000 139 PDF

http://www.TwPass.
com
000-139
IBM
AppScan Standard Edition
http://www.twpass.com/twpass.com/exam.aspx?eCode= 000-139
The 000-139 practice exam is written and formatted by Certified Senior IT Professionals working in
today's prospering companies and data centers all over the world! The 000-139 Practice Test covers all
the exam topics and objectives and will prepare you for success quickly and efficiently.
The 000-139 exam is very challenging, but with our 000-139 questions and answers practice exam,
you can feel confident in obtaining your success on the 000-139 exam on your FIRST TRY!
IBM 000-139 Exam Features
- Detailed questions and answers for 000-139 exam
- Try a demo before buying any IBM exam
- 000-139 questions and answers, updated regularly
- Verified 000-139 answers by Experts and bear almost 100% accuracy
- 000-139 tested and verified before publishing
- 000-139 exam questions with exhibits
- 000-139 same questions as real exam with multiple choice options
Acquiring IBM certifications are becoming a huge task in the field of I.T. More over these
exams like 000-139 exam are now continuously updating and accepting this challenge is itself a task.
This 000-139 test is an important part of IBM certifications. We have the resources to
prepare you for this. The 000-139 exam is essential and core part of IBM certifications and
once you clear the exam you will be able to solve the real life problems yourself.Want to take
advantage of the Real 000-139 Test and save time and money while developing your skills to pass
your IBM 000-139 Exam? Let us help you climb that ladder of success and pass your 000-139 now!
000-139
QUESTION: 1
Which type of vulnerability can occur when a developer exposes a reference to an internal
implementation object, such as a file, directory, database record, or key, as a URL or form
parameter?
A. Cross-site Scripting
B. Insecure Direct Object Reference
C. Injection Flaw
D. Cross Site Request Forgery
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=000-139&qno=1
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 2
After 30 minutes your scan stops with an out-of-session error. What is a possible cause of this
error?
A. Redundant path limit was too low.

B. A parameter was not tracked.
C. Flash parsing was turned off.
D. Platform authentication was not configured.
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 3
AppScan sent the following test HTTP request: GET
/web/content/index.php?file=/../../../../../../../../etc/passwd%00 HTTP/1.0 Cookie:
JSESSIONID=dqt0LSnfhdVyTJkCwTwfLQQSkTTGYX9D79tLLpT1yLQjVhSpZKP9!91437
6523; customerLanguage=en Accept: */* Accept-Language: en-US User-Agent: Mozilla/4.0
(compatible; MSIE 6.0; Win32) Host: www.ibm.com Although, there is no indication in the
response about the existence of a password file, AppScan reported vulnerability with the
following reasoning: Global Validation found an embedded script in the response
(<script>alert(25053)</script>), which was probably injected by a previous test. The presence
of this script in the site suggests that the application is vulnerable to which type of attack?
A. Stored Cross-site Scripting

B. Cross-site Scripting
C. Namazu Path Traversal
D. Directory Listing
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 4
What information does difference displayed in the Request / Response tab provide?
A. the difference between two tests

B. how the vulnerability was resolved
C. how AppScan constructed the test HTTP request
D. how the Web application page has been modified from its previous version
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 5
You are scanning a Web site in a pre-production environment. You notice that your scan is
running very slowly and there are numerous communication errors. What would you do to
resolve the problem?
A. increase the number of threads and decrease the timeout limit

B. decrease the number of threads and increase the timeout limit
C. increase the number of threads and increase the timeout limit
D. set the timeout to 0 for infinite timeout
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 6
Which type of vulnerability allows an attacker to execute a malicious script in a user browser?
B. Injection Flaw
C. Insecure Direct Object Reference
D. Failure to restrict URL access
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 7
Which statement is true about infrastructure vulnerabilities?
A. They are caused by insecure coding and are fixed by modifying the application code.
B. They are detected using application security scanners and exist in the Web
application.
C. They are known vulnerabilities and are fixed by modifying the application code.
D. They exist in third-party components and are fixed by applying security patches.
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 8
What does secure session management require?
A. session tokens that are given long lifetimes

B. session tokens that are invalidated when the user logs out
C. session tokens that are persistent
D. session tokens that are numeric
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 9
Your site contains the following URL:
http://www.mycompany.com/smb/default.jsp?page=wireless productID=65343, In this URL,
the page parameter defines a unique page and the productID parameter defines a different
product page, based on a template. How would you configure AppScan to thoroughly explore
this site while avoiding redundant URLs? (Choose two.)
A. ensure JavaScript Execute is turned on

B. ignore the page parameter
C. turn off Redundant Path limit
D. track the page parameter
E. Track the productID parameter
F. Ignore the productID parameter
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 10
You are scanning a Web application in a pre-production environment. During your initial
assessment, you notice that some of the links are specified by IP and some by host name. Your
starting URL contains an IP address, http://12.34.56.67/default.jsp. When the scan completes,
you discover that it has not covered a significant portion of your Web application. What could
be the reason?
A. The host name is not added to the list of additional domains and servers.
B. The scan is configured to use only one connection.
C. There is no route to IP 12.34.56.67.
D. You are not licensed to scan IP 12.34.56.67.
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 11
You expect your scan to cover around 500 pages, but instead it covers 55. What are three
possible reasons for this? (Choose three.)
A. You chose the wrong test policy.

B. The login failed.
C. You specified only one connection.
D. JavaScript Execution was not enabled.
E. The redundant path limit was set too low.
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 12
Which lines in an HTTP response would trigger a positive result from an AppScan test for a
vulnerability of type Possible Server Path Disclosure Pattern Found?
A. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
B. 
C. d:\backup\website\oldfiles
D. ./images/header/ibm/logoBigBlue.jpg
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 13
Which Web application operation indicates that the application may be vulnerable to Cross-site
Request Forgery?
A. GET transferfunds.aspx?sacct=3434dacct=56745formtoken= YUR345

B. GET sendemail.aspx?address=jsmith@dfg.com subject=hello content=
C. GET search.aspx text=ersonal banking
D. GET login.aspx
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 14
How does in-session detection work?
A. checks if the in-session pattern is present in every test response you receive from the
site
B. pings the application every 5 seconds and verifies the connection
C. sends the in-session detection request every 5 seconds and verifies that the in-session
pattern exists
D. updates the session token values to ensure that the user is still logged in
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 15
Which three steps should you take before running a security scan with AppScan? (Choose
three.)
A. notify application users

B. notify IT and Web Operations teams
C. back up your database
D. disable employed SMTP server
E. ensure only one thread is specified in the AppScan configuration
F. ensure that you have specified which reports you want to create
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 16
Which statement is true about network firewalls preventing Web application attacks?
A. Network firewalls cannot prevent attacks because ports 80 and 443 must be open.
B. If configured properly, network firewalls can prevent attacks.
C. Network firewalls cannot prevent attacks because it is too complex to configure.
D. Network firewalls can prevent attacks because they can detect malicious HTTP
traffic.
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 17
Which username/passwords combination would NOT be reported as predictable by AppScan?
A. admin/admin
B. johnr/Na2acrA
C. user1/password
D. johnr/nascar
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 18
When would you set up a multi-step operation in AppScan?
A. when your application requires specific user input
B. when your application requires JavaScript execution

C. when your application requires a specific flow
D. when your application has two-factor authentication
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 19
What does a Cross-site Scripting vulnerability allow an attacker to do?
A. execute a malicious script on the Web server

B. change the Web server configuration
C. steal a user session tokens
D. drop database tables
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 20
AppScan belongs to which category of vulnerability assessment tools?
A. Host Scanners
B. Network Scanners
C. Black-Box Scanners
D. White-Box Scanners
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 21
What are two reasons why it is recommended that a Web application be scanned in a preproduction environment? (Choose two.)
A. to avoid having to notify the application owner

B. to improve scan performance
C. to avoid service interruption
D. to obtain more accurate results
E. to avoid corruption of the production database
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 22
What is indicative of Information Leakage vulnerability?
A. When the user logs in, hello, username! is displayed.
B. The exception call stack is displayed.

C. The message incorrect username or password! is displayed.
D. The message script error: Please contact the Web site administrator! is displayed.
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 23
In the AppScan Application Data view, what can help you determine if your application was
fully explored? (Choose two.)
A. Visited URLs
B. JavaScripts
C. Cookies
D. Broken links
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 24
AppScan received the following test response: An Error Has Occurred Summary: Syntax
error in string in query expression userid = . Error Message:
System.Data.OleDb.OleDbException: Syntax error in string in query expression userid = . at
System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS
dbParams, Object executeResult) at ? Which type of vulnerability does this error message
indicate?
A. SQL Injection
B. Blind SQL Injection
C. XSS
D. Possible Server Path Disclosure Found
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 25
When can an injection type attack occur?
A. when the database is set up on a server outside the demilitarized zone

B. when an error message is generated by the Web server
C. when user-supplied data is sent to an interpreter as part of a command, query, or data
D. when too many users have ADMIN credentials to the Web server console
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 26
Which statement is true about application-specific vulnerabilities?
A. They exist in third-party components and are fixed by applying security patches.
B. They are caused by insecure coding and are fixed by modifying the application code.
C. They are detected using application security scanners and exist in third-party
components.
D. They are known vulnerabilities and are fixed by modifying the application code.
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 27
What are the implications of Malicious File Execution vulnerabilities?
A. user impersonation and authentication bypass

B. authentication bypass and site defacement
C. site defacement and complete takeover of the application
D. complete takeover of the application and user impersonation
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 28
Where can you find details about a test AppScan executed during a scan?
A. in the Application Data view

B. in the Request/Response view
C. in the Original HTTP Traffic view
D. in the Fix Recommendation view
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 29
If the URL to your home page is http://domain.com and it redirects to http://www.domain.com,
how would you configure your scan?
A. do not do anything
B. configure the AppScan proxy settings
C. add www.domain.com to the list of additional domains
D. edit your DNS settings
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 30
Which type of vulnerability allows an attacker to browse files that shouldn be accessible (e.g.
*.bak, "Copy of", *.inc, etc.) or pages restricted forWhich type of vulnerability allows an
attacker to browse files that shouldn? be accessible (e.g. *.bak, "Copy of", *.inc, etc.) or pages
restricted for users with higher privileges?
A. Insecure Cryptographic Storage

B. Injection Flaw
C. Failure to Restrict URL Access
D. Insecure Communication
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 31
Which HTTP response codes trigger Application Error vulnerabilities?
A. 500
B. 302
C. 403
D. 200
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 32
AppScan reported a large number of idden files, which you know do not exist on your Web
server. What is the likely cause?
A. You did not define a custom error page.

B. AppScan created all these files on the server.
C. You did not exclude third-party domains.
D. Somebody put the files on the server.
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 33
How does an attacker exploit Web application vulnerabilities?
A. by hacking the firewall

B. by installing viruses on a user machineby installing viruses on a user? machine
C. by sending malicious HTTP requests
D. by sniffing the traffic between a user and the Web server
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 34
Which AppScan report type relates to Sarbanes-Oxley Act, HIPPA and FISMA?
A. Compliance
B. WASC Threat Classification
C. OWASP Top 10
D. Delta Analysis
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 35
An AppScan test successfully embedded the following lines in an HTTP response header (in
bold): HTTP/1.1 200 OK Content-Length: 5710 Connection: close Date: Wed, 07 May 2008
19:36:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version:
2.0.50727 Set-Cookie: lang=Foobar AppScanHeader: AppScanValue/1.2-3
SecondAppScanHeader: whatever; path=/ Cache-Control: private Content-Type: text/html;
charset=utf-8 Which type of vulnerability does this indicate?
B. XPath Injection
C. HTTP Response Splitting
D. SQL Injection
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 36
How can an attacker use the information gained by an SQL debug message?
A. steal sensitive information from other users

B. run scripts on other users browsers
C. alter the communication protocol used by the site
D. can potentially understand the query s structure
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 37
Which type of parameters does AppScan manipulate when testing a .Net Web Service
A. JSON parameters
B. All custom parameters

C. SOAP parameters
D. POST parameters
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 38
AppScan identified a Blind SQL Injection vulnerability in your Web application by sending
three requests, all of which modify the searchText parameter in the following way: HTTP
request 1: 1234 and foobar = foobar HTTP request 2: 1234 and boofar = foobar HTTP
request 3: 1234 or barfoo = foobar Upon reviewing the three responses, you notice that
response 1 and response 3 are identical and response 2 only differs in the fact that the date and
time on the page changed (i.e. 23:59 Dec 31, 2008 to 00:01 Jan 1, 2009). What do you
conclude from this information?
A. This is a false positive.

B. This is an actual vulnerability.
C. No conclusions can be made, given the information provided.
D. AppScan failed to log in.
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 39
After scanning your site with AppScan, you notice that your password was changed to 234.
What most likely happened?
A. One of the AppScan tests hacked your account and changed the password.
B. AppScan followed the Reset Password link.
C. AppScan submitted the change password form.
D. Your system admin changed your password during the scan.
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 40
What is the problem with the following session pattern? Good morning, John!
A. The pattern does not match the session token pattern.

B. This in-session pattern can change on the site.
C. This in-session pattern can be changed in the scan configuration.
D. Multiple threads can parse this string incorrectly.
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 41
Your site contains the following URL:
http://www.mycompany.com/smb/default.jsp?page=wireless In this URL, the Page parameter
defines a unique page. How would you configure AppScan to fully explore this site?
A. turn off Redundant Path limit

B. ensure JavaScript Execute is turned on
C. ignore the Page parameter
D. track the Page parameter
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 42
How do you test a Web service with AppScan?
A. interact with the Web service methods manually and then run AppScan to send the
generated tests automatically
B. explore the Web service automatically and then manually sends the generated tests
one by one
C. create a Python script for testing the service
D. explore the Web service automatically and then run AppScan to send the generated
tests automatically
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 43
In which three areas does AppScan test for vulnerabilities?
A. the network layer, the web application, the web server

B. the operating system, the web application platform, the database
C. the web application, the web server, the web application platform
D. the web application platform, the network layer, the web server
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 44
To construct a test, AppScan changed an HTTP request by removing the File CFile and
First_name parameters and changing the value of the Email_address mail_address parameter
to "><script>alert(23443)</script>"> Which type of vulnerability is AppScan testing for?
A. SQL Injection
B. XPath Injection
C. Cross-site Scripting
D. Possible Server Path Disclosure Found
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 45
Which three actions should you take if your application requires form-based authentication?
(Choose three.)
A. record a login sequence

B. configure platform authentication
C. configure client-side certificates
D. ensure that in-session detection is enabled and properly configured
E. ensure that all session tokens are being tracked
F. reduce the number of threads to one
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 46
What information does reasoning displayed in the Request / Response tab provide?
A. how to avoid this type of issue

B. why AppScan concluded that there is an issue
C. how AppScan constructed the test
D. why this issue causes non-compliance
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 47
How does AppScan test a Web application?
A. by sniffing network traffic

B. by scanning the Web server host machine
C. by performing a port scan
D. by sending HTTP requests
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 48
What happens when AppScan generates an Industry Standard report?
A. It generates and executes industry-specific tests.

B. It maps the discovered vulnerabilities to a set of industry-specific checkpoints.
C. It provides industry-specific advisories.
D. It applies an industry-specific test policy.
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 49
Which defense is most reliable in protecting a Web application from being hacked?
A. set up an application firewall

B. use SSL encryption
C. set up an Intrusion Detection System
D. write secure code
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 50
You notice that when you run your scan, your login account gets locked out. How can you
resolve the issue?
A. disables tests on your login and logout pages

B. disable JavaScript execute
C. reduce the number of threads
D. increase the timeout limit
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 51
Directories containing sensitive files must be hidden from the user. What is the best way to
hide the existence and content of such a directory?
A. configure your Web server to issue a response: 403 ?Access forbidden

B. configure your Web server to issue a response: 302 - Redirect to home
C. list the directory contents
D. configure your Web server to issue a response: 404 - Not Found
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 52
Why is it important to encrypt the HTTP traffic for an authenticated connection between a
client and Web server?
A. to prevent SQL injection

B. to prevent sensitive information from being stolen
C. to prevent Cross-site Scripting
D. to prevent Web site defacement
-------------------------------------------------------------------------------------------------------------------------------------
TwPass Certification Exam Features;

-
TwPass offers over 2500 Certification exams for professionals.

More than 98,800 Satisfied Customers Worldwide.
Average 99.8% Success Rate.
Over 120 Global Certification Vendors Covered.
Services of Professional & Certified Experts available via support.
Free 90 days updates to match real exam scenarios.
Instant Download Access! No Setup required.
Price as low as $19, which is 80% more cost effective than others.
Verified answers researched by industry experts.
Study Material updated on regular basis.
Questions / Answers are downloadable in PDF format.
Mobile Device Supported (Android, iPhone, iPod, iPad)
No authorization code required to open exam.
Portable anywhere.
Guaranteed Success.
Fast, helpful support 24x7.
View list of All Exams (AE);

http://www.twpass.com/twpass.com/vendors.aspx
Download Any Certication Exam DEMO.

http://www.twpass.com/twpass.com/vendors.aspx
To purchase Full version of exam click below;

http://www.TwPass.com/

000 139 PDF

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

000 139 PDF

Hochgeladen von

Copyright:

Verfügbare Formate

http://www.TwPass.

A. Redundant path limit was too low.

A. Stored Cross-site Scripting

A. the difference between two tests

A. increase the number of threads and decrease the timeout limit

A. session tokens that are given long lifetimes

A. ensure JavaScript Execute is turned on

A. You chose the wrong test policy.

A. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

A. GET transferfunds.aspx?sacct=3434dacct=56745formtoken= YUR345

A. notify application users

A. when your application requires specific user input

B. when your application requires JavaScript execution

A. execute a malicious script on the Web server

A. to avoid having to notify the application owner

A. When the user logs in, hello, username! is displayed.

B. The exception call stack is displayed.

A. when the database is set up on a server outside the demilitarized zone

A. user impersonation and authentication bypass

A. in the Application Data view

A. Insecure Cryptographic Storage

A. You did not define a custom error page.

A. by hacking the firewall

A. steal sensitive information from other users

B. All custom parameters

A. This is a false positive.

A. The pattern does not match the session token pattern.

A. turn off Redundant Path limit

A. the network layer, the web application, the web server

A. record a login sequence

A. how to avoid this type of issue

A. by sniffing network traffic

A. It generates and executes industry-specific tests.

A. set up an application firewall

A. disables tests on your login and logout pages

A. configure your Web server to issue a response: 403 ?Access forbidden

A. to prevent SQL injection

TwPass Certification Exam Features;

TwPass offers over 2500 Certification exams for professionals.

View list of All Exams (AE);

Download Any Certication Exam DEMO.

To purchase Full version of exam click below;

Das könnte Ihnen auch gefallen