312-96 Dumps By Pros - 1st Attempt Guaranteed Success
EC-Council 312-96 Exam Syllabus Topics:
| Topic | Details | Weights |
|---|---|---|
| Secure Coding Practices for Cryptography | - Understand fundamental concepts and the need for cryptography in Java - Explain encryption and secret keys - Demonstrate the knowledge of Cipher class implementation - Demonstrate the knowledge of digital signatures and their implementation - Demonstrate the knowledge of Secure Socket Layer (SSL) and its implementation - Explain secure key management - Demonstrate the knowledge of digital certificates and their implementation - Demonstrate the knowledge of hash implementation - Explain Java Card cryptography - Explain the Crypto module in Spring Security - Demonstrate the understanding of Do's and Don'ts in Java cryptography | 6% |
| Security Requirements Gathering | -Understand the importance of gathering security requirements -Explain Security Requirement Engineering (SRE) and its phases -Demonstrate the understanding of Abuse Cases and Abuse Case Modeling - Demonstrate the understanding of Security Use Cases and Security Use Case Modeling -Demonstrate the understanding of Abuser and Security Stories -Explain Security Quality Requirements Engineering (SQUARE) Model -Explain Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Model | 8% |
| Secure Coding Practices for Session Management | - Explain session management in Java -Demonstrate the knowledge of session management in Spring framework -Demonstrate the knowledge of session vulnerabilities and their mitigation techniques -Demonstrate the knowledge of best practices and guidelines for secure session management | 10% |
| Static and Dynamic Application Security Testing (SAST & DAST) | - Understand Static Application Security Testing (SAST) - Demonstrate the knowledge of manual secure code review techniques for the most common vulnerabilities - Explain Dynamic Application Security Testing (DAST) - Demonstrate the knowledge of automated application vulnerability scanning tools for DAST - Demonstrate the knowledge of proxy-based security testing tools for DAST | 8% |
NEW QUESTION # 21
Which of the following configurations can help you avoid disclosing the server name in the Server response header?
- A. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" Server = " " redirectPort="8443" / >
- B. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" ServerName ="null " redirectPort="8443'' / >
- C. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort= "8443" / >
- D. < Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" ServerName=" disable" redirectPort="8443" / >
Answer: D
Explanation:
In the Apache Tomcat documentation the HTTP connector attribute that controls this header is server, for example <Connector port="8080" protocol="HTTP/1.1" server=" " redirectPort="8443" />. Its value replaces whatever Server header the application sets; from Tomcat 8.5 onward, if it is not set and the application sets nothing, no Server header is sent at all. Tomcat has no ServerName connector attribute, so treat option D as the exam's wording rather than a working setting, and verify the live configuration with curl -sI against the server and look for a Server: line in the response.
NEW QUESTION # 22
Which of the risk assessment model is used to rate the threats-based risk to the application during threat modeling process?
- A. RED
- B. SMART
- C. STRIDE
- D. DREAD
Answer: D
Explanation:
DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability) is the rating model: each identified threat is scored on the five factors to rank its risk. STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) is the classification model asked about in Question 24; it is used to find and categorize threats, not to rate them.
NEW QUESTION # 23
Oliver, a Server Administrator (Tomcat), has set configuration in web.xml file as shown in the following screenshot. What is he trying to achieve?
- A. He wants to transfer only response parameter data over encrypted channel
- B. He wants to transfer the entire data over encrypted channel
- C. He wants to transfer only request parameter data over encrypted channel
- D. He wants to transfer only Session cookies over encrypted channel
Answer: B
Explanation:
The web.xml setting behind this answer is a <user-data-constraint> whose <transport-guarantee> is CONFIDENTIAL. It applies to the whole exchange for the matched URL patterns, request and response alike, not only to request parameters, response data or the session cookie; Tomcat redirects plain-HTTP requests for those URLs to the connector's redirectPort.
NEW QUESTION # 24
Which of the threat classification model is used to classify threats during threat modeling process?
- A. RED
- B. SMART
- C. STRIDE
- D. DREAD
Answer: C
NEW QUESTION # 25
To handle exceptions globally, a developer should use the _________ class-level annotation along with the @ExceptionHandler method annotation.
- A. @globalControllerAdvice
- B. @Advice
- C. @GlobalAdvice
- D. @ControllerAdvice
Answer: D
NEW QUESTION # 26
Ted is an application security engineer who ensures application security activities are being followed during the entire lifecycle of the project. One day, he was analyzing various interactions of users depicted in the use cases of the project under inception. Based on the use case in hand, he started depicting the scenarios where attacker could misuse the application. Can you identify the activity on which Ted is working?
- A. Ted was depicting abuse cases
- B. Ted was depicting lower-level use cases
- C. Ted was depicting abstract use cases
- D. Ted was depicting security use cases
Answer: A
Explanation:
Ted is engaged in the activity of depicting abuse cases. Abuse cases are a form of negative use cases that describe how an application can be misused or attacked. They are used to identify potential security vulnerabilities and to design countermeasures that can prevent or mitigate these attacks. By analyzing the interactions of users as depicted in the use cases, Ted is able to envision scenarios where an attacker could exploit the application, which is essential for strengthening the application's security posture.
References: EC-Council Certified Application Security Engineer (CASE) Java course material and study guides on security requirements gathering, which cover abuse cases and abuse-case modeling.
NEW QUESTION # 27
Which of the following is used to mapCustom Exceptions to Statuscode?
- A. @ResponseStatusCode
- B. @ScacusCode
- C. @ResponseStatus
- D. @ResponseCode
Answer: C
Explanation:
In Spring MVC, the @ResponseStatus annotation is used to map custom exceptions to specific HTTP status codes. When an exception is thrown, you can use this annotation to indicate which status code should be returned. For example, if you have a custom exception that represents a resource not found scenario, you can annotate it with @ResponseStatus and specify HttpStatus.NOT_FOUND as the status code. This will result in a 404 status code being returned when the exception is thrown.
References: The use of @ResponseStatus is covered in the EC-Council Certified Application Security Engineer (CASE) Java training and certification program, which emphasizes secure application development practices across the Software Development Lifecycle (SDLC). The annotation is also widely documented in Spring MVC resources and tutorials, such as those available on Baeldung and Stack Overflow.
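As an added example (not code from the dump or from EC-Council's course), the two annotations from Questions 25 and 27 working together in a Spring MVC application. The ProductNotFoundException, ProductController and the /products/{id} route are hypothetical; the Spring annotations and the ResponseEntity API are real.

```java
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

// Question 27: the exception carries its own HTTP status. Throwing it from
// any controller produces a 404 even if no @ExceptionHandler intercepts it.
@ResponseStatus(HttpStatus.NOT_FOUND)
class ProductNotFoundException extends RuntimeException {
    ProductNotFoundException(String id) {
        super("product " + id + " not found");
    }
}

// Question 25: @ControllerAdvice makes these @ExceptionHandler methods apply
// to every controller in the application, not just one controller class.
@ControllerAdvice
class GlobalExceptionHandler {
    private static final Logger LOG = Logger.getLogger(GlobalExceptionHandler.class.getName());

    // Explicit handler for the mapped exception so the response body is
    // controlled here instead of by the container's default error page.
    // The id is user input; Spring serializes the map as JSON, which escapes it.
    @ExceptionHandler(ProductNotFoundException.class)
    public ResponseEntity<Map<String, String>> notFound(ProductNotFoundException ex) {
        return ResponseEntity.status(HttpStatus.NOT_FOUND)
                .body(Map.of("error", ex.getMessage()));
    }

    // Catch-all: log the real cause server-side and return a generic 500.
    // The exception message and stack trace never reach the client.
    @ExceptionHandler(Exception.class)
    public ResponseEntity<Map<String, String>> unexpected(Exception ex) {
        LOG.log(Level.SEVERE, "unhandled exception", ex);
        return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
                .body(Map.of("error", "internal error"));
    }
}

// Hypothetical controller used to exercise the handlers above.
@RestController
class ProductController {
    @GetMapping("/products/{id}")
    public Map<String, String> product(@PathVariable String id) {
        if (!"42".equals(id)) {
            throw new ProductNotFoundException(id);   // handled by the advice above
        }
        return Map.of("id", id, "name", "example product");
    }
}
```

With this in place, a request for any id other than 42 is answered with a 404 and a short JSON body, and any other failure with a fixed 500 body; the @ResponseStatus on the exception class is what Question 27 asks for, and the @ControllerAdvice class holding the @ExceptionHandler methods is what Question 25 asks for.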
NEW QUESTION # 28
Alice, a security engineer, was performing security testing on the application. She found that users can view the website structure and file names. As per standard security practice this poses a serious risk, because attackers can locate hidden script files in the web directory. Which of the following will mitigate this risk?
- A. <init-param> <param-name>directory-listings</param-name> <param-value>true</param-value> </init-param>
- B. <init-param> <param-name>listings</param-name> <param-value>true</param-value> </init-param>
- C. <init-param> <param-name>listings</param-name> <param-value>false</param-value> </init-param>
- D. <init-param> <param-name>directory-listings</param-name> <param-value>false</param-value> </init-param>
Answer: C
Explanation:
Directory listing in Tomcat is controlled by the listings init-param of the DefaultServlet in CATALINA_HOME/conf/web.xml. There is no directory-listings parameter, so option D would simply be ignored and listings would stay at whatever the default is. Tomcat ships with listings set to false; the same question appears again as Question 40 with the options reordered.
NEW QUESTION # 29
Which of the following configuration settings in server.xml will allow a Tomcat server administrator to impose a size limit on uploaded data?
- A. <Connector ... maxFileLimit="file size" />
- B. <Connector ... maxPostSize="0" />
- C. <Connector ... maxPostSize="file size" />
- D. <Connector ... maxFileSize="file size" />
Answer: C
Explanation:
In Tomcat's server.xml the maxPostSize attribute of a <Connector> sets the maximum size in bytes of a POST body that the container will parse for FORM URL-encoded parameters; the default is 2097152 (2 MB). In Tomcat 7 a value less than or equal to 0 disables the limit, so option B removes the protection rather than adding it; from Tomcat 8.5 onward only a negative value disables it. Note that this attribute does not bound multipart/form-data file uploads: those are limited per servlet with <max-file-size> and <max-request-size> in the web.xml <multipart-config> element (or the @MultipartConfig annotation). When a request exceeds maxPostSize Tomcat drops the parameters and continues processing the request, so add the FailedRequestFilter if such requests should be rejected outright.
References: The EC-Council CASE Java course covers server configuration and security settings, including upload limits in Tomcat's server.xml; the Apache Tomcat HTTP Connector reference documents the maxPostSize attribute.
NEW QUESTION # 30
In a certain website, a secure login feature is designed to prevent brute-force attack by implementing account lockout mechanism. The account will automatically be locked after five failed attempts. This feature will not allow the users to login to the website until their account is unlocked. However, there is a possibility that this security feature can be abused to perform __________ attack.
- A. Broken Authentication
- B. Failure to Restrict URL
- C. Denial-of-Service (DoS)
- D. Unvalidated Redirects and Forwards
Answer: C
NEW QUESTION # 31
Alice, a Server Administrator (Tomcat), wants to ensure that Tomcat can be shut down only by the user who owns the Tomcat process. Select the appropriate setting in CATALINA_HOME/conf/server.xml that will enable her to do so.
- A. <Server port="-1" shutdown="*">
- B. <Server port="8080" shutdown="SHUTDOWN">
- C. <Server port="" shutdown="">
- D. <Server port="-1" shutdown="SHUTDOWN">
Answer: A
Explanation:
Setting port to -1 disables the shutdown listener entirely, so Tomcat can only be stopped by signalling its process, which only the process owner (or root) can do; once the port is -1 the value of the shutdown attribute no longer matters, so options A and D behave the same and the dump's key is A. Option B keeps the default command word on an open port: anything that can connect to that port and send the string SHUTDOWN stops the server. If the shutdown port must stay enabled, change the command word, keep it bound to 127.0.0.1 (the default address) and restrict the port with the host firewall.
NEW QUESTION # 32
Which of the following state management method works only for a sequence of dynamically generated forms?
- A. Sessions
- B. URL-rewriting
- C. Hidden Field
- D. Cookies
Answer: C
Explanation:
Hidden fields are the state management method that fits a sequence of dynamically generated forms. A hidden field is a form input that is not rendered to the user but whose value is posted back with the form, so each page in a multi-step form can carry forward the values collected so far. Unlike cookies and sessions, which are kept by the browser or the server and persist across pages, a hidden field exists only in the form that contains it and travels only with that form's submission. Because the client controls the value, hidden fields must be treated as untrusted input: validate them on every submission and never use them to carry prices, roles or other decisions the server should own.
References: EC-Council Certified Application Security Engineer (CASE) Java documentation and learning resources on state management techniques and their appropriate use in secure application development.
NEW QUESTION # 33
Which of the following authentication mechanisms does J2EE support?
- A. Windows, Form based. Role Based, Client/Server Mutual Authentication
- B. Http Basic, Form Based, Client/Server Mutual, Role Based Authentication
- C. Http Basic, Form Based, Client/Server Mutual, HTTP Digest Authentication
- D. Role Based, Http Basic, Windows, Http Digest Authentication
Answer: C
Explanation:
The Java Servlet specification (part of J2EE/Java EE) defines four values for <auth-method> in the <login-config> element of web.xml:
* BASIC: HTTP Basic authentication, the challenge-response mechanism built into HTTP; credentials are only Base64-encoded, so it must run over TLS.
* DIGEST: HTTP Digest authentication, which sends a hash of the credentials rather than the credentials themselves.
* FORM: form-based authentication, where the container presents a login page that posts j_username and j_password to j_security_check and then manages the session.
* CLIENT-CERT: HTTPS client certificate authentication, in which client and server authenticate each other during the TLS handshake (mutual TLS).
Role-based access control is authorization, not authentication: roles are declared with <security-role> and enforced with <auth-constraint> after the user has been authenticated by one of the mechanisms above. Options A, B and D each list it, or Windows authentication, as a J2EE authentication mechanism, which is why they are incorrect.
References:
* The official J2EE specification, which outlines the security model and supported authentication mechanisms.
* EC-Council's Application Security Engineer (CASE) JAVA courses and study guides that align with the J2EE security requirements.
* InformIT's article on J2EE Security, which details the user authentication requirements for J2EE products.
* Oracle's documentation on securing J2EE applications, which includes information on the J2EE security model.
NEW QUESTION # 34
Identify the type of attack depicted in the following figure.
- A. Parameter Tampering Attack
- B. Denial-of-Service Attack
- C. Session Fixation Attack
- D. SQL Injection Attacks
Answer: A
NEW QUESTION # 35
Which of the following elements in web.xml file ensures that cookies will be transmitted over an encrypted channel?
- A. < connector SSLEnabled="false" / >
- B. < connector EnableSSL="true" / >
- C. < connector lsSSLEnabled="Yes" / >
- D. < connector SSLEnabled="true" / >
Answer: D
Explanation:
SSLEnabled="true" is an attribute of the <Connector> element in server.xml, not a web.xml element; it turns on TLS for that connector (together with its keystore or SSLHostConfig settings), so everything on that port, cookies included, travels encrypted. In web.xml the corresponding controls are a <user-data-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee> for the protected URL patterns and, from Servlet 3.0, <session-config><cookie-config><secure>true</secure></cookie-config></session-config>, which marks the session cookie Secure so a browser never sends it over plain HTTP even if an unencrypted connector is also open.
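Added example, not part of the original page: the session-cookie hardening described in this question expressed programmatically with the Servlet 3.0 SessionCookieConfig API, which Tomcat 7 and later support. It assumes the javax.servlet namespace (Tomcat 9 and earlier; Tomcat 10 uses jakarta.servlet) and a deployment that already listens on a TLS connector.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

// Runs once when the web application starts; it is the programmatic
// equivalent of <session-config><cookie-config> in WEB-INF/web.xml.
@WebListener
public class SessionCookieHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cookie = sce.getServletContext().getSessionCookieConfig();

        // Secure: the browser sends the session cookie only over HTTPS.
        // SSLEnabled="true" on a connector encrypts that connector's traffic,
        // but without this flag the same cookie would also be sent to any
        // plain-HTTP connector the host still serves.
        cookie.setSecure(true);

        // HttpOnly: page script cannot read the session id, which limits
        // what a cross-site scripting bug can steal.
        cookie.setHttpOnly(true);

        // Scope the cookie to this application so a second application on
        // the same host does not receive it.
        cookie.setPath(sce.getServletContext().getContextPath() + "/");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

The listener must be called before the first session is created, which is why it lives in a ServletContextListener; setting these flags later throws IllegalStateException. Verify the result by inspecting the Set-Cookie header of the first response: it should carry both the Secure and HttpOnly attributes.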
NEW QUESTION # 36
Which of the following can be derived from abuse cases to elicit security requirements for software system?
- A. Security use cases
- B. Use cases
- C. Data flow diagram
- D. Misuse cases
Answer: A
NEW QUESTION # 37
Identify which of the following should NOT be caught while handling exceptions.
- A. IllegalAccessException
- B. NullPointerException
- C. SecurityException
- D. EOFException
Answer: C
Explanation:
In Java, it's generally advised not to catch SecurityException. This is because SecurityException is thrown by the security manager to indicate a security violation. Catching and handling this exception might hide underlying security issues that should be addressed rather than caught and ignored. Instead, the application should be designed to avoid causing security exceptions by adhering to proper security practices.
References: This advice is in line with general Java exception-handling guidance (see the Java platform documentation on SecurityManager and SecurityException) and with the EC-Council CASE Java study materials on secure exception handling.
NEW QUESTION # 38
A US-based ecommerce company has developed its website www.ec-sell.com to sell products online. The website has a feature that allows customers to search products by price. Recently a bug bounty hunter discovered a security flaw in the Search page: he could see all products from the database table when he altered the URL http://www.ec-sell.com/products.jsp?val=100 to http://www.ec-sell.com/products.jsp?val=200 OR '1'='1 -. The products.jsp page is vulnerable to
- A. Brute force attack
- B. Session Hijacking attack
- C. Cross Site Request Forgery attack
- D. SQL Injection attack
Answer: D
NEW QUESTION # 39
It is recommended that you do not use return, break, continue or throw statements in a _________
- A. Try-With-Resources block
- B. Catch block
- C. Try block
- D. Finally block
Answer: D
NEW QUESTION # 40
Alice, a security engineer, was performing security testing on the application. She found that users can view the website structure and file names. As per standard security practice this poses a serious risk, because attackers can locate hidden script files in the web directory. Which of the following will mitigate this risk?
- A. <init-param> <param-name>listings</param-name> <param-value>false</param-value> </init-param>
- B. <init-param> <param-name>directory-listings</param-name> <param-value>true</param-value> </init-param>
- C. <init-param> <param-name>directory-listings</param-name> <param-value>false</param-value> </init-param>
- D. <init-param> <param-name>listings</param-name> <param-value>true</param-value> </init-param>
Answer: A
Explanation:
To mitigate the risk of users viewing the website structure and file names, disable directory listings. In Tomcat this is the listings init-param of the DefaultServlet in CATALINA_HOME/conf/web.xml: <init-param><param-name>listings</param-name><param-value>false</param-value></init-param> stops the server from generating an index of a directory that has no welcome file, so users and attackers cannot enumerate the application's files. Tomcat ships with this value already set to false; the check is to confirm that nobody has switched it to true in the global web.xml or in an application's WEB-INF/web.xml. Disabling directory listings is standard hardening for any web server.
References:
* Web Server Security Best Practices documentation
* OWASP (Open Web Application Security Project) guidelines on securing web server configurations
NEW QUESTION # 41
James is a Java developer working at INFR INC. He has written Java code to open a file, read it line by line and display its contents. He wants to ensure that any unhandled exception raised by the code automatically closes the open file stream. Which of the following exception handling constructs should he use for this purpose?
- A. Try-Catch-Finally block
- B. Try-With-Resources block
- C. Try-Catch block
- D. Try-Catch-Resources block
Answer: B
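Added example (mine, not code from the exam or from EC-Council) covering Questions 37, 39 and 41 together: a try-with-resources file reader of the kind James needs, a handler that catches IOException but deliberately lets SecurityException propagate, and the return-in-finally anti-pattern that silently discards an exception. The temporary file and its contents are constructed sample input.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

public class FileReadDemo {

    // Question 41: the reader is declared in the try header, so it is closed
    // automatically whether the body finishes normally or throws. The close
    // runs before any catch or finally block, so nothing leaks on an
    // unhandled exception.
    static List<String> readLines(Path file) throws IOException {
        List<String> lines = new ArrayList<>();
        try (BufferedReader reader = Files.newBufferedReader(file)) {
            String line;
            while ((line = reader.readLine()) != null) {
                lines.add(line);
            }
        }
        return lines;
    }

    // Question 37: catch only what you can recover from. IOException is
    // handled; SecurityException (raised when a security manager or the OS
    // denies access) is a RuntimeException and is deliberately left to
    // propagate, so a policy violation surfaces instead of looking like
    // "no data". A catch (Exception e) here would mask it.
    static List<String> readOrEmpty(Path file) {
        try {
            return readLines(file);
        } catch (IOException e) {
            return List.of();
        }
    }

    // Question 39 anti-pattern: a return in finally discards the pending
    // exception. The caller receives -1 and never learns the body failed.
    @SuppressWarnings("finally")
    static int swallowedByFinally() {
        try {
            throw new IllegalStateException("lost on the way out");
        } finally {
            return -1;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temporary file standing in for the
        // file James's code opens.
        Path tmp = Files.createTempFile("case-java-", ".txt");
        Files.writeString(tmp, "first line\nsecond line\n");
        try {
            System.out.println(readLines(tmp));
            System.out.println(readOrEmpty(Path.of("/definitely/not/here.txt")));
            System.out.println(swallowedByFinally());
        } finally {
            Files.deleteIfExists(tmp);
        }
    }
}
```

readLines returns the two constructed lines, readOrEmpty on the missing path returns an empty list because NoSuchFileException is an IOException, and swallowedByFinally returns -1 with no sign that an IllegalStateException was ever thrown; javac flags that last method with a "finally clause cannot complete normally" warning, which is the signal the question is about.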
NEW QUESTION # 42
Oliver is a web server admin and wants to configure the Tomcat server so that it does not serve directory index pages when a directory has no welcome file. Which of the following settings in CATALINA_HOME/conf/web.xml will solve his problem?
- A. <servlet> <servlet-name>default</servlet-name> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> <init-param> <param-name>listings</param-name> <param-value>true</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet>
- B. <servlet> <servlet-name>default</servlet-name> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> <init-param> <param-name>listings</param-name> <param-value>enable</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet>
- C. <servlet> <servlet-name>default</servlet-name> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> <init-param> <param-name>listings</param-name> <param-value>disable</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet>
- D. <servlet> <servlet-name>default</servlet-name> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> <init-param> <param-name>listings</param-name> <param-value>false</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet>
Answer: D
Explanation:
To stop Tomcat from generating an index page for a directory that has no welcome file, the listings init-param of the DefaultServlet must be false. The parameter is boolean; enable and disable (options B and C) are not its documented values. Tomcat's own CATALINA_HOME/conf/web.xml already sets listings to false, so in practice the task is to confirm that neither the global file nor an application's WEB-INF/web.xml has switched it to true.
Breakdown of the configuration:
* <servlet-name>default</servlet-name>: the name of the servlet.
* <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>: the servlet class being configured; it serves static resources.
* <init-param>: defines an initialization parameter for the servlet.
* <param-name>listings</param-name>: the parameter that controls directory listings.
* <param-value>false</param-value>: disables them.
* <load-on-startup>1</load-on-startup>: loads the servlet when the container starts.
The configuration that solves Oliver's problem is:
```xml
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
```
With listings disabled, a request for a directory that has no welcome file is answered with 404 instead of a listing of the directory's contents.
References: For further details on Tomcat server configuration, refer to the official Apache Tomcat documentation (the DefaultServlet reference and the security how-to), which describe server setup and hardening.
NEW QUESTION # 43
In which phase of secure development lifecycle the threat modeling is performed?
- A. Deployment phase
- B. Coding phase
- C. Design phase
- D. Testing phase
Answer: C
Explanation:
Threat modeling is an essential process in the secure development lifecycle that is typically performed during the design phase. This process involves identifying, predicting, and defining potential threats, as well as determining the likelihood and impact of these threats on the application. By conducting threat modeling in the design phase, developers and security teams can proactively address security issues and integrate necessary countermeasures before the coding begins. This approach helps to minimize vulnerabilities and ensures that security considerations are embedded into the application from the early stages of development.
References: The EC-Council's Certified Application Security Engineer (CASE) JAVA training and certification program emphasizes the importance of implementing secure methodologies and practices throughout the Software Development Lifecycle (SDLC), including the planning, creation, testing, and deployment of an application. The program specifically highlights the role of threat modeling in the design phase as a critical security activity.
NEW QUESTION # 44
Suppose there is a productList.jsp page, which displays the list of products from the database for the requested product category. The product category comes as a request parameter value. Which of the following lines of code will you use to strictly validate the request parameter value before processing it?
- A. public boolean validateUserName() { Pattern p = Pattern.compile("[a-zA-Z0-9]*$"); Matcher m = p.matcher(request.getParameter("CatId")); boolean result = m.matches(); return result; }
- B. public boolean validateUserName() { if(!request.getParameter("CatId").equals("null")) }
- C. public boolean validateUserName() { String CategoryId = request.getParameter("CatId"); }
- D. public boolean validateUserName() { if(request.getParameter("CatId") != null) String CategoryId = request.getParameter("CatId"); }
Answer: A
Explanation:
The correct code for strictly validating the request parameter before processing it is option A. It uses a regular expression to ensure the CatId parameter contains only alphanumeric characters, the allow-list approach that keeps SQL metacharacters and other attack payloads out of the value. Pattern.compile("[a-zA-Z0-9]*$") builds the pattern, matcher() applies it to the parameter taken from the request, and m.matches() returns true only if the whole value matches. Two caveats for real code: Matcher.matches() already requires the entire input to match, so the trailing $ is redundant, and the * quantifier accepts an empty string, so a bounded quantifier such as {1,32} is stricter. If the parameter is absent, request.getParameter returns null and Pattern.matcher(null) throws a NullPointerException, so check for null first. Options B, C and D either do not compile or only test for presence, not content. Allow-list validation is defence in depth, not a replacement for a PreparedStatement: the payload from Question 38 is rejected by the pattern, but the query must also never be built by concatenating user input.
References: The answer is in accordance with the input validation practices taught in the EC-Council Certified Application Security Engineer (CASE) Java training and certification program, which emphasizes secure coding practices such as input validation to protect against SQL injection. For further details refer to the official EC-Council CASE Java course materials and study guides.
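Added example, not from the dump or from EC-Council's material, that hardens option A along the lines of the caveats above and pairs it with a parameterized query. The products table, its columns and the findProducts method are hypothetical; the JDBC and java.util.regex calls are standard.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class CategoryParamValidator {

    // Allow-list: 1 to 32 alphanumeric characters. Pattern.matches() must
    // cover the whole input, so no ^/$ anchors are needed, and the {1,32}
    // bound rejects the empty string that "[a-zA-Z0-9]*" would accept.
    private static final Pattern CAT_ID = Pattern.compile("[A-Za-z0-9]{1,32}");

    // True only for a value that is present and matches the allow-list.
    // A null parameter is rejected here rather than reaching Matcher and
    // throwing a NullPointerException.
    static boolean isValidCatId(String value) {
        return value != null && CAT_ID.matcher(value).matches();
    }

    // Validation is defence in depth; the query still binds the value as a
    // parameter so the database never interprets it as SQL.
    // Hypothetical table and columns; needs a live JDBC Connection to run.
    static List<String> findProducts(Connection conn, String catId) throws SQLException {
        if (!isValidCatId(catId)) {
            throw new IllegalArgumentException("invalid category id");
        }
        String sql = "SELECT name FROM products WHERE category_id = ?";
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, catId);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed inputs: the benign value from the question, the
        // injection payload from Question 38's URL, and two edge cases.
        String[] samples = { "100", "200 OR '1'='1 -", "", null, "Electronics" };
        for (String s : samples) {
            System.out.println(s + " -> " + isValidCatId(s));
        }
    }
}
```

Only "100" and "Electronics" pass; the injection string, the empty string and the missing parameter are all rejected before any database call. Keep the two layers separate in real code: the validator decides whether the request is well-formed, and the PreparedStatement guarantees that even a value the validator wrongly accepted cannot change the query's structure.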
NEW QUESTION # 45
Which of the following can be derived from abuse cases to elicit security requirements for software system?
- A. Misuse cases
- B. Use cases
- C. Data flow diagram
- D. Security use cases
Answer: D
Explanation:
Security use cases are derived from abuse cases and are used to elicit security requirements for a software system. Abuse cases and misuse cases are two names for the same artifact: a scenario describing how a hostile actor interacts with the system to cause harm. Security use cases are the positive counterpart derived from them: they specify what the system must do to prevent, detect or mitigate each abuse scenario, and those statements become the security requirements. This is the same question as Question 36, with the options reordered.
References: The relationship between abuse cases and security use cases is taught in the EC-Council Certified Application Security Engineer (CASE) Java program as part of security requirements gathering, and is described in the wider application security literature on misuse and security use cases.
NEW QUESTION # 46
EC-Council CASE Java Exam Certification Details:
| Passing Score | 70% |
| Schedule Exam | Pearson VUE or EC-Council Store, ECC Exam Center |
| Exam Price | $450 (USD) |
| Exam Name | EC-Council Certified Application Security Engineer (CASE) - Java |
| Duration | 120 mins |
| Exam Code | 312-96 |
| Sample Questions | EC-Council CASE Java Sample Questions |