C SWAE Certified Secure Web Application Engineer Practice Exam, Exams of Technology

This practice exam focuses on secure development principles for web applications. Topics include OWASP Top 10 vulnerabilities, secure coding techniques, secure architecture design, input validation, authentication models, session management, API security, database security, penetration testing fundamentals, and code review strategies. Scenario-based questions mirror real application security assessments, requiring candidates to identify weaknesses, design countermeasures, and implement secure development practices.

Typology: Exams

2025/2026

Available from 12/11/2025

shilpi-jain-1
C SWAE Certified Secure Web Application Engineer Practice Exam
**Question 1.** Which security principle advocates placing defensive mechanisms at multiple layers of a web application architecture?
A) Least Privilege
B) Defense-in-Depth
C) Security by Obscurity
D) Fail-Safe Defaults
Answer: B
Explanation: Defense-in-Depth requires multiple, redundant controls across layers so that if one fails, others still protect the system.
**Question 2.** In the SDLC, the earliest phase where security should be introduced is:
A) Testing
B) Deployment
C) Planning
D) Maintenance
Answer: C
Explanation: Security by Design calls for integrating security requirements during planning, before any code is written.
**Question 3.** Which cryptographic algorithm is best suited for encrypting large volumes of data efficiently?
A) RSA
B) Diffie-Hellman
C) AES
D) ECC
Answer: C
Explanation: AES is a symmetric algorithm that provides fast encryption/decryption, ideal for bulk data.
**Question 4.** When storing passwords, which of the following is the most secure practice?
A) MD5 hash
B) SHA-1 hash with salt
C) Plain-text storage
D) Argon2 hashing with a unique salt per password
Answer: D
Explanation: Argon2 is a modern password-hashing algorithm designed to resist GPU attacks; using a unique salt prevents rainbow-table attacks.
**Question 5.** Which TLS protocol version should be disabled because it is considered insecure?
A) TLS 1.
B) TLS 1.

Answer: B
Explanation: NoSQL databases often accept JSON-style queries; attackers can inject malicious operators (e.g., $gt, $ne) to alter query behavior.
**Question 8.** A web page reflects user-supplied data without encoding and executes it in the browser. This is an example of:
A) Stored XSS
B) Reflected XSS
C) DOM-based XSS
D) CSRF
Answer: B
Explanation: Reflected XSS occurs when malicious input is immediately reflected in the response and executed by the victim's browser.
**Question 9.** Which HTTP header helps mitigate reflected XSS by restricting the sources from which scripts can be loaded?
A) X-Content-Type-Options
B) X-Frame-Options
C) Content-Security-Policy
D) Strict-Transport-Security
Answer: C

Explanation: CSP allows a site to define approved script sources, preventing execution of injected scripts.
**Question 10.** To protect against CSRF, a server should require each state-changing request to contain:
A) A unique session identifier in the URL
B) A SameSite=Strict cookie
C) A synchronizer token (CSRF token)
D) HTTP Basic authentication header
Answer: C
Explanation: CSRF tokens are unpredictable values that the attacker cannot guess, ensuring the request originated from the legitimate site.
**Question 11.** Which SameSite cookie attribute value offers the strongest protection against CSRF while preserving most functionality?
A) None
B) Lax
C) Strict
D) Secure
Answer: C
Explanation: SameSite=Strict prevents the cookie from being sent on any cross-site request, effectively blocking CSRF attacks.

**Question 14.** Which of the following is a common mitigation technique for Server-Side Request Forgery (SSRF)?
A) Disabling all outbound traffic from the web server
B) Validating and whitelisting URLs before making external requests
C) Using GET instead of POST for internal APIs
D) Enabling HTTP TRACE method
Answer: B
Explanation: Whitelisting allowed destinations ensures the server cannot be tricked into contacting arbitrary internal resources.
**Question 15.** An XML parser is configured to resolve external entities. Which vulnerability is most likely to be exploited?
A) Cross-Site Scripting
B) XML External Entity (XXE)
C) SQL Injection
D) Command Injection
Answer: B
Explanation: Allowing external entity resolution enables attackers to read arbitrary files or cause denial-of-service.
**Question 16.** Which of the following is an example of positive (whitelist) input validation?

A) Rejecting inputs that contain “

Answer: C
Explanation: Security gates automatically evaluate scan results and prevent promotion of vulnerable code.
**Question 21.** Which OAuth 2.0 grant type is most appropriate for a single-page application (SPA) that cannot securely store a client secret?
A) Authorization Code Grant with PKCE
B) Client Credentials Grant
C) Implicit Grant
D) Resource Owner Password Credentials Grant
Answer: A
Explanation: PKCE (Proof Key for Code Exchange) enhances the Authorization Code flow for public clients like SPAs, eliminating the need for a client secret.
**Question 22.** In OpenID Connect, the token that contains user identity claims and is signed by the issuer is called:
A) Access Token
B) Refresh Token
C) ID Token
D) Session Token
Answer: C

Explanation: The ID Token is a JWT that carries authentication information about the user.
**Question 23.** Which attribute-based access control (ABAC) condition would allow a user to edit a document only if the user's department matches the document's department attribute?
A) role = "editor"
B) user.department == document.department
C) user.id == document.ownerId
D) document.isPublic == true
Answer: B
Explanation: ABAC evaluates policies based on attributes; matching department attributes satisfies the condition.
**Question 24.** Which cookie flag prevents client-side scripts from accessing the cookie?
A) Secure
B) HttpOnly
C) SameSite
D) Path
Answer: B

**Question 27.** In Docker container hardening, which action reduces the attack surface?
A) Running containers as root
B) Exposing all container ports to the host
C) Using a minimal base image and dropping unnecessary capabilities
D) Granting the container full access to the host's /var/run/docker.sock
Answer: C
Explanation: Minimal images and reduced Linux capabilities follow the principle of least functionality.
**Question 28.** Which Kubernetes feature can be used to enforce that pods only communicate over encrypted channels?
A) PodSecurityPolicy
B) NetworkPolicy with TLS enforcement annotations
C) ServiceAccount
D) HorizontalPodAutoscaler
Answer: B
Explanation: NetworkPolicy can restrict traffic, and when combined with sidecar proxies or TLS-enforcing annotations, it ensures encrypted communication.

**Question 29.** When logging security events, which practice helps ensure log integrity?
A) Storing logs in plain text on the same server as the application
B) Rotating logs daily without backups
C) Forwarding logs to a centralized, write-once, tamper-evident system
D) Allowing any user to delete log files via a web UI
Answer: C
Explanation: Centralized, immutable logging prevents attackers from altering evidence.
**Question 30.** Which of the following is a recommended Content Security Policy (CSP) directive to block inline scripts?
A) script-src 'unsafe-inline'
B) script-src 'self'
C) default-src *
D) style-src 'unsafe-inline'
Answer: B
Explanation: script-src 'self' allows scripts only from the same origin and disallows inline scripts unless 'unsafe-inline' is added.
**Question 31.** Which of the following best describes a "trust boundary" in web application security?

A) Unit testing
B) Static code analysis
C) Fuzz testing (fuzzing)
D) Regression testing
Answer: C
Explanation: Fuzzing feeds random or crafted inputs to the live application to provoke crashes or unexpected behavior.
**Question 34.** In a penetration test, the term "pivoting" refers to:
A) Exploiting a client-side vulnerability to gain initial access
B) Using a compromised system as a launch point to attack other internal systems
C) Performing a denial-of-service attack against the web server
D) Scanning the network for open ports
Answer: B
Explanation: Pivoting leverages a foothold inside a network to move laterally to other targets.
**Question 35.** Which of the following is a secure way to store API keys used by a server-side application?
A) Hard-code them in source files committed to version control
B) Store them in environment variables or a secret manager and restrict access

C) Place them in a publicly accessible directory on the web server
D) Encode them with Base64 and embed in HTML
Answer: B
Explanation: Secrets should be kept out of source code and protected by secret management solutions or environment variables with proper permissions.
**Question 36.** A web application receives a request that includes the header X-Forwarded-Proto: https. Which security control should verify this header before trusting it?
A) Input validation layer
B) TLS termination at the load balancer
C) Application firewall that validates the header against the actual connection security
D) CSRF token generator
Answer: C
Explanation: Since headers can be spoofed, the application should only trust X-Forwarded-Proto after confirming the front-end (e.g., load balancer) set it over a secure TLS connection.
**Question 37.** Which OWASP Top 10 category addresses weaknesses where an attacker can bypass authentication or gain elevated privileges?
A) Injection
B) Broken Authentication

D) Use BASE64 encoding for all XML data
Answer: B
Explanation: Disabling external entity processing prevents the parser from fetching or expanding external entities.
**Question 40.** In a serverless function (e.g., AWS Lambda), the principle of least privilege is enforced by:
A) Granting the function full administrative IAM permissions
B) Assigning the function an IAM role that only permits required actions (e.g., read from a specific S3 bucket)
C) Allowing the function to assume any role at runtime
D) Disabling all network access for the function
Answer: B
Explanation: Providing the minimal IAM permissions needed reduces the impact of a compromised function.
**Question 41.** Which of the following best describes "defense-in-depth" for a web API?
A) Using a single firewall at the network edge
B) Implementing input validation, authentication, rate limiting, and output encoding at the API layer, plus network and host hardening
C) Relying solely on the database's built-in security features

D) Disabling all HTTP methods except GET
Answer: B
Explanation: Defense-in-depth layers multiple controls (validation, auth, rate limiting, host hardening) to protect the API.
**Question 42.** A developer wants to ensure that a JSON Web Token (JWT) cannot be tampered with. Which algorithm should be used for signing?
A) HS256 (HMAC with SHA-256) with a strong secret key
B) None (no signature)
C) RS256 (RSA with SHA-256) with a private key and public verification key
D) Both A and C are acceptable if keys are managed securely
Answer: D
Explanation: Both HMAC and RSA signatures provide integrity; the choice depends on key management needs. Using a strong secret or proper key pair is essential.
**Question 43.** Which of the following is a primary advantage of using prepared statements over manual string concatenation for SQL queries?
A) Faster execution time
B) Automatic encryption of data at rest
C) Prevention of SQL injection by separating code from data
D) Ability to execute queries without a database connection
Answer: C