OWASP Top 10 Trivia
1.
What attack technique is used to exploit websites by altering backend database queries through manipulated input?
Answer:
SQL Injection
Explanation:
SQL Injection is the correct answer because it is a technique used to exploit web sites by altering backend database queries through inputting manipulated queries. In SQL Injection, an attacker inserts malicious SQL code into input fields, which is then executed by the application's database. This allows the attacker to manipulate the database and potentially gain unauthorized access to sensitive information or perform unauthorized actions on the website.
2.
What occurs when an application sends user-inputted data to a web browser without proper validation and escaping?
Answer:
Cross Site Scripting
Explanation:
Cross Site Scripting, also known as XSS, happens when an application sends data to a web browser without checking or changing it to make it safe. This can allow harmful scripts to run in someone else’s browser. It's like handing someone a letter to deliver without checking if it contains something dangerous. By not cleaning the data, the application can accidentally help spread harmful code.
3.
What flaw arises when session tokens do not have good randomness across a range of values?
Answer:
Session Hijacking
Explanation:
Session Hijacking is a security problem that happens when session tokens, which are supposed to be random and unique, are predictable or not random enough. This allows attackers to guess or find these tokens more easily, and use them to take over someone else’s session. It's like having a simple and common password for a lock that many people know; it makes it easier for someone unwanted to open the lock and access your space.
4.
What attack technique forces a user’s session credential or session ID to an explicit value?
Answer:
Session Fixation
Explanation:
Session Fixation is an attack where the attacker tricks a user into using a specific session ID that they already know. This way, once the user logs in, the attacker can use this session ID to access the user's account as if they were the user. It's like someone secretly assigning you a locker they already have a key to; once you put your stuff inside and lock it, they can open it and access everything inside.
5.
What flaw can lead to the exposure of resources or functionality to unintended actors?
Answer:
Improper Authentication
Explanation:
Improper authentication is a flaw that can lead to the exposure of resources or functionality to unintended actors. This means that the system does not properly verify the identity of users before granting them access to certain resources or functionalities. As a result, unauthorized individuals may be able to gain access to sensitive information or perform actions that they should not have the privilege to do. This flaw can be exploited by attackers to compromise the security of the system and potentially cause harm or damage.
6.
Which threat can be prevented by generating usernames with a high degree of entropy?
Answer:
Authentication bypass
Explanation:
Authentication Bypass is a threat where someone gains access to a system without going through the proper security checks. By using unique usernames that are complex and generated with high entropy, it becomes much harder for attackers to guess or predict these usernames, thereby preventing unauthorized access. It’s like having a very unusual and complicated key for a lock, making it much harder for someone to make a copy or pick the lock.
7.
What type of flaw occurs when untrusted user-entered data is sent to the interpreter as part of a command or query?
Answer:
Injection
Explanation:
Injection flaws happen when an application sends untrusted data, like user inputs, to an interpreter without proper validation or sanitization. This allows attackers to inject malicious commands or queries, potentially gaining unauthorized access or causing harm to the system. It's like letting someone whisper instructions to your assistant without checking if they're safe or not; they could trick the assistant into doing something harmful.
8.
What attack can be prevented by using an unpredictable token for each user in links or forms that invoke state-changing functions?
Answer:
Cross Site Request Forgery
Explanation:
Cross Site Request Forgery (CSRF) is a type of attack that tricks a user into executing unwanted actions on a web application in which they are currently authenticated. By using unpredictable tokens in each user's link or form, the application ensures that the requests are genuinely initiated by the user and not by an attacker. It's like making sure that every command given is actually coming from the rightful owner and not an impersonator.
9.
What is phishing?
Answer:
Email Scam
Explanation:
Phishing refers to a type of online scam where individuals are tricked into providing sensitive information, such as passwords or credit card details, by posing as a trustworthy entity through fraudulent emails or websites. This fraudulent activity aims to deceive users into believing they are interacting with a legitimate organization, ultimately leading to financial loss or identity theft.
10.
What is the Internet equivalent of an IP address?
Answer:
Mailing Address
Explanation:
An IP address is similar to a mailing address because it identifies the location of a device connected to the internet. Just as a mailing address is used to send and receive physical mail, an IP address is used to send and receive data packets over the internet. It allows devices to communicate with each other and ensures that data is delivered to the correct destination.
Back to top