During an audit, several customer order forms v/ere found to contain inconsistencies between the actual price of an item and the amount charged to the customer. Further investigation narrowed the cause of the issue to manipulation of the public-facing web form used by customers to order products. Which of the following would be the BEST way to locate this issue?
The best way to locate the issue of inconsistencies between the actual price of an item and the amount charged to the customer, due to manipulation of the public-facing web form, is to run a static code scan. A static code scan examines the source code of an application without executing it and can identify potential vulnerabilities, such as insecure parameters or logic flaws, that are being exploited. This approach helps in pinpointing the exact code issues leading to the manipulation, making it possible to address and correct them effectively.
Implementing input validation is NOT the best way to LOCATE THE ISSUE. It's a mitigation technique to reduce the likelihood of exploitation. D - static code analysis and code review is the way to go.
I agree with this!
I also agree. The question says the 'web form' was manipulated. I am not seeing how input validation would assist with the code on the web form being manipulated. Thus, Static code analysis should be the better option here.
C. Implement input validation would be the BEST way to locate the issue of manipulation of the public-facing web form used by customers to order products. Running a static code scan (Option D) may help to identify potential vulnerabilities in the source code of the web application, but it is not specific to the issue of manipulation of the web form. Static code scans are usually used to identify code-level vulnerabilities before the application is deployed, while the issue here is more likely to be a configuration or logic issue in the web form.
A static code scan is a type of code analysis that examines the source code of an application without actually executing it. This analysis can detect issues such as code injection vulnerabilities, cross-site scripting (XSS) vulnerabilities, and other security flaws. In this case, the manipulation of the public-facing web form could be due to a vulnerability in the code of the web form. By running a static code scan, any vulnerabilities or weaknesses in the code could be identified, and appropriate remedial actions could be taken to fix the issue.
only viable answer!
Implementing input validation on the web form used by customers to order products would be the best way to locate the issue of inconsistencies between the actual price of an item and the amount charged to the customer. Input validation involves checking the data entered by users and ensuring it meets certain criteria, such as proper format, data type, and length. By validating the input data, the security analyst can ensure that the user-entered data is in the correct format and does not contain any malicious payloads or tampering. This will help prevent the manipulation of the web form and reduce the risk of fraud and data breaches.
Input validation is required
he best way to locate the issue of manipulation in the public-facing web form would be C. Implement input validation. This ensures that only properly formatted data is entered into the system, which can help prevent inconsistencies and manipulation.
"manipulation of the public-facing WEB FORM" Implement input validation on web forms (Both client and at server).
Changing my answer to A. Question is about locating the issue, not fixing/remediation.
How would "Reduce the session timeout threshold" would locate the issue? Obviously, this is a poorly worded question but if we need to locate and not fix then D would be the best answer in this case.
D - I mean in what world would input validation be used to investigate or locate an issue? :)
"which would be the best to locate this issue" I think is the key here. While initially I thought it was input validation, that doesn't really help locate the issue but it does help mitigate it. I think the answer is D static code analysis. It will help help locate the insecure parameters that are likely being passed in the http request such as "item price" which are being manipulated by the user.
C. Implement input validation. Implementing input validation involves validating and sanitizing user input on the web form to ensure that only valid and expected data is accepted. This can help prevent malicious or unintended input, such as unauthorized changes to product prices. By implementing input validation, you can enforce specific rules and constraints on the data entered by users, such as numerical values for prices, proper formatting, and other relevant criteria. This can help detect and reject any attempts to manipulate the form by entering incorrect or malicious pricing information.
agree with D
D static code scan