Q.1 What type of flaw occurs when untrusted user-entered data is sent to the interpreter as part of a query or command?
A. Cross Site Request Forgery
B. Insecure Direct Object References
C. Injection
D. Insufficient Transport Layer Protection
E. Improper Authentication
Ans : Injection
Q.2 Which of the following are the best ways to protect against injection attacks?
A. Memory size checks
B. Escaping
C. Validate integer values before referencing arrays
Ans : Escaping
Q.3 Which of the following consequences are most likely to occur due to an injection attack?
A. Denial of service
B. Spoofing
C. Data loss
Ans : Denial of service
Q.4 What flaw arises from session tokens having poor randomness across a range of values?
A. Session Replay
B. Session Fixation
C. Insecure Direct Object References
D. Session Hijacking
Ans : Session Hijacking
Q.5 What is the attack technique used to exploit websites by altering backend database queries through manipulated input?
A. LDAP Injection
B. SQL Injection
C. OS Commanding
D. XML Injection
Ans : SQL Injection
Q.6 Which of the following depicts the typical impact of failure to restrict URL access?
A. Attackers impersonate any user on the system
B. Attackers access other users' accounts and data
C. Broken Authentication and Session Management
Ans : Attackers access other users' accounts and data
Q.7 What happens when an application takes user-input data and sends it to a web browser without proper validation and escaping?
A. Cross Site Scripting
B. Broken Authentication and Session Management
C. Insecure Direct Object References
D. Security Misconfiguration
Ans : Cross Site Scripting
Q.8 In which of the following scenarios should you use the escaping technique?
A. When you need to tell the interpreter that input is data and not code
B. When you need to validate any input as valid input
C. When you are trying to protect against regular expression injection
Ans : When you need to tell the interpreter that input is data and not code
Q.9 Which of the following are the best ways to implement transport layer protection?
A. Enable both IPSec & SSL
B. Install IDS
C. Set the HttpOnly flag on session ID cookies
D. Enable IPSec
E. Enable SSL
Ans : Enable both IPSec & SSL
Q.10 Which of the following actions should you take to verify the implementation of a web application?
A. Use policy mechanisms
B. Verify that each URL in your application is appropriately protected
C. Use a simple and positive model at every layer
Ans : Verify that each URL in your application is appropriately protected
Q.11 What attack can be prevented by links or forms that invoke state-changing functions with an unpredictable token for each user?
A. Cross Site Request Forgery
B. Cross Site Tracing
C. OS Commanding
D. Cross Site Scripting
Ans : OS Commanding
Q.12 What threat arises from not flagging HTTP cookies that carry tokens as secure?
A. Session Hijacking
B. Access Control Violation
C. Insecure Cryptographic Storage
D. Session Replay
Ans : Access Control Violation
Q.13 For a connection that changes from HTTP to HTTPS, what flaw arises if you do not change the session identifier?
A. Cross Site Scripting
B. Session Hijacking
C. Security Misconfiguration
D. Session Replay
Ans : Session Replay
Q.14 Which threat can be prevented by having unique usernames generated with a high degree of entropy?
A. Spamming
B. Authorization Bypass
C. Cryptanalysis of hash values
D. Authentication Bypass
Ans : Authentication Bypass
Q.15 What is an example of a session-related vulnerability?
A. Session Hijacking
B. Data Transfer Protocol
C. Security Tracing
D. Session Spoofing
Ans : Session Hijacking
Q.16 Which of the following languages are the primary targets of cross-site scripting?
A. SQL
B. JavaScript
C. XML Injection
D. XSLT
Ans : JavaScript
Q.17 What is an attack that forces a user’s session credential or session ID to an explicit value?
A. Brute Force Attack
B. Session Fixation
C. Session Hijacking
D. Dictionary Attack
Ans : Session Fixation
Q.18 What happens when an application takes user-input data and sends it to a web browser without proper validation?
A. Security Misconfiguration
B. Cross Site Scripting
C. Insecure Direct Object References
D. Broken Authentication and Session Management
Ans : Cross Site Scripting
Q.19 Role-based access control helps prevent which OWASP Top 10 vulnerability?
A. Security Misconfiguration
B. Unvalidated Redirect or Forward
C. Failure to restrict URL Access
D. Failure to restrict URL Access
Ans : Failure to restrict URL Access
Q.20 What is an attack that exploits the trust a site has in a user’s browser?
A. SQL Injection
B. Cross Site Scripting
C. Cross Site Request Forgery
D. Session Hijacking
Ans : Cross Site Request Forgery
Q.21 Which of the following are most likely to result in insecure cryptography?
A. Unsalted hash
B. Missing patches
C. New products
Ans : Unsalted hash
Q.22 Which attack can execute scripts in the user’s browser and is capable of hijacking user sessions, defacing websites or redirecting the user to malicious sites?
A. Man in the middle attack
B. Malware Uploading
C. SQL Injection
D. Cross Site Scripting
Ans : Cross Site Scripting
Q.23 Client-side scripts can be allowed to execute in the browser for needed operations.
A. True
B. False
Ans : False