common practice in web applications to maintain state across multiple requests from the same user. In this instance, the HttpSession object is retrieved from the request object, and then it's used to store an attribute. By setting this session attribute, the developer ensures that the value stored in the variable uname can be associated with the user's session and retrieved during subsequent requests within the same session.
質問 # 34
Which of the following is used to mapCustom Exceptions to Statuscode?
- A. @ResponseCode
- B. @ResponseStatus
- C. @ScacusCode
- D. @ResponseStatusCode
正解:B
解説:
In Spring MVC, the @ResponseStatus annotation is used to map custom exceptions to specific HTTP status codes. When an exception is thrown, you can use this annotation to indicate which status code should be returned. For example, if you have a custom exception that represents a resource not found scenario, you can annotate it with @ResponseStatus and specify HttpStatus.NOT_FOUND as the status code. This will result in a 404 status code being returned when the exception is thrown.
References:The use of @ResponseStatus is covered in the EC-Council's Certified Application Security Engineer (CASE) JAVA training and certification program, which emphasizes the importance of secure application development practices across the Software Development Lifecycle (SDLC). The annotation is also widely documented in Spring MVC resources and tutorials, such as those available on Baeldung and Stack Overflow12.
質問 # 35
It is recommended that you should not use return, break, continue or throw statements in _________
- A. Try-With-Resources block
- B. Try block
- C. Finally block
- D. Catch block
正解:C
解説:
The finally block is used to execute important code such as closing resources, regardless of whether an exception was thrown or handled. Using control transfer statements like return, break, continue, or throw in a finally block can disrupt the normal flow of execution and can lead to unexpected behavior or resource leaks, as these statements may cause the method to exit before the resources are properly closed.
References: The guidelines and best practices for Java application security, as outlined by the EC-Council's Certified Application Security Engineer (CASE) program, emphasize the importance of proper resource management and error handling in secure application development. The CASE program provides comprehensive training on secure coding practices, which includes managing the flow of execution to ensure that resources are properly released and that applications are robust against exceptions and errors.
質問 # 36
Which line of the following example of Java Code can make application vulnerable to a session attack?
- A. Line No. 3
- B. Line No. 4
- C. Line No. 5
- D. Line No. 1
正解:A
解説:
In general, session management is a critical aspect of application security. A common vulnerability related to session management is the improper handling of session tokens, which can lead to session hijacking or fixation attacks. Without seeing the specific code, it's difficult to determine which line would be vulnerable. However, typical issues include:
* Line No. 1: If this line declares the servlet without proper security configuration, it could be vulnerable.
* Line No. 3: If this line involves the creation or handling of a session token without secure attributes (such as HttpOnly or Secure flags), it could make the application vulnerable.
* Line No. 4: If this line sets the session token's expiration too long, it could increase the risk of token theft.
* Line No. 5: If this line sends the session token to the client without encryption, it could be intercepted.
References:For verified answers and detailed explanations, please refer to the official EC-Council Application Security Engineer (CASE) JAVA study guides and courses. You can find more information and resources on their official website and iClass platform.
質問 # 37
Identify the type of attack depicted in the figure below:
- A. Directory traversal attack
- B. SQL injection attack
- C. Session fixation attack
- D. Parameter/form attack
正解:C
質問 # 38
Jacob, a Security Engineer of the testing team, was inspecting the source code to find security vulnerabilities.
Which type of security assessment activity Jacob is currently performing?
- A. CAST
- B. SAST
- C. ISCST
- D. CAST
正解:B
質問 # 39
Which of the risk assessment model is used to rate the threats-based risk to the application during threat modeling process?
- A. DREAD
- B. RED
- C. STRIDE
- D. SMART
正解:C
解説:
STRIDE is a risk assessment model used to identify and rate threats during the threat modeling process. It stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Each element of STRIDE represents a specific type of threat that could potentially affect an application, and it is used to systematically assess the security of an application by identifying possible vulnerabilities that could be exploited by these threats.
References: The EC-Council's Certified Application Security Engineer (CASE) JAVA course emphasizes the importance of threat modeling in the software development lifecycle and specifically mentions the use of models like STRIDE to assess and mitigate risks12.
質問 # 40
Which of the following method will help you check if DEBUG level is enabled?
- A. EnableDebug ()
- B. DebugEnabled()
- C. isDebugEnabled()
- D. IsEnableDebug ()
正解:C
解説:
The method isDebugEnabled() is used in various logging frameworks such as Log4j and SLF4J to check if the DEBUG level is enabled before logging a debug message. This is a best practice in application logging, as it prevents the construction of complex log messages when the DEBUG level is not enabled, thus saving system resources.
References: The EC-Council's Certified Application Security Engineer (CASE) JAVA course outlines the importance of secure coding practices and includes the implementation of secure methodologies in the software development lifecycle, which encompasses logging practices12.
質問 # 41
Which of the following authentication mechanism does J2EE support?
- A. Http Basic, Form Based, Client/Server Mutual, HTTP Digest Authentication
- B. Http Basic, Form Based, Client/Server Mutual, Role Based Authentication
- C. Windows, Form based. Role Based, Client/Server Mutual Authentication
- D. Role Based, Http Basic, Windows, Http Digest Authentication
正解:B
解説:
J2EE supports a variety of authentication mechanisms to ensure secure user access and operations. The supported mechanisms include:
* HTTP Basic Authentication: A simple challenge-response mechanism that is part of the HTTP protocol.
* Form-Based Authentication: A more user-friendly approach where users submit their credentials via a web form.
* Client/Server Mutual Authentication: Also known as two-way SSL authentication, where both the client and server authenticate each other.
* Role-Based Authentication: Access control based on user roles, often implemented using declarative security in the deployment descriptor.
These mechanisms are designed to provide a flexible and robust security framework for J2EE applications, allowing developers to choose the most appropriate method for their needs.
References:
* The official J2EE specification, which outlines the security model and supported authentication mechanisms.
* EC-Council's Application Security Engineer (CASE) JAVA courses and study guides that align with the J2EE security requirements.
* InformIT's article on J2EE Security, which details the user authentication requirements for J2EE products1.
* Oracle's documentation on securing J2EE applications, which includes information on the J2EE security model2.
質問 # 42
Alice, a security engineer, was performing security testing on the application. He found that users can view the website structure and file names. As per the standard security practices, this can pose a serious security risk as attackers can access hidden script files in your directory. Which of the following will mitigate the above security risk?
- A. < int param > < param-name>directorv-listinqs < param-value>false < /init-param >
- B. < int-param > < param-name>listinqs < param-value>false < /init-param >
- C. < int-param > < param-name>listinqs < param-value>true < /init-param
- D. < int-param > < param-name>directory-listinqs < param-value>true < /init-param >
正解:B
解説:
To mitigate the security risk of users being able to view the website structure and file names, the correct action would be to disable directory listings. This is often accomplished through configuration settings in web server software, where you can specify whether to allow or deny the listing of directory contents. The option < int-param> <param-name>listings <param-value>false</int-param> effectively disables directory listings, preventing users and potential attackers from viewing the website's file and directory structure, thus enhancing security. Ensuring that directory listings are disabled is a common security practice to avoid revealing sensitive information about the web application's structure.References:
* Web Server Security Best Practices documentation
* OWASP (Open Web Application Security Project) guidelines on securing web server configurations
質問 # 43
Which of the following state management method works only for a sequence of dynamically generated forms?
- A. Cookies
- B. URL-rewriting
- C. Sessions
- D. Hidden Field
正解:D
質問 # 44
......
312-96試験問題集(2024年最新のPDF問題集)現実的な312-96テストエンジン:https://jp.fast2test.com/312-96-premium-file.html