Web Application Security! Hardest Trivia Quiz

Approved & Edited by ProProfs Editorial Team
| By Searchlab
Searchlab
Community Contributor
Quizzes Created: 4 | Total Attempts: 4,701
Questions: 10 | Attempts: 2,283



Web application security is a critical topic. Do you need to know more about it? Your web application must be able to tell the difference between legitimate and malicious traffic: an attacker could worm their way into your site and, from there, into your computer. Taking this quiz can help you learn more about application security and how it makes your life easier.


Questions and Answers
  • 1. A web application implements a SQL operation in the following way (pseudocode): The application uses an MSSQL database running on a different machine from the web server. The database has one user (the built-in administrator account is not used). An attacker could use the following parameters to get extra data from the database's contents:

    • A. Item=1' UNION SELECT 1,2,name FROM master..sysobjects WHERE xtype='U
    • B. Item=1 or 1=1
    • C. User=1 UNION SELECT 1,2,name FROM master..sysdatabases
    • D. User=1 or 1=1--
    • E. User=1; WAITFOR DELAY '0:0:5';--

    Correct Answer(s)
    A. Item=1' UNION SELECT 1,2,name FROM master..sysobjects WHERE xtype='U
    C. User=1 UNION SELECT 1,2,name FROM master..sysdatabases
    D. User=1 or 1=1--
    Explanation
    a] This gives the attacker a list of table names.
    b] This does not give any extra information, since ‘1 or 1=1’ will be quoted.
    c] This gives an attacker a list of databases.
    d] This dumps the contents of the items table.
    e] This does not give the attacker extra information directly, but the delay indicates a vulnerability – this query is useful for blind SQL injection.

  • 2. A web application implements a SQL operation in the following way (pseudocode): The application uses an MSSQL database running on a different machine from the web server. The database has one user (the built-in administrator account is not used). If an attacker can control the value of user and item, he can…

    • A. … obtain any data from the web application’s database.
    • B. … delete or modify arbitrary data in the web application’s database.
    • C. … read files from the database server.
    • D. … run arbitrary code on the database server.
    • E. … run arbitrary code on the web server.

    Correct Answer(s)
    A. … obtain any data from the web application’s database.
    B. … delete or modify arbitrary data in the web application’s database.
    C. … read files from the database server.
    Explanation
    a] There is only one user, therefore there are no access control issues. The attacker can map out the database, and use UNION to read out any data from it.
    b] Since the database is MSSQL, the attacker can use query stacking to perform multiple database manipulation actions in one query.
    c] The attacker can create a table and use BULK INSERT tablename FROM ‘file’ to store the file’s content in the database, then read it out with a SELECT later.
    d] The attacker cannot use EXEC to run arbitrary code without administrative rights – which he does not have in this case.
    e] The web server is on another machine, and the attacker cannot affect it directly through the database server.

  • 3. The most effective way of protecting against SQL injection is…

    • A. … blacklisting strings such as "1 OR 1=1" and "UNION" from input.
    • B. … using an intrusion detection system to detect attacks.
    • C. … whitelisting input (e.g. only allowing alphanumerical characters and spaces).
    • D. … use of prepared statements or parametrized queries.
    • E. … segmenting database accounts and minimizing their user rights.

    Correct Answer
    D. … use of prepared statements or parametrized queries.
    Explanation
    a] Blacklisting is a poor solution against SQL injection. It can be avoided in multiple ways, and can block valid user input if overused.
    b] IDS can detect obvious SQL injection attempts, but it is possible for skilled attackers to avoid detection.
    c] Whitelisting can be effective in general, but it overly restricts valid input. Many names have dashes and apostrophes in them, for example.
    d] Use of prepared statements is generally accepted as the most effective way of protecting against SQL injection. The built-in escaping and validation will prohibit attackers from injecting a string into a numeric field, and quote data in string fields properly.
    e] Adhering to the principle of least privilege is generally a good thing, but it only reduces the impact of a successful attack.
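    The following is an added example, not part of the quiz: it shows why the payloads from question 1 behave as explained there (a numeric parameter is bypassed, a quoted one is not, a UNION leaks table names) and why the parameterized query recommended in question 3 neutralizes all of them. The quiz's pseudocode is not shown, so the table, rows and query shape are constructed here, and sqlite3 stands in for MSSQL (its catalogue table sqlite_master replaces master..sysobjects).

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for the quiz's MSSQL server.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE items (id INTEGER, owner INTEGER, name TEXT);
        INSERT INTO items VALUES (1, 1, 'pen'), (2, 1, 'ink'), (3, 2, 'secret');
    """)
    return con

def lookup_unsafe(con, user, item):
    # Vulnerable pattern: attacker-controlled text is spliced into the SQL text.
    # 'user' lands in a numeric context, 'item' inside single quotes.
    sql = f"SELECT id, owner, name FROM items WHERE owner = {user} AND name = '{item}'"
    return con.execute(sql).fetchall()

def lookup_safe(con, user, item):
    # Parameterized query: the driver binds the values after the statement is
    # compiled, so nothing the caller passes in is ever parsed as SQL.
    sql = "SELECT id, owner, name FROM items WHERE owner = ? AND name = ?"
    return con.execute(sql, (user, item)).fetchall()

# The quiz's payloads, with the MSSQL catalogue table swapped for sqlite_master.
USER_OR = "1 or 1=1--"      # option D: numeric context; '--' comments out the rest
ITEM_OR = "1 or 1=1"        # option B: quoted context; just a literal name
ITEM_UNION = "1' UNION SELECT 1,2,name FROM sqlite_master WHERE type='table"  # option A

def demo():
    """Run each payload through both versions and return the rows each produced."""
    con = make_db()
    return {
        "unsafe_user_or": lookup_unsafe(con, USER_OR, "pen"),   # all 3 rows: owner check bypassed
        "unsafe_item_or": lookup_unsafe(con, "1", ITEM_OR),     # []: payload stays inside quotes
        "unsafe_union": lookup_unsafe(con, "1", ITEM_UNION),    # [(1, 2, 'items')]: table names leak
        "safe_user_or": lookup_safe(con, USER_OR, "pen"),       # []: bound as text, never equals an int
        "safe_union": lookup_safe(con, "1", ITEM_UNION),        # []: bound as a plain string
        "safe_normal": lookup_safe(con, "2", "secret"),         # [(3, 2, 'secret')]: normal use works
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} {rows}")
```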

  • 4. Which is NOT true with respect to cross-site scripting (XSS) vulnerabilities?

    • A. The attacker may be able to run arbitrary code on the user's machine.
    • B. The attacker can exploit an XSS vulnerability in order to impersonate a user.
    • C. Reflected XSS vulnerabilities can only be triggered if the user performs a certain action.
    • D. The user cannot do anything to protect himself against reflected XSS on a page that he normally trusts.
    • E. An XSS payload may use AJAX requests to persistently infect multiple pages on the host.

    Correct Answer
    D. The user cannot do anything to protect himself against reflected XSS on a page that he normally trusts.
    Explanation
    a] True; if there is a vulnerability in the JavaScript interpreter or in one of the browser plugins, an XSS attack can lead to client-side code execution.
    b] True; an attacker can steal the user’s authentication data from cookies and use it to impersonate the user.
    c] True; by definition, a reflected XSS vulnerability is triggered by the user actively following a link.
    d] This is NOT true; there are browser plugins such as NoScript that can prevent running JavaScript from untrusted sites.
    e] True; the payload may contain an HTTP request that is parametrized to exploit an XSS in another page on the same host. See the Samy MySpace worm for an example.

  • 5. If a web application includes a WYSIWYG editor, which of the approaches described below would NOT be appropriate for dealing with potential XSS in user input?

    • A. Looking for dangerous strings such as <script>, javascript: and eval(.*) in user-submitted data, and removing them.
    • B. Converting HTML control characters such as < to HTML entities such as &lt;.
    • C. Only allowing certain 'safe' tags for formatting, such as <b>, <i>, <p>, <br>.
    • D. Using special tags (such as [url=...]) and converting them to HTML.
    • E. Using an HTML filter library to remove potential XSS code from output.

    Correct Answer(s)
    A. Looking for dangerous strings such as <script>, javascript: and eval(.*) in user-submitted data, and removing them.
    B. Converting HTML control characters such as < to HTML entities such as &lt;.
    Explanation
    a] Blacklisting is not a good approach, as there are many ways to circumvent and avoid such filters.
    b] While this prevents cross-site scripting attacks, it also prevents users from submitting any kind of active content to the site.
    c] This approach may be viable depending on the context, but it significantly restricts the scope of content users can submit – e.g. links.
    d] This approach is generally accepted as the best compromise. However, the parameters of the special tags (e.g. URLs) must be validated in some way before conversion.
    e] Depending on the language of the webapp, this may be a viable solution.

  • 6. Which of the following statements is true with respect to handling file uploads and spam?

    • A. It is a good solution to explicitly change the extension of uploaded files to match their (expected) content, and check their validity by attempting to open them with the appropriate function.
    • B. If uploaded content is filtered by extension (.aspx, .jsp, .inc, .php), it prevents the attacker from uploading executable scripts to the server.
    • C. It is possible to effectively filter dangerous content by checking the MIME type of uploaded files.
    • D. Since there are numerous CAPTCHA solver tools and human-powered online CAPTCHA solver services available, using a CAPTCHA to deter spam will have no effect.
    • E. To prevent spam, it is a good idea to select a CAPTCHA that requires solving a complex mathematical / geometry problem.

    Correct Answer
    A. It is a good solution to explicitly change the extension of uploaded files to match their (expected) content, and check their validity by attempting to open them with the appropriate function.
    Explanation
    a] True. However, robust file handling functions should be used – otherwise, malformed files may cause security problems on their own.
    b] False. Depending on how the web server works, it may interpret attack.php.mp3 as a PHP script even though its extension is not .php.
    c] False. The MIME type is sent by the client, and can contain anything regardless of the file’s actual content.
    d] False. A good CAPTCHA will require a non-trivial time and money investment from the spammer’s side to avoid.
    e] False. These CAPTCHAs annoy users, and it is very possible that they’re more easily solved by programs than humans.

  • 7. If the current page has been downloaded from https://example.com/admin/index.jsp, which address may the JavaScript running on the page download data from?

    • A. https://en.example.com/admin/index.aspx
    • B. http://example.com:443/admin/index.php
    • C. https://example.com:80/admin/content.php
    • D. https://example.com/attacker/index.asp
    • E. http://example.com/admin/index.jsp

    Correct Answer
    D. https://example.com/attacker/index.asp
    Explanation
    a] Incorrect – the domain does not match.
    b] Incorrect – the server will reject HTTP queries sent to the HTTPS port.
    c] Incorrect – the server will reject HTTPS queries sent to the HTTP port.
    d] Correct.
    e] Incorrect – the protocol is different between the two queries.
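    As an added example (not part of the quiz), the check below applies the same-origin policy's comparison of scheme, host and port to the five candidate URLs above; only D shares the page's origin, since A changes the host, B and E the scheme, and C the port. The URLs are the quiz's own; the helper names are chosen here.

```python
from urllib.parse import urlsplit

# Ports the same-origin policy assumes when a URL omits one.
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) triple browsers compare for the same-origin policy."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

def same_origin(page_url, target_url):
    """True if a script loaded from page_url may read a response from target_url
    without the target granting permission (for example via CORS headers)."""
    return origin(page_url) == origin(target_url)

PAGE = "https://example.com/admin/index.jsp"

# The quiz's five candidates, keyed by option letter.
CANDIDATES = {
    "A": "https://en.example.com/admin/index.aspx",
    "B": "http://example.com:443/admin/index.php",
    "C": "https://example.com:80/admin/content.php",
    "D": "https://example.com/attacker/index.asp",
    "E": "http://example.com/admin/index.jsp",
}

def readable_from_page():
    """Option letters whose URL shares the page's origin."""
    return [letter for letter, url in CANDIDATES.items() if same_origin(PAGE, url)]

if __name__ == "__main__":
    print("page origin:", origin(PAGE))
    for letter, url in CANDIDATES.items():
        verdict = "same origin" if same_origin(PAGE, url) else "blocked"
        print(letter, origin(url), verdict)
```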

  • 8. Which statement is true with respect to HTML5 security?

    • A. In HTML5, AJAX calls can read from other domains without restrictions.
    • B. Thanks to the new possibilities of HTML5, an attacker can steal data from an iframe through ClickJacking.
    • C. Not using the new features introduced by HTML5 is a good way for a page to protect against the new security risks those features introduce.
    • D. HTML5 makes it easier to protect against XSS.
    • E. Local Storage cannot be directly manipulated by XSS.

    Correct Answer
    B. Thanks to the new possibilities of HTML5, an attacker can steal data from an iframe through ClickJacking.
    Explanation
    a] False – the other domain needs to explicitly allow this.
    b] True.
    c] False – if the browser supports HTML5, the attacker can inject any kind of HTML5 tag into the page.
    d] False – it actually gives the attackers more opportunities for XSS attacks.
    e] False – cross-site scripting attacks can read or modify Local Storage contents.

  • 9. If the attacker can run JavaScript on the user’s machine, he can expect to…

    • A. … modify other currently running scripts.
    • B. … simulate user clicks in the browser.
    • C. … run arbitrary native code on the user’s machine.
    • D. … modify user session data.
    • E. … act as a keylogger within the scope of the JavaScript’s origin.

    Correct Answer(s)
    A. … modify other currently running scripts.
    B. … simulate user clicks in the browser.
    E. … act as a keylogger within the scope of the JavaScript’s origin.
    Explanation
    a] True – the attacker can rewrite methods and change variables of other JavaScripts.
    b] True – JavaScript clicks are equivalent to user clicks.
    c] False – this is only possible if there is a bug in the browser that can be exploited through JavaScript.
    d] False – a typical client-side breach cannot affect assets stored on the server.
    e] True – JavaScript can relay keystrokes and e.g. send them to an iframe.

  • 10. To prevent cross-site request forgery attacks in AJAX requests, you can…

    • A. … deliberately add garbage (e.g. &&&NOTHING&&&) or unused JavaScript code that goes in an endless loop to your page.
    • B. … add the Access-Control-Allow-Origin header to only allow cross-origin requests from the site that is supposed to perform the AJAX requests.
    • C. … use POST XmlHttpRequests instead of GET.
    • D. … use referrer checks to only send responses to XmlHttpRequests to the site that is supposed to perform the AJAX requests.
    • E. … send your XmlHttpRequest data in JSON format instead of XML.

    Correct Answer(s)
    A. … deliberately add garbage (e.g. &&&NOTHING&&&) or unused JavaScript code that goes in an endless loop to your page.
    C. … use POST XmlHttpRequests instead of GET.
    D. … use referrer checks to only send responses to XmlHttpRequests to the site that is supposed to perform the AJAX requests.
    Explanation
    a] True – you could clear this garbage away when a “legitimate” AJAX request is made, and any injected JavaScript would hit the infinite loop or become inoperable when hitting the garbage part of the page.
    b] False – this header only enforces the same origin policy in HTML5 XmlHttpRequests.
    c] True – CSRF attacks can only be used in GET requests.
    d] True – this ensures that XmlHttpRequests only come from the site that is supposed to perform the AJAX requests. Referrer checks cannot be easily bypassed without JavaScript capability on the side of the attacker.
    e] False – changing the data format does not protect against CSRF.