Web Application Security Quiz Questions And Answers

1. Web application security is not required for finance applications.

True

False

This statement is false because web application security is indeed required for finance applications. Finance applications deal with sensitive and confidential information such as personal and financial data of users. Without proper security measures in place, these applications can be vulnerable to various cyber threats, including data breaches, identity theft, and financial fraud. Implementing web application security is essential to protect the integrity, confidentiality, and availability of financial data and ensure the trust and confidence of users in the application.

Explanation

This statement is false because web application security is indeed required for finance applications. Finance applications deal with sensitive and confidential information such as personal and financial data of users. Without proper security measures in place, these applications can be vulnerable to various cyber threats, including data breaches, identity theft, and financial fraud. Implementing web application security is essential to protect the integrity, confidentiality, and availability of financial data and ensure the trust and confidence of users in the application.

2. One common strategy to prevent XSS vulnerabilities is to (choose exactly 1 answer):

Educate your users to recognize safe vs. unsafe web pages.

Escape user's input is valid as soon as possible.

Avoid using JavaScript in your site.

Use an interpreted programming language such as Java or C#.

Make sure your database is configured for strong security.

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-2.html for a detailed explanation.

Explanation

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-2.html for a detailed explanation.

3. Cross-site request forgery (CSRF) vulnerabilities (choose exactly 1 answer):

Are partially corrected by adding and validating on submission a hidden field with a secure random number as its value.

Only affect pages with forms that do not include the user name in the data sent back to the server.

Are common in sites that avoid JavaScript on pages that contain one or more forms.

Are common in sites that rely heavily on JavaScript, especially on pages that contain one or more forms.

Prevented by using newer web frameworks such as Ruby on Rails

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-3.html for a detailed explanation.

Explanation

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-3.html for a detailed explanation.

4. If a site has an unusually short session timeout (e.g.: 2 minutes) and has an unusually large logout button on the top of every page, one might assume that the site is trying to prevent what type of attack? (choose exactly 1 answer):

SQL Injection

Cross-Site Request Forgery (CSRF)

Cross-Site Scripting (XSS)

Session Management

Buffer Overflow (AKA: Malicious File Execution)

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-8.html for a detailed explanation.

Explanation

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-8.html for a detailed explanation.

5. One operation that frequently has cross-site scripting (XSS) vulnerabilities is (choose exactly 1 answer):

A user visits a site's homepage.

A site prompts the user for their user name and password.

A site produces an error message for an invalid user name.

A user clicks on a hyperlink to visit another page in the same site.

A user clicks on a hyperlink to visit another page in a different site.

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-1.html for a detailed explanation.

Explanation

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-1.html for a detailed explanation.

6. Of the following types of vulnerabilities, which is LEAST likely to be found by an automated security tool such as the port scanner NMAP (https://nmap.org), the free web scanner Paros (https://tinyurl.com/2a5757) or its productized version MileSCAN (https://tinyurl.com/2a5757), or a vulnerability scanner such as Nessus (https://www.nessus.org) (choose exactly 1 answer):

Cross-site scripting (XSS) Vulnerabilities

SQL Injection Flaws

Buffer Overflow Vulnerabilities

Insecure Cryptographic Storage Vulnerabilities

Information Leakage Vulnerabilities

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-5.html for a detailed explanation.

Explanation

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-5.html for a detailed explanation.

7. In a typical N-tier web application with a DMZ, standard security practices dictate that encryption is required when (choose 1 or more answers):

Displaying the logon page's form.

Credit card numbers are being transmitted to the site.

Credit card numbers are being transmitted between two machines within the DMZ itself.

Credit card numbers are being transmitted between two machines within the secure network behind the DMZ.

Never. Encryption is always required.

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-4.html for a detailed explanation.

Explanation

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-4.html for a detailed explanation.

Submit

8. In an imaginary online banking application, after logging in the user sees a summary page about their accounts which has several navigation links. One of the links is for account details and accesses the following URL: https://really-cheapo-bank.com/ShowAccountDetail.jsp?AccountNumber=1234567890what security problems likely exist in the application (choose 1 or more answers):

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-10.html for a detailed explanation.

Explanation

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-10.html for a detailed explanation.

Submit

9. Which of the following strategies prevents a SQL injection vulnerability (choose 1 or more answers):

Carefully validating user input and rejecting invalid input before executing any SQL requests.

Ensuring that you use only database software that has been widely tested and is generally considered secure.

Always run the database on a remote machine and use SSL whenever you communicate with it.

Using prepared statements at runtime instead of dynamically evaluating SQL.

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-9.html for a detailed explanation.

Explanation

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-9.html for a detailed explanation.

Submit

10. Hackers often gather a multitude of seemingly small, innocuous pieces of configuration about a site that, when combined, can help them attack a site. Which of the following error messages are typically considered safe to display to the user? (choose 1 or more answers):

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-7.html for a detailed explanation.

Explanation

See http://www.onestopappsecurity.com/content/quiz/basicdevwebappquiz-1/basic-developer-web-application-security-quiz-explanation-7.html for a detailed explanation.

Submit