This practice exam focuses on secure development principles for web applications. Topics include OWASP Top 10 vulnerabilities, secure coding techniques, secure architecture design, input validation, authentication models, session management, API security, database security, penetration testing fundamentals, and code review strategies. Scenario-based questions mirror real application security assessments, requiring candidates to identify weaknesses, design countermeasures, and implement secure development practices.
Question 1. Which security principle advocates placing defensive mechanisms at multiple layers of a web application architecture?
A) Least Privilege
B) Defense-in-Depth
C) Security by Obscurity
D) Fail-Safe Defaults
Answer: B
Explanation: Defense-in-Depth requires multiple, redundant controls across layers so that if one fails, others still protect the system.

Question 2. In the SDLC, the earliest phase where security should be introduced is:
A) Testing
B) Deployment
C) Planning
D) Maintenance
Answer: C
Explanation: Security by Design calls for integrating security requirements during planning, before any code is written.

Question 3. Which cryptographic algorithm is best suited for encrypting large volumes of data efficiently?
B) Diffie-Hellman
C) AES
D) ECC
Answer: C
Explanation: AES is a symmetric algorithm that provides fast encryption/decryption, ideal for bulk data.

Question 4. When storing passwords, which of the following is the most secure practice?
A) MD5 hash
B) SHA-1 hash with salt
C) Plain-text storage
D) Argon2 hashing with a unique salt per password
Answer: D
Explanation: Argon2 is a modern password-hashing algorithm designed to resist GPU attacks; using a unique salt prevents rainbow-table attacks.

Question 5. Which TLS protocol version should be disabled because it is considered insecure?
A) TLS 1.
B) TLS 1.

Answer: B
Explanation: NoSQL databases often accept JSON-style queries; attackers can inject malicious operators (e.g., $gt, $ne) to alter query behavior.

Question 8. A web page reflects user-supplied data without encoding and executes it in the browser. This is an example of:
A) Stored XSS
B) Reflected XSS
C) DOM-based XSS
D) CSRF
Answer: B
Explanation: Reflected XSS occurs when malicious input is immediately reflected in the response and executed by the victim’s browser.

Question 9. Which HTTP header helps mitigate reflected XSS by restricting the sources from which scripts can be loaded?
A) X-Content-Type-Options
B) X-Frame-Options
C) Content-Security-Policy
D) Strict-Transport-Security
Answer: C
Explanation: CSP allows a site to define approved script sources, preventing execution of injected scripts.

Question 10. To protect against CSRF, a server should require each state-changing request to contain:
A) A unique session identifier in the URL
B) A SameSite=Strict cookie
C) A synchronizer token (CSRF token)
D) HTTP Basic authentication header
Answer: C
Explanation: CSRF tokens are unpredictable values that the attacker cannot guess, ensuring the request originated from the legitimate site.

Question 11. Which SameSite cookie attribute value offers the strongest protection against CSRF while preserving most functionality?
A) None
B) Lax
C) Strict
D) Secure
Answer: C
Explanation: SameSite=Strict prevents the cookie from being sent on any cross-site request, effectively blocking CSRF attacks.
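Worked illustration of Questions 8, 9 and 30 together. This is an added example written for this page, not code from the exam; the page names, the sample search string and the helper functions are constructed for the demonstration. It shows the reflected-XSS pattern beside its fix (contextual output encoding) and builds a Content-Security-Policy that confines scripts to the same origin and, by omitting 'unsafe-inline', blocks inline scripts, with a small checker a reviewer can run over an existing policy string.

```python
import html
from typing import Dict, List

# Constructed sample input for the demonstration (not taken from any real request):
# a search term carrying HTML markup that must not reach the page as markup.
SAMPLE_QUERY = "<script>alert('reflected')</script>"


def render_results_unsafe(query: str) -> str:
    """The vulnerable pattern behind Question 8: the parameter is concatenated
    straight into the HTML response, so markup in it is rendered as markup."""
    return f"<h1>Results for {query}</h1>"


def render_results_safe(query: str) -> str:
    """The fix: contextual output encoding for an HTML text context.
    quote=True also encodes quotes, which matters when the same helper is
    reused inside an attribute value."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def csp_header() -> Dict[str, str]:
    """Response header that restricts script sources to the same origin
    (Question 9) and, because 'unsafe-inline' is absent, blocks inline
    scripts (Question 30). The extra directives are defensive defaults."""
    directives: List[str] = [
        "default-src 'self'",
        "script-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ]
    return {"Content-Security-Policy": "; ".join(directives)}


def policy_allows_inline_scripts(policy: str) -> bool:
    """Review check for an existing policy: does the effective script-src
    (script-src, or default-src as its fallback) permit inline scripts?"""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    effective = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in effective


if __name__ == "__main__":
    print(render_results_unsafe(SAMPLE_QUERY))
    print(render_results_safe(SAMPLE_QUERY))
    print(csp_header())
```

The escaping helper is the primary control: CSP is the second layer that limits damage when an encoding bug slips through, which is exactly the defense-in-depth idea of Question 1.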
Question 14. Which of the following is a common mitigation technique for Server-Side Request Forgery (SSRF)?
A) Disabling all outbound traffic from the web server
B) Validating and whitelisting URLs before making external requests
C) Using GET instead of POST for internal APIs
D) Enabling HTTP TRACE method
Answer: B
Explanation: Whitelisting allowed destinations ensures the server cannot be tricked into contacting arbitrary internal resources.

Question 15. An XML parser is configured to resolve external entities. Which vulnerability is most likely to be exploited?
A) Cross-Site Scripting
B) XML External Entity (XXE)
C) SQL Injection
D) Command Injection
Answer: B
Explanation: Allowing external entity resolution enables attackers to read arbitrary files or cause denial-of-service.

Question 16. Which of the following is an example of positive (whitelist) input validation?
A) Rejecting inputs that contain “

Answer: C
Explanation: Security gates automatically evaluate scan results and prevent promotion of vulnerable code.

Question 21. Which OAuth 2.0 grant type is most appropriate for a single-page application (SPA) that cannot securely store a client secret?
A) Authorization Code Grant with PKCE
B) Client Credentials Grant
C) Implicit Grant
D) Resource Owner Password Credentials Grant
Answer: A
Explanation: PKCE (Proof Key for Code Exchange) enhances the Authorization Code flow for public clients like SPAs, eliminating the need for a client secret.

Question 22. In OpenID Connect, the token that contains user identity claims and is signed by the issuer is called:
A) Access Token
B) Refresh Token
C) ID Token
D) Session Token
Answer: C
Explanation: The ID Token is a JWT that carries authentication information about the user.

Question 23. Which attribute-based access control (ABAC) condition would allow a user to edit a document only if the user’s department matches the document’s department attribute?
A) role = “editor”
B) user.department == document.department
C) user.id == document.ownerId
D) document.isPublic == true
Answer: B
Explanation: ABAC evaluates policies based on attributes; matching department attributes satisfies the condition.

Question 24. Which cookie flag prevents client-side scripts from accessing the cookie?
A) Secure
B) HttpOnly
C) SameSite
D) Path
Answer: B
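Worked illustration of Questions 10, 11 and 24 together: a synchronizer (CSRF) token bound to the session and checked on every state-changing request, plus a session cookie carrying the HttpOnly, Secure and SameSite=Strict attributes. This is an added example written for this page, not code from the exam; the in-memory session store, the cookie name and the helper functions are constructed for the demonstration.

```python
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical in-memory session store for the demonstration: session id -> data.
# A real deployment keeps this in a server-side session backend.
SESSIONS: Dict[str, Dict[str, str]] = {}


def create_session() -> str:
    """Start a session and bind a fresh, unpredictable synchronizer token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value for the session cookie.
    HttpOnly: not readable by client-side script (Question 24).
    Secure: only sent over TLS.
    SameSite=Strict: never attached to cross-site requests (Question 11)."""
    return f"sessionid={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def csrf_token_for(sid: str) -> str:
    """Token to embed in the HTML form as a hidden field (never in the URL)."""
    return SESSIONS[sid]["csrf_token"]


def state_change_allowed(sid: Optional[str], submitted_token: Optional[str]) -> bool:
    """Check run on every state-changing request (Question 10): the token sent
    with the request must match the one bound to the caller's session."""
    if not sid or sid not in SESSIONS or not submitted_token:
        return False
    expected = SESSIONS[sid]["csrf_token"]
    # Constant-time comparison so the check does not leak the token via timing.
    return hmac.compare_digest(expected, submitted_token)


def parse_set_cookie(value: str) -> Dict[str, str]:
    """Minimal Set-Cookie parser used to inspect attributes; bare flags map to ''."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs: Dict[str, str] = {"name": name, "value": val}
    for part in parts[1:]:
        key, _, attr_val = part.partition("=")
        attrs[key] = attr_val
    return attrs


if __name__ == "__main__":
    sid = create_session()
    token = csrf_token_for(sid)
    print(session_cookie_header(sid))
    print("same-site form carrying its token:", state_change_allowed(sid, token))
    print("cross-site request without the token:", state_change_allowed(sid, None))
```

The two controls are complementary: SameSite=Strict stops the browser from sending the session cookie on cross-site requests at all, while the token check catches requests that still arrive with a valid session but without proof they came from the application's own page.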
Question 27. In Docker container hardening, which action reduces the attack surface?
A) Running containers as root
B) Exposing all container ports to the host
C) Using a minimal base image and dropping unnecessary capabilities
D) Granting the container full access to the host’s /var/run/docker.sock
Answer: C
Explanation: Minimal images and reduced Linux capabilities follow the principle of least functionality.

Question 28. Which Kubernetes feature can be used to enforce that pods only communicate over encrypted channels?
A) PodSecurityPolicy
B) NetworkPolicy with TLS enforcement annotations
C) ServiceAccount
D) HorizontalPodAutoscaler
Answer: B
Explanation: NetworkPolicy can restrict traffic, and when combined with sidecar proxies or TLS-enforcing annotations, it ensures encrypted communication.

Question 29. When logging security events, which practice helps ensure log integrity?
A) Storing logs in plain text on the same server as the application
B) Rotating logs daily without backups
C) Forwarding logs to a centralized, write-once, tamper-evident system
D) Allowing any user to delete log files via a web UI
Answer: C
Explanation: Centralized, immutable logging prevents attackers from altering evidence.

Question 30. Which of the following is a recommended Content Security Policy (CSP) directive to block inline scripts?
A) script-src 'unsafe-inline'
B) script-src 'self'
C) default-src *
D) style-src 'unsafe-inline'
Answer: B
Explanation: script-src 'self' allows scripts only from the same origin and disallows inline scripts unless 'unsafe-inline' is added.

Question 31. Which of the following best describes a “trust boundary” in web application security?
A) Unit testing
B) Static code analysis
C) Fuzz testing (fuzzing)
D) Regression testing
Answer: C
Explanation: Fuzzing feeds random or crafted inputs to the live application to provoke crashes or unexpected behavior.

Question 34. In a penetration test, the term “pivoting” refers to:
A) Exploiting a client-side vulnerability to gain initial access
B) Using a compromised system as a launch point to attack other internal systems
C) Performing a denial-of-service attack against the web server
D) Scanning the network for open ports
Answer: B
Explanation: Pivoting leverages a foothold inside a network to move laterally to other targets.

Question 35. Which of the following is a secure way to store API keys used by a server-side application?
A) Hard-code them in source files committed to version control
B) Store them in environment variables or a secret manager and restrict access
C) Place them in a publicly accessible directory on the web server
D) Encode them with Base64 and embed in HTML
Answer: B
Explanation: Secrets should be kept out of source code and protected by secret management solutions or environment variables with proper permissions.

Question 36. A web application receives a request that includes the header X-Forwarded-Proto: https. Which security control should verify this header before trusting it?
A) Input validation layer
B) TLS termination at the load balancer
C) Application firewall that validates the header against the actual connection security
D) CSRF token generator
Answer: C
Explanation: Since headers can be spoofed, the application should only trust X-Forwarded-Proto after confirming the front-end (e.g., load balancer) set it over a secure TLS connection.

Question 37. Which OWASP Top 10 category addresses weaknesses where an attacker can bypass authentication or gain elevated privileges?
A) Injection
B) Broken Authentication
D) Use BASE64 encoding for all XML data
Answer: B
Explanation: Disabling external entity processing prevents the parser from fetching or expanding external entities.

Question 40. In a serverless function (e.g., AWS Lambda), the principle of least privilege is enforced by:
A) Granting the function full administrative IAM permissions
B) Assigning the function an IAM role that only permits required actions (e.g., read from a specific S3 bucket)
C) Allowing the function to assume any role at runtime
D) Disabling all network access for the function
Answer: B
Explanation: Providing the minimal IAM permissions needed reduces the impact of a compromised function.

Question 41. Which of the following best describes “defense-in-depth” for a web API?
A) Using a single firewall at the network edge
B) Implementing input validation, authentication, rate limiting, and output encoding at the API layer, plus network and host hardening
C) Relying solely on the database’s built-in security features
D) Disabling all HTTP methods except GET
Answer: B
Explanation: Defense-in-depth layers multiple controls (validation, auth, rate limiting, host hardening) to protect the API.

Question 42. A developer wants to ensure that a JSON Web Token (JWT) cannot be tampered with. Which algorithm should be used for signing?
A) HS256 (HMAC with SHA-256) with a strong secret key
B) None (no signature)
C) RS256 (RSA with SHA-256) with a private key and public verification key
D) Both A and C are acceptable if keys are managed securely
Answer: D
Explanation: Both HMAC and RSA signatures provide integrity; the choice depends on key management needs. Using a strong secret or proper key pair is essential.

Question 43. Which of the following is a primary advantage of using prepared statements over manual string concatenation for SQL queries?
A) Faster execution time
B) Automatic encryption of data at rest
C) Prevention of SQL injection by separating code from data
D) Ability to execute queries without a database connection
Answer: C
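Worked illustration of Question 43: the same lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite table. This is an added example written for this page, not code from the exam; the table, rows and sample inputs are constructed for the demonstration. It shows both halves of the answer: the concatenated query lets the classic tautology string return every row, and it also breaks on a perfectly legitimate value containing a quote, whereas the prepared statement handles both correctly because the value is never parsed as SQL.

```python
import sqlite3
from typing import List

# Constructed sample inputs for the demonstration.
LEGIT_NAME = "o'brien"           # a legitimate value that happens to contain a quote
INJECTED_INPUT = "x' OR '1'='1"  # the textbook tautology string used in every SQLi primer


def make_db() -> sqlite3.Connection:
    """In-memory table with a few constructed rows (inserted with placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO users (username) VALUES (?)",
        [("alice",), ("bob",), (LEGIT_NAME,)],
    )
    return conn


def find_user_concat(conn: sqlite3.Connection, username: str) -> List[str]:
    """The 'before' pattern: the value is spliced into the SQL text, so any
    quote in it changes the meaning of the statement."""
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_prepared(conn: sqlite3.Connection, username: str) -> List[str]:
    """The fix (Question 43, option C): the statement text is fixed and the value
    is bound to a placeholder, so the database never parses it as SQL."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


def concat_breaks_on_quote(conn: sqlite3.Connection, username: str) -> bool:
    """True if the concatenated form fails outright on the given value; used to
    show that concatenation is a correctness bug as well as a security bug."""
    try:
        find_user_concat(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(find_user_concat(db, INJECTED_INPUT))    # every row comes back
    print(find_user_prepared(db, INJECTED_INPUT))  # no such user: []
    print(find_user_prepared(db, LEGIT_NAME))      # ["o'brien"]
    print(concat_breaks_on_quote(db, LEGIT_NAME))  # True: the query is malformed
```

The placeholder syntax differs by driver (`?` for sqlite3, `%s` for psycopg, named `:name` parameters elsewhere), but the property is the same everywhere: the statement is compiled once with the structure fixed, and the bound values can only ever be data.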
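Worked illustration of Question 42: a minimal HS256 issuer and verifier built from the standard library, written as an added example for this page rather than taken from the exam or any JWT library. The demonstration key and claims are constructed. The point a practitioner wants to see is on the verifying side: the verifier pins the algorithm it expects instead of trusting the token's own header, which is what turns away the "None (no signature)" option B and algorithm-swap tokens, and it compares signatures in constant time.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed demonstration key; a real key is a random secret held in a secret manager.
DEMO_KEY = b"constructed-demo-key-not-for-production-use"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: Dict[str, Any], key: bytes) -> str:
    """Issue a compact JWT signed with HMAC-SHA256 (option A of Question 42)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, key: bytes, now: Optional[int] = None) -> Optional[Dict[str, Any]]:
    """Return the claims if the token is genuine and unexpired, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError:  # covers bad base64 and bad JSON
        return None
    # Pin the algorithm: the verifier decides, never the token header.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_b64url_decode(p))
    current = now if now is not None else int(time.time())
    if "exp" in claims and current >= int(claims["exp"]):
        return None
    return claims


def tampered_copy(token: str, new_claims: Dict[str, Any]) -> str:
    """Demonstration helper: same header and signature, different payload,
    i.e. what a modification made without the key looks like to the verifier."""
    h, _, s = token.split(".")
    return h + "." + _b64url(json.dumps(new_claims, separators=(",", ":")).encode("utf-8")) + "." + s


def rejects_unsigned_token(key: bytes) -> bool:
    """Self-check: a token declaring alg 'none' with an empty signature must fail."""
    unsigned = _b64url(b'{"alg":"none","typ":"JWT"}') + "." + _b64url(b'{"sub":"alice"}') + "."
    return verify_hs256(unsigned, key) is None


if __name__ == "__main__":
    token = sign_hs256({"sub": "alice", "exp": 2_000_000_000}, DEMO_KEY)
    print(token)
    print(verify_hs256(token, DEMO_KEY))
    print(verify_hs256(tampered_copy(token, {"sub": "admin"}), DEMO_KEY))  # None
    print(rejects_unsigned_token(DEMO_KEY))  # True
```

The same pinning rule applies when RS256 (option C) is used: the verifier is configured with the public key and the single algorithm it accepts, so a token cannot downgrade the check by announcing a different algorithm in its header.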