Basic Developer Web Application Security Quiz

9 Questions


This brief quiz is based on OWASP.org's Top-Ten 2007 Web Vulnerabilities. The Top-10 provides a description of, examples for, and solutions to the ten most commonly discovered vulnerabilities found in deployed web applications during 2007. The questions in this quiz are basic in the sense that, while they might seem complex, the quiz only evaluates your understanding of the most common and easy exploits of these vulnerabilities. The quiz does not address sophisticated attacks such as the OrkuTron Trojan, an attack that leverages vulnerabilities in Twitter and Orkut, two unrelated social websites, to execute a single attack. In general, if you are programming web applications that require even a modicum of security, scoring anything less than 80% probably means you are produc


Questions and Answers
  • 1. 
    • A. 

      A user visits a site's homepage.

    • B. 

      A site prompts the user for their user name and password.

    • C. 

      A site produces an error message for an invalid user name.

    • D. 

      A user clicks on a hyperlink to visit another page in the same site.

    • E. 

      A user clicks on a hyperlink to visit another page in a different site.

  • 2. 
    One common strategy to prevent XSS vulnerabilities is to (choose exactly 1 answer):
    • A. 

      Educate your users to recognize safe vs. unsafe web pages.

    • B. 

      Escape user's input is valid as soon as possible.

    • C. 

      Avoid using JavaScript in your site.

    • D. 

      Use an interpreted programming language such as Java or C#.

    • E. 

      Make sure your database is configured for strong security.

  • 3. 
    • A. 

      Are partially corrected by adding and validating on submission a hidden field with a secure random number as its value.

    • B. 

      Only affect pages with forms that do not include the user name in the data sent back to the server.

    • C. 

      Are common in sites that avoid JavaScript on pages that contain one or more forms.

    • D. 

      Are common in sites that rely heavily on JavaScript, especially on pages that contain one or more forms.

    • E. 

      Are prevented by using newer web frameworks such as Ruby on Rails.

  • 4. 
    In a typical N-tier web application with a DMZ, standard security practices dictate that encryption is required when (choose 1 or more answers):
    • A. 

      Displaying the logon page's form.

    • B. 

      Credit card numbers are being transmitted to the site.

    • C. 

      Credit card numbers are being transmitted between two machines within the DMZ itself.

    • D. 

      Credit card numbers are being transmitted between two machines within the secure network behind the DMZ.

    • E. 

      Never. Encryption is always required.

  • 5. 
    Of the following types of vulnerabilities, which is LEAST likely to be found by an automated security tool such as the port scanner NMAP (http://nmap.org), the free web scanner Paros (http://tinyurl.com/2a5757) or its productized version MileSCAN (http://tinyurl.com/2a5757), or a vulnerability scanner such as Nessus (http://www.nessus.org) (choose exactly 1 answer):
    • A. 

      Cross-site scripting (XSS) Vulnerabilities

    • B. 

      SQL Injection Flaws

    • C. 

      Buffer Overflow Vulnerabilities

    • D. 

      Insecure Cryptographic Storage Vulnerabilities

    • E. 

      Information Leakage Vulnerabilities

  • 6. 
    • A. 

      A message that states that the system is down for maintenance and tells what time it is expected to be back up. E.g.: Our site is down. We're sorry for the inconvenience. We are doing maintenance on our servers. The site should be up by 11:00 PM PST.

    • B. 

      A message that says the user typed an incorrect password but does not display the username. E.g.: You entered an invalid password for the specified user.

    • C. 

      A message that says that there was an error logging in mentioning the username. E.g.: User "JoeUser" could not be logged in with the information you provided.

    • D. 

      An error message that says there was an internal error but does not provide any details to assist in debugging or reporting of the error. E.g.: There was an internal error. Please report this to the sysadmin.

    • E. 

      An error message that says there was an internal error and displays the call stack to assist in debugging and reporting of the error. E.g.: There was an internal error. Please send a copy-and-paste of this page to the sysadmin.

  • 7. 
    If a site has an unusually short session timeout (e.g.: 2 minutes) and has an unusually large logout button on the top of every page, one might assume that the site is trying to prevent what type of attack? (choose exactly 1 answer):
    • A. 

      SQL Injection

    • B. 

      Cross-Site Request Forgery (CSRF)

    • C. 

      Cross-Site Scripting (XSS)

    • D. 

      Session Management

    • E. 

      Buffer Overflow (AKA: Malicious File Execution)

  • 8. 
    Which of the following strategies prevents a SQL injection vulnerability (choose 1 or more answers):
    • A. 

      Carefully validating user input and rejecting invalid input before executing any SQL requests.

    • B. 

      Ensuring that you use only database software that has been widely tested and is generally considered secure.

    • C. 

      Code all of your database access functions in a strongly-typed language to ensure that you do not have any type mismatches.

    • D. 

      Always run the database on a remote machine and use SSL whenever you communicate with it.

    • E. 

      Using prepared statements at runtime instead of dynamically evaluating SQL.

  • 9. 
    In an imaginary online banking application, after logging in, the user sees a summary page about their accounts which has several navigation links. One of the links is for account details and accesses the following URL: http://really-cheapo-bank.com/ShowAccountDetail.jsp?AccountNumber=1234567890. What security problems likely exist in the application (choose 1 or more answers):
    • A. 

      The account number should be treated as confidential data but is displayed in the user's browser's location bar, potentially allowing passers-by to steal it.

    • B. 

      The only likely reason for passing the account number within the URL is that it will be used by the system. This allows a user to alter the URL to reference other account numbers and potentially steal other users' confidential data.

    • C. 

      The combination of both upper and lower case in the URL, when accessed by a browser that is running on a system that is case insensitive (e.g.: MS Windows), can lead to an incorrect page being served and potentially displaying confidential information.

    • D. 

      By using HTTP instead of HTTPS, the user's data can be stolen during transmission across the internet. One way this might happen is if one of the routers along the route has had malicious code installed on it.

    • E. 

      By using HTTP instead of HTTPS, the user cannot be assured that there has not been DNS poisoning leading to them passing confidential information to a server other than their bank's server.