Web Application Security Quiz (short Version)

5 Questions


Questions and Answers
  • 1. The most effective way of protecting against SQL injection is…
    • A. … blacklisting strings such as "1 OR 1=1" and "UNION" from input.
    • B. … using an intrusion detection system to detect attacks.
    • C. … whitelisting input (e.g. only allowing alphanumerical characters and spaces).
    • D. … use of prepared statements or parameterized queries.
    • E. … segmenting database accounts and minimizing their user rights.

  • 2. Which is NOT true with respect to cross-site scripting (XSS) vulnerabilities?
    • A. The attacker may be able to run arbitrary code on the user's machine.
    • B. The attacker can exploit an XSS vulnerability in order to impersonate a user.
    • C. Reflected XSS vulnerabilities can only be triggered if the user performs a certain action.
    • D. The user cannot do anything to protect himself against reflected XSS on a page that he normally trusts.
    • E. An XSS payload may use AJAX requests to persistently infect multiple pages on the host.

  • 3. If a web application includes a WYSIWYG editor, which of the approaches described below would NOT be appropriate for dealing with potential XSS in user input?
    • A. Looking for dangerous strings such as <script>, javascript: and eval(.*) in user-submitted data, and removing them.
    • B. Converting HTML control characters such as < to HTML entities such as &lt;.
    • C. Only allowing certain 'safe' tags for formatting, such as <b>, <i>, <p>, <br>.
    • D. Using special tags (such as [url=...]) and converting them to HTML.
    • E. Using an HTML filter library to remove potential XSS code from output.

  • 4. Which statement is true with respect to HTML5 security?
    • A. In HTML5, AJAX calls can read from other domains without restrictions.
    • B. Thanks to the new possibilities of HTML5, an attacker can steal data from an iframe through clickjacking.
    • C. Not using the new features introduced by HTML5 is a good way for a page to protect itself against the new security risks introduced by those features.
    • D. HTML5 makes it easier to protect against XSS.
    • E. Local Storage cannot be directly manipulated by XSS.

  • 5. If the attacker can run JavaScript on the user's machine, he can expect to…
    • A. … modify other currently running scripts.
    • B. … simulate user clicks in the browser.
    • C. … run arbitrary native code on the user's machine.
    • D. … modify user session data.
    • E. … act as a keylogger within the scope of the JavaScript's origin.