Get Instant Access to 312-96 Practice Exam Questions
Reliable Study Materials & Testing Engine for 312-96 Exam Success!
EC-Council CASE Java Exam Certification Details:
| Passing Score | 70% |
| Exam Code | 312-96 |
| Duration | 120 mins |
| Exam Name | EC-Council Certified Application Security Engineer (CASE) - Java |
| Exam Price | $450 (USD) |
| Books / Training | Master Class |
| Number of Questions | 50 |
NEW QUESTION # 17
Stephen is a web developer in the InterCall Systems. He was working on a Real Estate website for one of his clients. He was given a task to design a web page with properties search feature. He designed the following searchpage.jsp
< form Id="form1" method="post" action="SearchProperty.jsp" >
< input type="text" id=''txt_Search" name="txt_Search" placeholder="Search Property..." / >
< input type="Submit" Id="Btn_Search" value="Search" / >
< /form >
However, when the application went to security testing phase, the security tester found an XSS vulnerability on this page. How can he mitigate the XSS vulnerability on this page?
- A. He should write code like out.write ("You Searched for:" + request.qetParameterf'txt Search"));
- B. He should write code like out.write ("You Searched for:" + request.qetParameter("search"l.toStrinq(ll;
- C. He should write code like out-Write ("You Searched for:" +ESAPI.encoder().encodeForHTML(search));
- D. He should write code like out.write (("You Searched for:" +(search));
Answer: C
NEW QUESTION # 18
It is recommended that you should not use return, break, continue or throw statements in _________
- A. Finally block
- B. Try block
- C. Catch block
- D. Try-With-Resources block
Answer: A
NEW QUESTION # 19
Which of the following state management method works only for a sequence of dynamically generated forms?
- A. Hidden Field
- B. Cookies
- C. Sessions
- D. URL-rewriting
Answer: A
NEW QUESTION # 20
Which of the following can be derived from abuse cases to elicit security requirements for software system?
- A. Misuse cases
- B. Security use cases
- C. Data flow diagram
- D. Use cases
Answer: B
NEW QUESTION # 21
During his secure code review, John, an independent application security expert, found that the developer has used Java code as highlighted in the following screenshot. Identify the security mistake committed by the developer?
- A. He is trying to use Whitelisting Input Validation
- B. He is trying to use Blacklisting Input Validation
- C. He is trying to use Parametrized SQL Query
- D. He is trying to use Non-parametrized SQL query
Answer: D
NEW QUESTION # 22
Alice, a security engineer, was performing security testing on the application. He found that users can view the website structure and file names. As per the standard security practices, this can pose a serious security risk as attackers can access hidden script files in your directory. Which of the following will mitigate the above security risk?
- A. < int-param > < param-name>listinqs < param-value>true < /init-param
- B. < int param > < param-name>directorv-listinqs < param-value>false < /init-param >
- C. < int-param > < param-name>directory-listinqs < param-value>true < /init-param >
- D. < int-param > < param-name>listinqs < param-value>false < /init-param >
Answer: B
NEW QUESTION # 23
Which of the following Spring Security Framework configuration setting will ensure the protection from session fixation attacks by not allowing authenticated user to login again?
- A. session-fixation-protection ="newSessionlD"
- B. session-fixation-protection =".
- C. session-fixation-protection ="enabled"
- D. session-fixation-protection =".
Answer: B
NEW QUESTION # 24
Identify the type of attack depicted in the figure below:
- A. Denial-of-Service attack
- B. Cross-Site Request Forgery (CSRF) attack
- C. SQL injection attack
- D. XSS
Answer: B
NEW QUESTION # 25
Which of the following method will help you check if DEBUG level is enabled?
- A. isDebugEnabled()
- B. IsEnableDebug ()
- C. DebugEnabled()
- D. EnableDebug ()
Answer: A
NEW QUESTION # 26
Which of the following configurations can help you avoid displaying server names in server response header?
- A. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" Server = " " redirectPort="8443" / >
- B. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" ServerName ="null " redirectPort="8443'' / >
- C. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" ServerName=" disable" redirectPort="8443" / >
- D. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort= "8443" / >
Answer: C
NEW QUESTION # 27
Jacob, a Security Engineer of the testing team, was inspecting the source code to find security vulnerabilities.
Which type of security assessment activity Jacob is currently performing?
- A. CAST
- B. CAST
- C. SAST
- D. ISCST
Answer: C
NEW QUESTION # 28
Which of the risk assessment model is used to rate the threats-based risk to the application during threat modeling process?
- A. DREAD
- B. STRIDE
- C. RED
- D. SMART
Answer: B
NEW QUESTION # 29
Identify what should NOT be catched while handling exceptions.
- A. NullPointerException
- B. IllegalAccessException
- C. SecurityException
- D. EOFException
Answer: C
NEW QUESTION # 30
Identify the type of attack depicted in the following figure.
- A. Session Fixation Attack
- B. Parameter Tampering Attack
- C. Denial-of-Service Attack
- D. SQL Injection Attacks
Answer: B
NEW QUESTION # 31
Suppose there is a productList.jsp page, which displays the list of products from the database for the requested product category. The product category comes as a request parameter value. Which of the following line of code will you use to strictly validate request parameter value before processing it for execution?
- A. public boolean validateUserName() { Pattern p = Pattern.compile("[a-zA-Z0-9]*$"); Matcher m = p.matcher(request.getParameter(CatId")); boolean result = m.matches(); return result;}
- B. public boolean validateUserName() {String CategoryId= request.getParameter("CatId");}
- C. public.boolean validateUserName() { if(!request.getParamcter("CatId").equals("null"))}
- D. public boolean validateUserName() { if(request.getParameter("CatId")!=null ) String CategoryId=request.getParameter("CatId");}
Answer: A
NEW QUESTION # 32
A developer has written the following line of code to handle and maintain session in the application. What did he do in the below scenario?
- A. Maintained session by creating a HTTP variable user with value stored in uname variable.
- B. Maintained session by creating a Cookie user with value stored in uname variable.
- C. Maintained session by creating a Session variable user with value stored in uname variable.
- D. Maintained session by creating a hidden variable user with value stored in uname variable.
Answer: C
NEW QUESTION # 33
In a certain website, a secure login feature is designed to prevent brute-force attack by implementing account lockout mechanism. The account will automatically be locked after five failed attempts. This feature will not allow the users to login to the website until their account is unlocked. However, there is a possibility that this security feature can be abused to perform __________ attack.
- A. Unvalidated Redirects and Forwards
- B. Failure to Restrict URL
- C. Denial-of-Service [Do
- D. Broken Authentication
Answer: C
NEW QUESTION # 34
Which line of the following example of Java Code can make application vulnerable to a session attack?
- A. Line No. 1
- B. Line No. 5
- C. Line No. 4
- D. Line No. 3
Answer: D
NEW QUESTION # 35
To enable the struts validator on an application, which configuration setting should be applied in the struts validator configuration file?
- A. lsNotvalidate="false"
- B. valid ate-'true"
- C. lsNotvalidate="disabled"
- D. validate="enabled"
Answer: B
NEW QUESTION # 36
......
EC-Council 312-96 Exam Syllabus Topics:
| Topic | Details | Weights |
|---|---|---|
| Secure Application Design and Architecture | - Understand the importance of secure application design -Explain various secure design principles -Demonstrate the understanding of threat modeling -Explain threat modeling process -Explain STRIDE and DREAD Model -Demonstrate the understanding of Secure Application Architecture Design | 12% |
| Security Requirements Gathering | -Understand the importance of gathering security requirements -Explain Security Requirement Engineering (SRE) and its phases -Demonstrate the understanding of Abuse Cases and Abuse Case Modeling - Demonstrate the understanding of Security Use Cases and Security Use Case Modeling -Demonstrate the understanding of Abuser and Security Stories -Explain Security Quality Requirements Engineering (SQUARE) Model -Explain Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Model | 8% |
| Understanding Application Security, Threats, and Attacks | -Understand the need and benefits of application security -Demonstrate the understanding of common application-level attacks -Explain the causes of application-level vulnerabilities -Explain various components of comprehensive application security -Explain the need and advantages of integrating security in Software Development Life Cycle (SDLQ) -Differentiate functional vs security activities in SDLC -Explain Microsoft Security Development Lifecycle (SDU) -Demonstrate the understanding of various software security reference standards, models, and frameworks | 18% |
| Secure Coding Practices for Input Validation | - Understand the need of input validation -Explain data validation techniques -Explain data validation in strut framework -Explain data validation in Spring framework -Demonstrate the knowledge of common input validation errors -Demonstrate the knowledge of common secure coding practices for input validation | 8% |
| Secure Coding Practices for Cryptography | - Understand fundamental concepts and need of cryptography In Java -Explain encryption and secret keys -Demonstrate the knowledge of cipher class Implementation -Demonstrate the knowledge of digital signature and Its Implementation -Demonstrate the knowledge of Secure Socket Layer ISSUand Its Implementation -Explain Secure Key Management -Demonstrate the knowledgeofdigital certificate and its implementation - Demonstrate the knowledge of Hash implementation -Explain Java Card Cryptography -Explain Crypto Module in Spring Security -Demonstrate the understanding of Do's and Don'ts in Java Cryptography | 6% |
| Secure Deployment andMaintenance | - Understand the importance of secure deployment -Explain security practices at host level -Explain security practices at network level -Explain security practices at application level -Explain security practices at web container level (Tomcat) -Explain security practices at Oracle database level -Demonstrate the knowledge of security maintenance and monitoring activities | 10% |
| Static and Dynamic Application Security 'resting (SAST & DAST) | - Understand Static Application Security Testing (SAST) -Demonstrate the knowledge of manual secure code review techniques for most common vulnerabilities -Explain Dynamic Application Security Testing -Demonstrate the knowledge of Automated Application Vulnerability Scanning Toolsfor DAST -Demonstrate the knowledge of Proxy-based Security Testing Tools for DAST | 8% |
| Secure Coding Practices for Session Management | - Explain session management in Java -Demonstrate the knowledge of session management in Spring framework -Demonstrate the knowledge of session vulnerabilities and their mitigation techniques -Demonstrate the knowledge of best practices and guidelines for secure session management | 10% |
| Secure Coding Practices for Authentication and Authorization | - Understand authentication concepts -Explain authentication implementation in Java -Demonstrate the knowledge of authentication weaknesses and prevention -Understand authorization concepts -Explain Access Control Model -Explain EJB authorization -Explain Java Authentication and Authorization (JAAS) -Demonstrate the knowledge of authorization common mistakes and countermeasures -Explain Java EE security -Demonstrate the knowledge of authentication and authorization in Spring Security Framework -Demonstrate the knowledge of defensive coding practices against broken authentication and authorization | 4% |
Validate your Skills with Updated 312-96 Exam Questions & Answers and Test Engine: https://www.guidetorrent.com/312-96-pdf-free-download.html
Tested & Approved 312-96 Study Materials Download: https://drive.google.com/open?id=1ogB8JDJUtisIS6HLt0EIL4anm0OIphF9