1. Which of the following scenarios are most likely to cause an injection attack?
Medium, A1 owasp top 10
a. Unvalidated input is embedded in an instruction stream.
b. Unvalidated input cannot be distinguished from valid instructions.
c. A Web application does not validate a client’s access to a resource.
d. A Web action performs an operation on behalf of the user without checking a shared secret.
Answer. A, B
2. What is the best method to detect injection?
(Need to verify)
A. Source Code Analysis
B. Black Box Analysis
C. Manual Testing
D. All
Answer: A
3. Which type of validation is safe?
Easy, Input validation
A. Black List
B. White List
C. Grey List
D. All
Answer: B
XSS
8. A Web site that allows users to enter text, such as a comment or a name, and then stores it and later displays it to other users, is potentially vulnerable to a kind of attack called a ___________________ attack.
( Easy, A7)
a) Two-factor authentication
b) Cross-site request forgery
c) Cross-site scripting
d) Cross-site scoring scripting
Answer: C
9. Which of them is known as DOM Based XSS?
( Moderate, A7)
A. The injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.
B. The injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.
C. The attack payload is executed as a result of modifying the Document Object Model “environment” in the victim’s browser used by the original client-side script, so that the client-side code runs in an “unexpected” manner.
D. Both A and B are correct
Answer: C
10. Which of these are Cross-site Scripting attack vectors?
( Moderate, A7)
A. <script> tag
B. JavaScript events
C. <img> tag
D. All of the above
Answer: D
Security Misconfiguration
11. Which of them is not among the most common web application threats?
( Easy, Generic)
A. Denial of Service Attacks
B. Cookie/Session Poisoning
C. Code Injection
D. Null Pointer Exceptions
Answer: D
12. Which statement(s) is/are not true when discovering potential Security Misconfiguration? – (Valid/Easy/A6)
A. Are any default accounts left, and if so, have the passwords been changed?
B. When it is possible to enforce better security in a framework, are those options chosen?
C. Are there any unnecessary features installed/enabled that can be removed? This includes
accounts, too many privileges, ports, etc.
D. Does the error handling reveal overly informative error messages to users?
E. All are true
Answer: E
17. Which is/are not a preventive mechanism against Missing Function Level Access Control?
A. The authentication mechanism should deny all access by default, and provide access to specific roles for every function.
B. In a workflow-based application, verify the users’ state before allowing them to access any resources.
C. Allow anonymous users to access private functions that aren’t protected.
D. All of the Above
Answer: C
18. In security, the Principle of _______ encourages system designers and implementers to allow running code only the permissions needed to complete the required tasks and no more.
A. Higher Privilege
B. Elevated Privilege
C. Least Privilege
D. Important Privilege
Answer: C
19. Which of them is not a valid Access Control Policy?
A. Role Based Access Control (RBAC)
B. Discretionary Access Control (DAC)
C. Fixed Access Control (FAC)
D. Permission Based Access Control
Answer: C
CSRF
20. What is phishing?
A. Data transfer protocol
B. Email Scam
C. Network scandal
D. Cross domain scandal
Answer: B
21. What is a cookie?
A. A computer virus
B. A file that makes it easier to access a Web site and browse
C. A file that hackers use to steal your identity
D. Web application file
Answer: B
22. Any application that accepts HTTP requests from an authenticated user without having some control to verify that the HTTP request is unique to the user's session may be vulnerable to
A. XSS Attack
B. CSRF Attack
C. Injection Attack
D. Insecure Direct Object Reference Attack
Answer: B
Programmatic Security
4. Key point(s) to achieve Defensive Security
a) Never trust user input
b) Standardize exception handling
c) Implement Secure Configuration
d) All the above (Ans: D)
Cryptography