Web Application Security Quiz Questions And Answers
(439).jpg "Web Application Security Quiz Questions And Answers - Quiz")
Check out our amazing web application security quiz based on OWASP. Org's Top-Ten 2007 Web Vulnerabilities. The Top-10 provides a description of, examples for, and solutions to the ten most commonly discovered vulnerabilities found in deployed web applications during 2007. The questions in this quiz question are both basic and complex for you to evaluate your understanding of the most common and easy exploits of these vulnerabilities. Let's go!
- 1.
One operation that frequently has cross-site scripting (XSS) vulnerabilities is (choose exactly 1 answer):
- A.
A user visits a site's homepage.
- B.
A site prompts the user for their user name and password.
- C.
A site produces an error message for an invalid user name.
- D.
A user clicks on a hyperlink to visit another page in the same site.
- E.
A user clicks on a hyperlink to visit another page in a different site.
Correct Answer
C. A site produces an error message for an invalid user name.Explanation
See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-1.html for a detailed explanation.Rate this question:
-
- 2.
One common strategy to prevent XSS vulnerabilities is to (choose exactly 1 answer):
- A.
Educate your users to recognize safe vs. unsafe web pages.
- B.
Escape user's input is valid as soon as possible.
- C.
Avoid using JavaScript in your site.
- D.
Use an interpreted programming language such as Java or C#.
- E.
Make sure your database is configured for strong security.
Correct Answer
B. Escape user's input is valid as soon as possible.Explanation
See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-2.html for a detailed explanation.Rate this question:
-
- 3.
Cross-site request forgery (CSRF) vulnerabilities (choose exactly 1 answer):
- A.
Are partially corrected by adding and validating on submission a hidden field with a secure random number as its value.
- B.
Only affect pages with forms that do not include the user name in the data sent back to the server.
- C.
Are common in sites that avoid JavaScript on pages that contain one or more forms.
- D.
Are common in sites that rely heavily on JavaScript, especially on pages that contain one or more forms.
- E.
Prevented by using newer web frameworks such as Ruby on Rails
Correct Answer
A. Are partially corrected by adding and validating on submission a hidden field with a secure random number as its value.Explanation
See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-3.html for a detailed explanation.Rate this question:
-
- 4.
Web application security is not required for finance applications.
- A.
True
- B.
False
Correct Answer
B. FalseExplanation
This statement is false because web application security is indeed required for finance applications. Finance applications deal with sensitive and confidential information such as personal and financial data of users. Without proper security measures in place, these applications can be vulnerable to various cyber threats, including data breaches, identity theft, and financial fraud. Implementing web application security is essential to protect the integrity, confidentiality, and availability of financial data and ensure the trust and confidence of users in the application.Rate this question:
-
- 5.
In a typical N-tier web application with a DMZ, standard security practices dictate that encryption is required when (choose 1 or more answers):
- A.
Displaying the logon page's form.
- B.
Credit card numbers are being transmitted to the site.
- C.
Credit card numbers are being transmitted between two machines within the DMZ itself.
- D.
Credit card numbers are being transmitted between two machines within the secure network behind the DMZ.
- E.
Never. Encryption is always required.
Correct Answer(s)
B. Credit card numbers are being transmitted to the site.
C. Credit card numbers are being transmitted between two machines within the DMZ itself.
D. Credit card numbers are being transmitted between two machines within the secure network behind the DMZ.Explanation
See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-4.html for a detailed explanation.Rate this question:
-
- 6.
Of the following types of vulnerabilities, which is LEAST likely to be found by an automated security tool such as the port scanner NMAP (http://nmap.org), the free web scanner Paros (http://tinyurl.com/2a5757) or its productized version MileSCAN (http://tinyurl.com/2a5757), or a vulnerability scanner such as Nessus (http://www.nessus.org) (choose exactly 1 answer):
- A.
Cross-site scripting (XSS) Vulnerabilities
- B.
SQL Injection Flaws
- C.
Buffer Overflow Vulnerabilities
- D.
Insecure Cryptographic Storage Vulnerabilities
- E.
Information Leakage Vulnerabilities
Correct Answer
D. Insecure Cryptographic Storage VulnerabilitiesExplanation
See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-5.html for a detailed explanation.Rate this question:
-
- 7.
Hackers often gather a multitude of seemingly small, innocuous pieces of configuration about a site that, when combined, can help them attack a site. Which of the following error messages are typically considered safe to display to the user? (choose 1 or more answers):
- A.
A message that states that the system is down for maintenance and tells what time it is expected to be back up. E.g.: Our site is down. We're sorry for the inconvenience. We are doing maintenance on our servers. The site should be up by 11:00 PM PST.
- B.
A message that says the user typed an incorrect password but does not display the username. E.g.: You entered an invalid password for the specified user.
- C.
A message that says that there was an error logging in mentioning the username. E.g.: User "JoeUser" could not be logged in with the information you provided.
- D.
An error message that says there was an internal error but does not provide any details to assist in debugging or reporting of the error. E.g.: There was an internal error. Please report this to the sysadmin.
- E.
An error message that says there was an internal error message and displays the call stack to assist in debugging and reporting of the error. There was an internal error. Please send a copy-and-paste of this page to the sysadmin.
Correct Answer(s)
A. A message that states that the system is down for maintenance and tells what time it is expected to be back up. E.g.: Our site is down. We're sorry for the inconvenience. We are doing maintenance on our servers. The site should be up by 11:00 PM PST.
C. A message that says that there was an error logging in mentioning the username. E.g.: User "JoeUser" could not be logged in with the information you provided.
D. An error message that says there was an internal error but does not provide any details to assist in debugging or reporting of the error. E.g.: There was an internal error. Please report this to the sysadmin.Explanation
See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-7.html for a detailed explanation.Rate this question:
-
- 8.
If a site has an unusually short session timeout (e.g.: 2 minutes) and has an unusually large logout button on the top of every page, one might assume that the site is trying to prevent what type of attack? (choose exactly 1 answer):
- A.
SQL Injection
- B.
Cross-Site Request Forgery (CSRF)
- C.
Cross-Site Scripting (XSS)
- D.
Session Management
- E.
Buffer Overflow (AKA: Malicious File Execution)
Correct Answer
D. Session ManagementExplanation
See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-8.html for a detailed explanation.Rate this question:
-
- 9.
Which of the following strategies prevents a SQL injection vulnerability (choose 1 or more answers):
- A.
Carefully validating user input and rejecting invalid input before executing any SQL requests.
- B.
Ensuring that you use only database software that has been widely tested and is generally considered secure.
- C.
Code all of your database access functions in a strongly-typed language to ensure that you do not have an type mismatches.
- D.
Always run the database on a remote machine and use SSL whenever you communicate with it.
- E.
Using prepared statements at runtime instead of dynamically evaluating SQL.
Correct Answer(s)
A. Carefully validating user input and rejecting invalid input before executing any SQL requests.
B. Ensuring that you use only database software that has been widely tested and is generally considered secure.
D. Always run the database on a remote machine and use SSL whenever you communicate with it.
E. Using prepared statements at runtime instead of dynamically evaluating SQL.Explanation
See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-9.html for a detailed explanation.Rate this question:
-
- 10.
In an imaginary online banking application, after logging in the user sees a summary page about their accounts which has several navigation links. One of the links is for account details and accesses the following URL: http://really-cheapo-bank.com/ShowAccountDetail.jsp?AccountNumber=1234567890what security problems likely exist in the application (choose 1 or more answers):
- A.
The account number should be treated as confidential data but is displayed in the user's browser's location bar potentially allowing passers' by to steal it.
- B.
The only likely reason for passing the account number within the URL is that it will be used by the system. This allows a user to alter the URL to reference other account numbers and potentially steal other users' confidential data.
- C.
The combination of both upper and lower case in the URL, when accessed by a browser that is running on system that is case insensitive (e.g.: MS Windows), can lead to an incorrect page being served and potentially displaying confidential information.
- D.
By using HTTP instead of HTTPS, the user's data can be stolen during transmission across the internet. One way this might happen is if one of the routers along the route has had malicious code installed on it.
- E.
By using HTTP instead of HTTPS, the user cannot be assured that there has not been DNS poisoning leading to them passing confidential information to a server other than their bank's server.
Correct Answer(s)
A. The account number should be treated as confidential data but is displayed in the user's browser's location bar potentially allowing passers' by to steal it.
B. The only likely reason for passing the account number within the URL is that it will be used by the system. This allows a user to alter the URL to reference other account numbers and potentially steal other users' confidential data.
D. By using HTTP instead of HTTPS, the user's data can be stolen during transmission across the internet. One way this might happen is if one of the routers along the route has had malicious code installed on it.
E. By using HTTP instead of HTTPS, the user cannot be assured that there has not been DNS poisoning leading to them passing confidential information to a server other than their bank's server.Explanation
See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-10.html for a detailed explanation.Rate this question:
-
Quiz Review Timeline +
Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.
-
Current Version
-
Apr 13, 2023Quiz Edited by
ProProfs Editorial Team -
Oct 07, 2008Quiz Created by
Onestopappsecuri
Back to top