Web Application Security Quiz

Encrypting data with SSL will not guarantee the safety of a website, because: a. This only protects data between the website and user, not the Web application itself. (A) b. This approach ignores the security of the software on the network or Web server. c. This only protects data transmitted through port 443. d. The encryption used by SSL is not strong.

What is another term for DAST? a. White box testing. b. Black box testing. (A) c. Glass box testing. d. Gray box testing.

What type of attack target a website’s method of validating the identity of a user? a. Authorization. b. Authentication. (A) c. Identity attack. d. Client-side attack.

Which HTTP method sends data to the server? a. GET b. POST (A) c. PUT d. SEND

A hacker enters the following script into the search box or an entry form: . The hacker then clicks the search button and a pop-up window appears stating It Worked. What you conclude from this? a. The site is susceptible to buffer overflow b. The site is susceptible to SQL injection c. The site is susceptible to parameter tampering d. The site is susceptible to XSS (A)

In electronic authentication, which of the following controls is effective against cross-site scripting (XSS) vulnerabilities? a. Sanitize inputs to make them non executable. (A) b. Insert random data into any linked uniform resource locator c. Insert random data into a hidden field d. Use a per-session shared secret

CSRF stands for a. Cross State Request Forgery b. Cross Site Reply Forgery c. Cross Site Request Forgery (A) d. Cross State Reply Forgery.

Select a correct answer on how to protest a website from becoming the victim of CSRF attack. a. Insert sequence tokens in to the forms and URLs used in transactions. b. Use only post method while sending sensitive data to web server (A) c. Don’t set up external verification mechanism. d. Restrict checking user authentication.

Which is not considered as a weak authentication? a. Allowing single words like names as password. b. Allowing multiple login attempt for invalid login. c. Keeping birthday as password. d. Not allowing users to use the previous password. (A)

What is session hijacking? a. It is an attackers steals a web session through session ID of victim (A) b. A well-managed session ID is called session hijacking. c. Storing the sensitive information in the cookies is called session hijacking. d. Displaying the session ID in the browser is called session hijacking.