Start your 312-96 Exam Questions Preparation with Updated 49 Questions [Q26-Q47]


EC-Council CASE Java Exam Certification Details:

Duration: 120 mins
Exam Price: $450 (USD)
Exam Name: EC-Council Certified Application Security Engineer (CASE) - Java
Sample Questions: EC-Council CASE Java Sample Questions
Passing Score: 70%
Number of Questions: 50
Books / Training: Master Class


EC-Council 312-96 Exam Syllabus Topics:

Secure Coding Practices for Input Validation (weight: 8%)
- Understand the need for input validation
- Explain data validation techniques
- Explain data validation in the Struts framework
- Explain data validation in the Spring framework
- Demonstrate the knowledge of common input validation errors
- Demonstrate the knowledge of common secure coding practices for input validation

Static and Dynamic Application Security Testing (SAST & DAST) (weight: 8%)
- Understand Static Application Security Testing (SAST)
- Demonstrate the knowledge of manual secure code review techniques for the most common vulnerabilities
- Explain Dynamic Application Security Testing (DAST)
- Demonstrate the knowledge of automated application vulnerability scanning tools for DAST
- Demonstrate the knowledge of proxy-based security testing tools for DAST

Secure Coding Practices for Cryptography (weight: 6%)
- Understand fundamental concepts and the need for cryptography in Java
- Explain encryption and secret keys
- Demonstrate the knowledge of Cipher class implementation
- Demonstrate the knowledge of digital signatures and their implementation
- Demonstrate the knowledge of Secure Socket Layer (SSL) and its implementation
- Explain secure key management
- Demonstrate the knowledge of digital certificates and their implementation
- Demonstrate the knowledge of hash implementation
- Explain Java Card cryptography
- Explain the Crypto module in Spring Security
- Demonstrate the understanding of do's and don'ts in Java cryptography

Secure Application Design and Architecture (weight: 12%)
- Understand the importance of secure application design
- Explain various secure design principles
- Demonstrate the understanding of threat modeling
- Explain the threat modeling process
- Explain the STRIDE and DREAD models
- Demonstrate the understanding of secure application architecture design

Understanding Application Security, Threats, and Attacks (weight: 18%)
- Understand the need for and benefits of application security
- Demonstrate the understanding of common application-level attacks
- Explain the causes of application-level vulnerabilities
- Explain various components of comprehensive application security
- Explain the need for and advantages of integrating security in the Software Development Life Cycle (SDLC)
- Differentiate functional vs security activities in the SDLC
- Explain the Microsoft Security Development Lifecycle (SDL)
- Demonstrate the understanding of various software security reference standards, models, and frameworks

Secure Deployment and Maintenance (weight: 10%)
- Understand the importance of secure deployment
- Explain security practices at host level
- Explain security practices at network level
- Explain security practices at application level
- Explain security practices at web container level (Tomcat)
- Explain security practices at Oracle database level
- Demonstrate the knowledge of security maintenance and monitoring activities

Secure Coding Practices for Authentication and Authorization (weight: 4%)
- Understand authentication concepts
- Explain authentication implementation in Java
- Demonstrate the knowledge of authentication weaknesses and prevention
- Understand authorization concepts
- Explain access control models
- Explain EJB authorization
- Explain the Java Authentication and Authorization Service (JAAS)
- Demonstrate the knowledge of common authorization mistakes and countermeasures
- Explain Java EE security
- Demonstrate the knowledge of authentication and authorization in the Spring Security framework
- Demonstrate the knowledge of defensive coding practices against broken authentication and authorization

Security Requirements Gathering (weight: 8%)
- Understand the importance of gathering security requirements
- Explain Security Requirement Engineering (SRE) and its phases
- Demonstrate the understanding of abuse cases and abuse case modeling
- Demonstrate the understanding of security use cases and security use case modeling
- Demonstrate the understanding of abuser and security stories
- Explain the Security Quality Requirements Engineering (SQUARE) model
- Explain the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) model

Secure Coding Practices for Error Handling (weight: 16%)
- Explain exception and error handling in Java
- Explain erroneous exceptional behaviors
- Demonstrate the knowledge of do's and don'ts in error handling
- Explain Spring MVC error handling
- Explain exception handling in Struts2
- Demonstrate the knowledge of best practices for error handling
- Explain logging in Java
- Demonstrate the knowledge of Log4j for logging
- Demonstrate the knowledge of coding techniques for secure logging
- Demonstrate the knowledge of best practices for logging

 

NEW QUESTION # 26
Which of the following configurations can help you avoid displaying server names in server response header?

  • A. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" Server = " " redirectPort="8443" / >
  • B. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort= "8443" / >
  • C. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" ServerName ="null " redirectPort="8443'' / >
  • D. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" ServerName=" disable" redirectPort="8443" / >

Answer: A

Explanation:
Tomcat's HTTP Connector has a server attribute that overrides the Server response header (the documentation spells it in lower case; Tomcat builds the setter name from the attribute, so Server works as well). Tomcat 7 and 8.0 sent Server: Apache-Coyote/1.1 on every response by default, which tells an attacker which server family they are talking to; setting the attribute to a blank value, as in option A, replaces that with an empty header. Tomcat 8.5 and later send no Server header at all unless the attribute is set or the application sets one, so on a current release the fix is already the default. ServerName (options C and D) is not a Connector attribute; Tomcat logs a warning about the unknown property and ignores it, and option B changes nothing.
Verify after restarting Tomcat with a HEAD request (for example curl -sI against port 8080) and confirm that no Server: line naming the product comes back. Hiding the header only defeats casual fingerprinting: default error pages, default resources and version-specific behaviour still identify Tomcat, so this is a complement to patching, not a substitute.
References: EC-Council CASE Java materials on secure deployment at the web container level; the Apache Tomcat HTTP Connector documentation for the server attribute.


NEW QUESTION # 27
In a certain website, a secure login feature is designed to prevent brute-force attack by implementing account lockout mechanism. The account will automatically be locked after five failed attempts. This feature will not allow the users to login to the website until their account is unlocked. However, there is a possibility that this security feature can be abused to perform __________ attack.

  • A. Unvalidated Redirects and Forwards
  • B. Denial-of-Service (DoS)
  • C. Failure to Restrict URL
  • D. Broken Authentication

Answer: B
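The abuse works because a permanent lock turns five deliberately wrong passwords into an outage for any account whose username the attacker knows. The following Java class is an added example, not code from the exam materials, of a lockout that keeps the five-failure threshold from the question but makes the lock expire on its own and answers the same way whether the account is locked or the password is merely wrong. The 15-minute durations are assumed policy values and the in-memory map stands in for per-account persistent state.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not from the exam materials: an account lockout designed so that
 * an attacker who deliberately fails logins for a victim's username causes only a
 * short, self-expiring outage instead of a permanent lock. Thresholds and durations
 * are assumed policy values; storage is in-memory for the demo.
 */
public final class LockoutPolicy {

    private static final int MAX_FAILURES = 5;                           // as in the question
    private static final Duration LOCK_FOR = Duration.ofMinutes(15);      // temporary cool-down, not permanent
    private static final Duration COUNT_WINDOW = Duration.ofMinutes(15);  // failures older than this are forgotten

    private static final class State {
        int failures;
        Instant firstFailure;
        Instant lockedUntil;
    }

    private final Map<String, State> byAccount = new HashMap<>();
    private final Clock clock;

    public LockoutPolicy(Clock clock) {
        this.clock = clock;
    }

    /** True while the account is in its cool-down. Never reveal this to the client. */
    public synchronized boolean isLocked(String account) {
        State s = byAccount.get(account);
        return s != null && s.lockedUntil != null && clock.instant().isBefore(s.lockedUntil);
    }

    /** Records a failed attempt; returns true when this attempt started a lock. */
    public synchronized boolean recordFailure(String account) {
        Instant now = clock.instant();
        State s = byAccount.computeIfAbsent(account, k -> new State());
        if (s.firstFailure == null || Duration.between(s.firstFailure, now).compareTo(COUNT_WINDOW) > 0) {
            s.failures = 0;            // counting window expired: start afresh
            s.firstFailure = now;
        }
        s.failures++;
        if (s.failures >= MAX_FAILURES) {
            s.lockedUntil = now.plus(LOCK_FOR);
            s.failures = 0;
            s.firstFailure = null;
            return true;
        }
        return false;
    }

    /** A successful login clears the counter. */
    public synchronized void recordSuccess(String account) {
        byAccount.remove(account);
    }

    /**
     * Called by the authentication code after the password has been verified
     * (the caller always runs the full verification, locked or not, so timing is
     * the same). The result is a single yes/no: wording and timing do not tell an
     * attacker whether the lock, or even the username, exists.
     */
    public synchronized boolean attemptLogin(String account, boolean passwordCorrect) {
        boolean locked = isLocked(account);
        if (passwordCorrect && !locked) {
            recordSuccess(account);
            return true;
        }
        if (!passwordCorrect) {
            recordFailure(account);
        }
        return false;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");              // constructed demo time
        LockoutPolicy policy = new LockoutPolicy(Clock.fixed(t0, ZoneOffset.UTC));
        for (int i = 0; i < MAX_FAILURES; i++) {
            policy.attemptLogin("victim", false);                        // attacker: five wrong passwords
        }
        System.out.println("victim locked now: " + policy.isLocked("victim"));
        System.out.println("victim login with correct password: " + policy.attemptLogin("victim", true));

        // Sixteen minutes later (a second clock over the same state): the lock has expired by itself.
        LockoutPolicy later = new LockoutPolicy(Clock.offset(policy.clock, Duration.ofMinutes(16)));
        later.byAccount.putAll(policy.byAccount);
        System.out.println("victim locked later: " + later.isLocked("victim"));
    }
}
```

Run with the constructed clock above, the victim is locked after the fifth failure, the correct password is refused during the cool-down, and the lock is gone at the sixteen-minute mark without any administrator action. Pairing this with a per-source-IP rate limit and a CAPTCHA after a few failures keeps the lock from being the only brake on brute force.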


NEW QUESTION # 28
According to secure logging practices, programmers should ensure that logging processes are not disrupted by:

  • A. Throwing incorrect exceptions
  • B. Re-throwing incorrect exceptions
  • C. Multiple catching of incorrect exceptions
  • D. Catching incorrect exceptions

Answer: A

Explanation:
Logging is part of the application's evidence trail, so the logging code itself must not be the thing that fails when an error occurs. If a catch block throws (or re-throws) the wrong exception before, or instead of, writing the log entry, the original event is never recorded and what surfaces is a misleading secondary error; the same happens when the logging statement itself can throw, for example by dereferencing a null message. To keep the logging path robust:
* Log the exception object itself rather than a hand-assembled message, and write the entry before re-throwing or wrapping the exception.
* Catch specific exception types and handle them where they can actually be dealt with; a blanket catch that swallows or re-throws an unrelated type hides the real fault from the log.
* Do not log sensitive data such as credentials, session identifiers or full card numbers, and sanitize attacker-controlled input that ends up in a log line so that it cannot inject fake entries (CRLF log injection).
* Use log levels consistently (DEBUG, INFO, WARN, ERROR) so monitoring can alert on the events that matter without being drowned in noise.
References: EC-Council CASE Java materials on secure logging practices throughout the SDLC; general Java logging best practices.


NEW QUESTION # 29
Which of the following method will you use in place of ex.printStackTrace() method to avoid printing stack trace on error?

  • A. ex.StackTrace.getError();
  • B. ex.getMessage();
  • C. ex.message();
  • D. ex.getError();

Answer: B

Explanation:
ex.printStackTrace() writes the full stack trace to the standard error stream (or, in a JSP, wherever the developer redirected it). Traces reveal class names, framework versions, file paths and sometimes query text or user data, so they must never reach a user, and writing them to the console bypasses the log configuration that controls where, for how long and with what access rights error information is kept. The intended answer is ex.getMessage(): it returns only the detail message, which can then be handed to a logging framework such as Log4j or SLF4J. Options A, C and D are not methods of Throwable.
A corrected form of the snippet (OrderService is an assumed name for the enclosing class):

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

private static final Logger logger = LoggerFactory.getLogger(OrderService.class);

try {
    // risky operations that might throw an exception
} catch (Exception ex) {
    logger.error(ex.getMessage());
}

Two caveats a practitioner should keep in mind. First, logging only the message discards the stack trace that you will want during incident analysis; logging frameworks accept the exception object as the last argument of error(), which records the trace in the protected log file while the HTTP response still carries nothing but a generic message and, ideally, a correlation identifier. Second, getMessage() itself can contain sensitive data (a JDBC driver's message often includes the failing SQL statement), so it belongs in the log, not in the page returned to the client.
References: EC-Council CASE Java materials on exception handling and logging; SLF4J and Log4j documentation on logging exceptions.


NEW QUESTION # 30
The software developer has implemented encryption in the code as shown in the following screenshot.

However, using the DES algorithm for encryption is considered to be an insecure coding practice as DES is a weak encryption algorithm. Which of the following symmetric encryption algorithms will you suggest for strong encryption?

  • A. MD5
  • B. Triple DES
  • C. AES
  • D. SHA-1

Answer: C

Explanation:
DES uses a 56-bit key, which has been brute-forced in practice since the late 1990s, and a 64-bit block, which makes large volumes of data encrypted under one key vulnerable to birthday-bound attacks. AES is the symmetric replacement: a 128-bit block with 128-, 192- or 256-bit keys, standardized by NIST in FIPS 197, and the only correct answer here. Triple DES (option B) stretches DES's effective key length but keeps the 64-bit block and is deprecated by NIST (SP 800-131A disallows it for encryption after 2023). MD5 and SHA-1 (options A and D) are hash functions, not encryption algorithms, and both are broken for collision resistance. AES is approved by the U.S. government for classified data, and its security rests on there being no known attack materially better than brute force against the full cipher.
Choosing AES is not enough on its own in Java: the mode of operation matters too. AES in ECB mode leaks patterns in the plaintext, and CBC without a MAC is open to padding-oracle attacks; prefer an authenticated mode such as GCM with a unique nonce per message, generate keys with SecureRandom or take them from a keystore rather than deriving them from a hard-coded string, and never reuse a nonce with the same key.
References: EC-Council CASE Java modules on cryptography and Cipher class implementation; NIST FIPS 197 (AES) and NIST SP 800-131A (algorithm transitions).


NEW QUESTION # 31
Jacob, a Security Engineer on the testing team, was inspecting the source code to find security vulnerabilities.
Which type of security assessment activity is Jacob currently performing?

  • A. CAST
  • B. CAST
  • C. SAST
  • D. ISCST

Answer: C


NEW QUESTION # 32
Oliver is a web server admin and wants to configure the Tomcat server in such a way that it should not serve index pages in the absence of welcome files. Which of the following settings in CATALINA_HOME/conf/web.xml will solve his problem?

  • A. < servlet > < servlet-name > default < /servlet-name > < servlet-class > org.apache.catalina.servlets.DefaultServlet < /servlet-class > < init-param > < param-name > debug <
    /param-name > < param-value > 0 < /param-value > < /init-param > < init-param > < param-name > listings < /param-name > < param-value > disable < /param-value> < /init-param > < load-on-startup > 1
    < /load-on-startup> < /servlet >
  • B. < servlet > < servlet-name > default < /servlet-name > < servlet-class > org.apache.catalina.servlets.DefaultServlet < /servlet-class > < init-param > < param-name > debug <
    /param-name>< param-value> 0 < /param value>< /init-param > < init-param > < param-name> listings
    < /param-name > < param-value > enable < /param-value > < /init-param > < load-on-startup> 1 <
    /load-on-startup > < /servlet >
  • C. < servlet > < servlet-name > default < servlet-name > < servlet-class > org.apache.catalina.servlets.DefaultServlet < /servlet-class > < init-param > < param-name > debug <
    /param-name> < param-value > 0 < /param-value > < /init-param > < init-param > < param-name > listings < /param-name > < param-value > true < /param-value > < /init-param > < load-on-startup > l <
    /load-on-startup > < /servlet >
  • D. < servlet > < servlet-name > default < /servlet-name > < servlet-class > org.apache.catalina.servlets.DefaultServlet < /servlet-class > < init-param > < param-name > debug <
    /param-name > < param-value > 0 < /param-value > < /init-param > < init-param > < param-name > listings < /param-name > < param-value > false < /param-value > < /init-param > < load-on-startup > 1
    < /load-on-startup > < servlet >

Answer: D

Explanation:
The DefaultServlet serves static content and handles requests that map to a directory. For a directory it first looks for a welcome file (index.html, index.htm and index.jsp by default, listed under welcome-file-list in conf/web.xml). If none exists and the listings init-param is true, it generates an HTML index of the directory, exposing every file in it, including backups, configuration and source that were never meant to be browsed. With listings set to false (option D) the request gets a 404 instead. Tomcat parses the value as a boolean, so only the literal true turns listings on; enable and disable (options A and B) are not documented values, and option C explicitly enables the listing. listings=false has been Tomcat's shipped default for many years, so the practical task is to confirm that nobody has flipped it, either in CATALINA_HOME/conf/web.xml or in an application's own WEB-INF/web.xml, where a redefinition of the default servlet overrides the global one.
Here's the breakdown of the configuration:
* <servlet-name>default</servlet-name>: the name under which Tomcat's global web.xml registers the DefaultServlet.
* <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>: the servlet class being configured.
* <init-param>: an initialization parameter for the servlet.
* <param-name>listings</param-name>: controls whether a directory listing is generated when no welcome file is found.
* <param-value>false</param-value>: disables directory listings.
* <load-on-startup>1</load-on-startup>: load the servlet when the container starts.
The correct configuration to solve Oliver's problem is:

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

After restarting, request a directory that has no welcome file (for example an images directory) and confirm the response is 404 rather than a file list.
References: the Apache Tomcat documentation for the DefaultServlet init-params and the welcome-file-list element; EC-Council CASE Java materials on security practices at the web container level.


NEW QUESTION # 33
A US-based ecommerce company has developed their website www.ec-sell.com to sell their products online. The website has a feature that allows their customers to search products based on the price. Recently, a bug bounty hunter discovered a security flaw in the Search page of the website, where he could see all products from the database table when he altered the website URL http://www.ec-sell.com/products.jsp?val=100 to http://www.ec-sell.com/products.jsp?val=200 OR '1'='1 -. The products.jsp page is vulnerable to

  • A. Cross Site Request Forgery attack
  • B. Session Hijacking attack
  • C. Brute force attack
  • D. SQL Injection attack

Answer: D
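The page does not show the JSP behind products.jsp, so the following is an added example, not the site's code, of the query shape that produces this symptom and its fix: the request parameter concatenated into the SQL text, next to a version that validates the parameter as an integer and binds it with a PreparedStatement. It assumes an H2 in-memory database on the classpath; the products table and its rows are constructed sample data, and the payload is the bug hunter's with the closing quote restored.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not from the exam materials: the injectable query behind a
 * products.jsp?val=... price search beside the parameterised version.
 * Assumes the H2 JDBC driver on the classpath; table and rows are constructed.
 */
public final class ProductSearch {

    private ProductSearch() {}

    /** VULNERABLE: the request parameter becomes part of the SQL text. */
    public static List<String> findByPriceUnsafe(Connection c, String val) throws SQLException {
        String sql = "SELECT name FROM products WHERE price <= " + val;
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    /** FIXED: validate the type first, then bind the value; it can never become SQL syntax. */
    public static List<String> findByPriceSafe(Connection c, String val) throws SQLException {
        int maxPrice;
        try {
            maxPrice = Integer.parseInt(val.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("val must be an integer");
        }
        if (maxPrice < 0) {
            throw new IllegalArgumentException("val must be non-negative");
        }
        try (PreparedStatement ps = c.prepareStatement("SELECT name FROM products WHERE price <= ?")) {
            ps.setInt(1, maxPrice);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) {
            names.add(rs.getString(1));
        }
        return names;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:shop")) {
            try (Statement st = c.createStatement()) {
                // constructed sample data
                st.execute("CREATE TABLE products(name VARCHAR(40), price INT)");
                st.execute("INSERT INTO products VALUES ('cheap', 50), ('mid', 150), ('pricey', 900)");
            }
            String payload = "200 OR '1'='1'";   // the bug hunter's input
            System.out.println("unsafe: " + findByPriceUnsafe(c, payload));
            try {
                findByPriceSafe(c, payload);
            } catch (IllegalArgumentException e) {
                System.out.println("safe:   rejected (" + e.getMessage() + ")");
            }
            System.out.println("safe:   " + findByPriceSafe(c, "200"));
        }
    }
}
```

With the payload, the unsafe method's WHERE clause reads price <= 200 OR '1'='1' and every row comes back, exactly the symptom from the question; the safe method rejects the same input before it reaches the database and, for a legitimate value of 200, returns only the two products at or below that price. Validation alone is not the fix (a numeric field was easy here; a free-text field is not), binding is.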


NEW QUESTION # 34
Which of the following Spring Security Framework configuration setting will ensure the protection from session fixation attacks by not allowing authenticated user to login again?

  • A. session-fixation-protection =".
  • B. session-fixation-protection ="enabled"
  • C. session-fixation-protection ="newSessionlD"
  • D. session-fixation-protection =".

Answer: A

Explanation:
Session fixation is the attack in which the adversary gets a session identifier of their choosing into the victim's browser (for example through a crafted link or a planted cookie), waits for the victim to log in, and then uses the same identifier as the now-authenticated session. Spring Security defeats it by changing the identifier at the moment of authentication. In the XML namespace this is the session-fixation-protection attribute of the session-management element, which accepts four values: none (protection off), newSession (a brand-new session; attributes set before login are not copied), migrateSession (a new session with the old attributes copied across) and changeSessionId (the same session object with a new identifier, using the Servlet 3.1 HttpServletRequest.changeSessionId() method). The default is changeSessionId on a Servlet 3.1 or later container and migrateSession on older ones; newSession is the strictest because nothing from the pre-authentication session survives. The values enabled (option B) and newSessionID (option C) are not recognized by the framework.
The same setting in Java configuration:

http.sessionManagement(session -> session
        .sessionFixation().migrateSession());

With this in place the identifier issued before login is invalidated when the user authenticates, so an attacker-supplied identifier never becomes an authenticated session. Confirm it in a browser or intercepting proxy: the Set-Cookie for JSESSIONID on the login response must differ from the value sent with the login request.
References: the Spring Security reference documentation on session management and session fixation protection; EC-Council CASE Java materials on authentication in the Spring Security framework.


NEW QUESTION # 35
Which of the following state management method works only for a sequence of dynamically generated forms?

  • A. Cookies
  • B. Hidden Field
  • C. Sessions
  • D. URL-rewriting

Answer: B

Explanation:
Hidden fields are form inputs that are not rendered but are submitted with the form, so state written into them by one dynamically generated page is carried forward only when the next form in the sequence is posted. That is why they suit a multi-step wizard and nothing else: the state is bound to the form submission, whereas cookies, URL rewriting and server-side sessions carry state across arbitrary pages and requests. The security caveat is that a hidden field lives in the client's HTML and is trivially editable in the browser's developer tools or an intercepting proxy, so every value read back must be re-validated exactly like any other request parameter; anything the user must not be able to change (a price, a user identifier, which steps have been completed) belongs in the server-side session or must carry a server-generated HMAC that is checked on submission. Hidden fields are also visible in the page source, so they must never hold secrets.
References: EC-Council CASE Java materials on state management techniques and their appropriate use within secure application development.


NEW QUESTION # 36
Which of the following relationships is used to describe a security use case scenario?

  • A. Include Relationship
  • B. Threatens Relationship
  • C. Extend Relationship
  • D. Mitigates Relationship

Answer: C


NEW QUESTION # 38
Stephen is a web developer in the InterCall Systems. He was working on a Real Estate website for one of his clients. He was given a task to design a web page with properties search feature. He designed the following searchpage.jsp
<form id="form1" method="post" action="SearchProperty.jsp">
<input type="text" id="txt_Search" name="txt_Search" placeholder="Search Property..." />
<input type="submit" id="Btn_Search" value="Search" />
</form>
However, when the application went to security testing phase, the security tester found an XSS vulnerability on this page. How can he mitigate the XSS vulnerability on this page?

  • A. He should write code like out.write("You Searched for:" + ESAPI.encoder().encodeForHTML(search));
  • B. He should write code like out.write("You Searched for:" + request.getParameter("search").toString());
  • C. He should write code like out.write("You Searched for:" + request.getParameter("txt_Search"));
  • D. He should write code like out.write("You Searched for:" + search);

Answer: A
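Options B, C and D all write the raw parameter into the page, which is the bug the tester found. The following is an added example, not Stephen's code, of the SearchProperty.jsp target written as a servlet that applies the encoding from option A. It assumes the javax.servlet API (Tomcat 9 or earlier), the OWASP ESAPI library with its ESAPI.properties on the classpath, a /SearchProperty mapping in place of the JSP, and a 100-character limit on the search term as an assumed business rule.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;

/**
 * Added example, not from the exam materials: the target of the search form with
 * the echoed term encoded for the HTML body context. Assumes javax.servlet
 * (Tomcat 9 or earlier) and OWASP ESAPI plus its ESAPI.properties on the classpath.
 */
@WebServlet("/SearchProperty")
public class SearchPropertyServlet extends HttpServlet {

    private static final int MAX_SEARCH_LEN = 100;   // assumed business limit

    /**
     * Builds the echo line. The vulnerable form was "You Searched for:" + rawSearch;
     * encoding turns <script> into &lt;script&gt; so the browser renders it as text.
     */
    static String searchedForHtml(String rawSearch) {
        return "You Searched for: " + ESAPI.encoder().encodeForHTML(rawSearch);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String search = req.getParameter("txt_Search");
        // Input validation first: reject what the feature never needs.
        if (search == null || search.isEmpty() || search.length() > MAX_SEARCH_LEN) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid search term");
            return;
        }
        // Declare the charset so the browser cannot be steered into a different encoding.
        resp.setContentType("text/html; charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            out.write("<!DOCTYPE html><html><body><p>");
            out.write(searchedForHtml(search));       // output encoding at the point of writing
            out.write("</p></body></html>");
        }
    }
}
```

encodeForHTML is correct only for text placed in the HTML body. If the same term is written into an attribute value, a JavaScript string or a URL, use encodeForHTMLAttribute, encodeForJavaScript or encodeForURL respectively; a single encoder applied everywhere is the most common way this fix goes wrong. A Content-Security-Policy header that forbids inline scripts is a worthwhile second layer but does not replace the encoding.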


NEW QUESTION # 39
The developer wants to remove the HttpSession object and its values from the client's system.
Which of the following methods should he use for the above purpose?

  • A. invalidate()
  • B. sessionInvalidate()
  • C. Invalidate(session JSESSIONID)
  • D. isValidate()

Answer: A

Explanation:
The session lives on the server; what the client holds is only the session identifier, normally in the JSESSIONID cookie. Calling invalidate() on the HttpSession marks the server-side session as dead: its attributes are unbound (HttpSessionBindingListener and attribute listeners are notified) and the identifier is no longer accepted, so a request that still carries the old cookie gets a new, empty session if one is created. Option C is not a real method, and there is no sessionInvalidate() or isValidate() on HttpSession.
The sequence is:
* Obtain the session with request.getSession(false) so that no session is created just to be destroyed; a null result means there is nothing to invalidate.
* Call invalidate() on it; calling any other method on that session afterwards throws IllegalStateException.
* The server drops the session; subsequent requests presenting the old identifier are not associated with it.
* Objects bound to the session are released and become eligible for garbage collection.
* Because invalidate() does nothing on the client, also send a Set-Cookie that expires JSESSIONID, and on login call changeSessionId() so a pre-authentication identifier is never reused (session fixation).
References: EC-Council CASE Java guidance on secure session management; the Servlet API documentation for HttpSession.


NEW QUESTION # 40
To handle exceptions globally, a developer should use the _________ annotation on a class together with the @ExceptionHandler method annotation.

  • A. @Advice
  • B. @ControllerAdvice
  • C. @globalControllerAdvice
  • D. @GlobalAdvice

Answer: B

Explanation:
@ControllerAdvice marks a class whose @ExceptionHandler (and @InitBinder and @ModelAttribute) methods apply to every @Controller in the application rather than to one controller, which is what makes the exception handling global. @RestControllerAdvice is the same annotation with @ResponseBody applied to the handler methods. The options @Advice, @globalControllerAdvice and @GlobalAdvice do not exist in Spring.
Here's how it works:
* Each @ExceptionHandler method declares the exception types it handles, either in the annotation or through its parameter type.
* When a controller method throws, Spring's ExceptionHandlerExceptionResolver first looks for an @ExceptionHandler in the throwing controller, then in the @ControllerAdvice beans; among the matching methods the one whose declared type is closest to the thrown exception wins.
* The matching method builds the response, which is where the security work happens: log the full exception server-side, return a generic message and a correlation identifier to the client, and never echo the exception text or a stack trace.
References: the Spring Framework reference documentation on @ControllerAdvice and @ExceptionHandler; EC-Council CASE Java materials on Spring MVC error handling.
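The following class is an added example, not code from the exam materials, that ties this question to Question 29: a single @ControllerAdvice that records the complete stack trace in the server log (the replacement for ex.printStackTrace()) while the client receives only a generic message and a correlation identifier. It assumes a Spring MVC application with spring-web and SLF4J on the classpath; the handler for IllegalArgumentException assumes the application uses that exception for its own validation messages.

```java
import java.util.Map;
import java.util.UUID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;

/**
 * Added example, not from the exam materials: global exception handling that keeps
 * stack traces in the log and out of the HTTP response. Assumes Spring MVC with
 * spring-web and SLF4J on the classpath.
 */
@ControllerAdvice
public class GlobalExceptionHandler {

    private static final Logger log = LoggerFactory.getLogger(GlobalExceptionHandler.class);

    /** Body sent to the client: a generic message plus a reference the user can quote to support. */
    static Map<String, String> body(String message, String ref) {
        return Map.of("message", message, "ref", ref);
    }

    /** Validation failures raised by our own code: the message is ours, so it may be shown. */
    @ExceptionHandler(IllegalArgumentException.class)
    public ResponseEntity<Map<String, String>> badInput(IllegalArgumentException ex) {
        log.info("rejected request: {}", ex.getMessage());
        return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(body(ex.getMessage(), "-"));
    }

    /** Catch-all for anything unexpected. Spring picks the most specific handler, so this runs last. */
    @ExceptionHandler(Exception.class)
    public ResponseEntity<Map<String, String>> unexpected(Exception ex) {
        String ref = UUID.randomUUID().toString();
        // Passing the exception as the final argument makes SLF4J write the full stack
        // trace to the log file; the response below carries neither it nor ex.getMessage().
        log.error("unhandled exception ref={}", ref, ex);
        return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
                .body(body("internal error", ref));
    }
}
```

Returning ResponseEntity from an @ExceptionHandler writes the body directly, so @ResponseBody is not needed on a plain @ControllerAdvice. The correlation identifier is what lets a support engineer find the logged trace without any of it having crossed the wire; searching the access log and application log for the same ref is the usual first step of an incident timeline.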


NEW QUESTION # 41
Which of the following configuration settings in server.xml will allow Tomcat server administrator to impose limit on uploading file based on their size?

  • A. < connector... maxPostSize="0"/>
  • B. < connector... maxPostSize="file size" / >
  • C. < connector... maxFileSize="file size" / >
  • D. < connector... maxFileLimit="file size" / >

Answer: B

Explanation:
The maxPostSize attribute on a Connector element in server.xml is the maximum size in bytes of a POST body that Tomcat will parse for form parameters (application/x-www-form-urlencoded). A request whose body exceeds it has its parameters dropped, and the FailedRequestFilter can be configured to reject such requests outright. The default is 2 MB (2097152 bytes). A negative value disables the limit, and older releases also treated 0 as unlimited, so option A removes the protection rather than adding it. maxFileSize and maxFileLimit (options C and D) are not Connector attributes. Note the scope: maxPostSize does not cap multipart/form-data bodies, which is what a file upload normally is; those are limited per servlet through the @MultipartConfig annotation (maxFileSize, maxRequestSize) or the multipart-config element in web.xml, and a reverse proxy or WAF in front of Tomcat should enforce an overall request size as well.
References: the Apache Tomcat HTTP Connector documentation (maxPostSize, FailedRequestFilter); the Servlet specification on @MultipartConfig; EC-Council CASE Java materials on security practices at the web container level.
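Because maxPostSize leaves multipart uploads alone, the servlet receiving the file has to carry its own limits. The following is an added example, not from the exam materials, of an upload servlet with per-part and per-request caps, a 413 response when they are exceeded, and a server-chosen file name so the client's name never becomes a path. It assumes the javax.servlet 3.x API; the 5 MiB and 6 MiB limits and the /var/app/uploads directory are assumed policy values.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.UUID;
import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

/**
 * Added example, not from the exam materials: size limits for multipart uploads,
 * which the Connector's maxPostSize does not cover. Assumes the javax.servlet 3.x
 * API; the limits and the upload directory are assumed policy values.
 */
@WebServlet("/upload")
@MultipartConfig(
        fileSizeThreshold = 64 * 1024,       // keep parts up to 64 KiB in memory, spool larger ones to disk
        maxFileSize = 5L * 1024 * 1024,      // 5 MiB per part
        maxRequestSize = 6L * 1024 * 1024    // 6 MiB for the whole multipart body
)
public class UploadServlet extends HttpServlet {

    // Outside the web root, so an uploaded .jsp can never be served or executed.
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Part file;
        try {
            // Parsing the parts enforces the limits above; the container throws when one is exceeded.
            file = req.getPart("file");
        } catch (IllegalStateException tooLarge) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "upload too large");
            return;
        }
        if (file == null || file.getSize() == 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing file");
            return;
        }
        // Never build the path from the client's file name; generate our own.
        Path target = UPLOAD_DIR.resolve(UUID.randomUUID().toString()).normalize();
        try (InputStream in = file.getInputStream()) {
            Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
        } finally {
            file.delete();   // remove the temporary file the container spooled to disk
        }
        resp.setStatus(HttpServletResponse.SC_CREATED);
    }
}
```

Test it with a 7 MiB file and confirm a 413 comes back before any bytes reach the upload directory; then check that the same request is also refused by whatever sits in front of Tomcat, so the limit is enforced before the connection is even handed to the application.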


NEW QUESTION # 42
Identify what should NOT be caught while handling exceptions.

  • A. IllegalAccessException
  • B. NullPointerException
  • C. EOFException
  • D. SecurityException

Answer: D


NEW QUESTION # 44
Thomas is not skilled in secure coding. He neither underwent secure coding training nor is aware of the consequences of insecure coding. One day, he wrote code as shown in the following screenshot. He passed 'false' parameter to setHttpOnly() method that may result in the existence of a certain type of vulnerability. Identify the attack that could exploit the vulnerability in the above case.

  • A. Directory Traversal Attack
  • B. Denial-of-Service attack
  • C. Client-Side Scripts Attack
  • D. SQL Injection Attack

Answer: C
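With HttpOnly off, a script injected through any XSS bug can read document.cookie and send the session identifier to the attacker, which is the client-side script attack the question points at. The following is an added example, not code from the exam materials, that serves both this question and Question 39: session-cookie flags set once for the whole application, a login helper that issues a fresh identifier, and a logout servlet that invalidates the server-side session and expires the cookie in the browser as well. It assumes the javax.servlet 3.1 API (Tomcat 8.5 or 9); the 15-minute idle timeout and the /login redirect are assumed.

```java
import java.io.IOException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not from the exam materials: session-cookie hardening (Q44) and
 * a complete logout (Q39). Assumes the javax.servlet 3.1 API; the idle timeout and
 * the /login path are assumed policy values.
 */
public final class SessionHardening {

    private SessionHardening() {}

    /** Applies to the JSESSIONID cookie for the whole application, set once at startup. */
    @WebListener
    public static final class CookieFlags implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent e) {
            SessionCookieConfig cfg = e.getServletContext().getSessionCookieConfig();
            cfg.setHttpOnly(true);   // setHttpOnly(false) is the bug in the question: script could read it
            cfg.setSecure(true);     // never send the identifier over plaintext HTTP
            cfg.setMaxAge(-1);       // browser-session cookie, discarded when the browser closes
        }

        @Override
        public void contextDestroyed(ServletContextEvent e) {}
    }

    /** Called after the credentials have been verified (omitted): bind the user to a fresh identifier. */
    static HttpSession establishSession(HttpServletRequest req, String username) {
        HttpSession session = req.getSession(true);
        req.changeSessionId();                     // Servlet 3.1: defeats session fixation
        session.setAttribute("user", username);
        session.setMaxInactiveInterval(15 * 60);   // idle timeout in seconds (assumed policy)
        return session;
    }

    @WebServlet("/logout")
    public static final class LogoutServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            HttpSession session = req.getSession(false);   // do not create one just to destroy it
            if (session != null) {
                session.invalidate();   // server side: attributes unbound, identifier no longer accepted
            }
            // invalidate() does not touch the browser: expire the cookie explicitly as well.
            Cookie dead = new Cookie("JSESSIONID", "");
            dead.setMaxAge(0);
            dead.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
            dead.setHttpOnly(true);
            dead.setSecure(true);
            resp.addCookie(dead);
            resp.sendRedirect(req.getContextPath() + "/login");
        }
    }
}
```

Logout is a POST so that a cross-site GET cannot log a user out, and getSession(false) avoids creating a throwaway session for anonymous visitors. Verify the flags in the browser's storage inspector or by reading the Set-Cookie header on the login response: it must carry HttpOnly and Secure, and the logout response must carry a JSESSIONID with Max-Age=0.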


NEW QUESTION # 45
Which of the following configurations can help you avoid displaying server names in server response header?

  • A. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" ServerName=" disable" redirectPort="8443" / >
  • B. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" Server = " " redirectPort="8443" / >
  • C. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort= "8443" / >
  • D. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" ServerName ="null " redirectPort="8443'' / >

Answer: B


NEW QUESTION # 46
Ted is an application security engineer who ensures application security activities are being followed during the entire lifecycle of the project. One day, he was analyzing various interactions of users depicted in the use cases of the project under inception. Based on the use case in hand, he started depicting the scenarios where attacker could misuse the application. Can you identify the activity on which Ted is working?

  • A. Ted was depicting abuse cases
  • B. Ted was depicting abstract use cases
  • C. Ted was depicting lower-level use cases
  • D. Ted was depicting security use cases

Answer: A

