IASC Imperva Application Security Practice Exam, Exams of Technology

Evaluates knowledge of Imperva application security solutions. Includes web application firewall configuration, threat detection, attack mitigation, monitoring, and reporting. Ensures candidates can secure applications effectively.

Typology: Exams

2025/2026

Available from 12/05/2025

shilpi-jain-1

IASC Imperva Application Security Practice Exam
**Question 1.** Which OWASP Top 10 category includes vulnerabilities that allow attackers to bypass authentication and gain unauthorized access to resources?
A) Injection
B) Broken Access Control
C) Security Misconfiguration
D) Sensitive Data Exposure
Answer: B
Explanation: Broken Access Control covers flaws that let attackers act as privileged users or access data they should not.
**Question 2.** In a SQL Injection attack, which of the following payloads is most likely to retrieve the first user’s password from a table named users?
A) `'; DROP TABLE users;--`
B) `admin' OR '1'='1`
C) `'; SELECT password FROM users LIMIT 1;--`
D) `<script>alert(1)</script>`
Answer: C
Explanation: The payload terminates the original query and adds a SELECT statement to return the password.
**Question 3.** Which HTTP method is considered unsafe because it can change server state and should be protected against CSRF?


A) GET
B) HEAD
C) OPTIONS
D) POST
Answer: D
Explanation: POST can modify data, making it a target for CSRF attacks; GET should be idempotent.
**Question 4.** A web application uses a hidden field containing a CSRF token that is validated on each POST request. Which of the following best describes the mitigation technique?
A) SameSite cookie attribute
B) Double‑Submit Cookie
C) Synchronizer Token Pattern
D) Referrer Header Check
Answer: C
Explanation: The synchronizer token pattern stores a secret token on the server and validates it with each request.
**Question 5.** Which type of injection attack allows an attacker to execute arbitrary operating‑system commands on the server?
A) LDAP Injection


D) Strict‑Transport‑Security
Answer: B
Explanation: X‑Frame‑Options tells browsers whether a page can be displayed in an iframe.
**Question 8.** Which of the following is a characteristic of a “Broken Object Level Authorization” vulnerability in APIs?
A) Missing TLS encryption on the transport layer
B) Excessive data returned in a response
C) Lack of verification that the caller has permission to access a specific object ID
D) Use of weak hashing algorithms for passwords
Answer: C
Explanation: Object level authorization ensures that a user can only access objects they are authorized for.
**Question 9.** Which HTTP status code should a WAF return when it blocks a request due to a detected attack?
A) 200 OK
B) 301 Moved Permanently
C) 403 Forbidden
D) 500 Internal Server Error


Answer: C
Explanation: 403 indicates that the server understood the request but refuses to fulfill it.
**Question 10.** Which of the following best describes the purpose of a “Reverse Proxy” deployment mode for the Imperva WAF Gateway?
A) The WAF sits inline between the client and the web server, terminating TLS.
B) The WAF monitors traffic passively without affecting flow.
C) The WAF forwards traffic to a separate security appliance for inspection.
D) The WAF operates as a load balancer only.
Answer: A
Explanation: In reverse‑proxy mode the WAF terminates client connections, inspects, and forwards to the origin server.
**Question 11.** What is the primary advantage of deploying the Imperva WAF in “Sniffer (Out‑of‑Band)” mode?
A) Zero latency impact on traffic
B) Full request/response modification capabilities
C) Automatic SSL termination
D) Built‑in load balancing
Answer: A


**Question 14.** Which of the following is NOT a valid HTTP method that the Imperva WAF can explicitly block via a Protocol Policy?
A) TRACE
B) CONNECT
C) PATCH
D) BIND
Answer: D
Explanation: BIND is not an HTTP method; TRACE, CONNECT, and PATCH are valid methods.
**Question 15.** When configuring SSL/TLS on the Imperva Gateway, which file type typically contains the private key?
A) .crt
B) .pem
C) .der
D) .pfx
Answer: B
Explanation: PEM files can store the private key in base64‑encoded format.
**Question 16.** Which of the following best describes “Slow HTTP” attacks?


A) Flooding the server with large request bodies
B) Sending HTTP headers extremely slowly to tie up connections
C) Replaying captured HTTP traffic at high speed
D) Using malformed HTTP methods to crash the server
Answer: B
Explanation: Slow HTTP (e.g., Slowloris) sends headers byte‑by‑byte, exhausting connection slots.
**Question 17.** In the Imperva User Security Console (USC), which role typically has permission to create and edit policies but cannot delete gateways?
A) Administrator
B) Policy Manager
C) Auditor
D) Read‑Only User
Answer: B
Explanation: The Policy Manager role is scoped to policy configuration, not infrastructure changes.
**Question 18.** Which of the following is a primary difference between SAST and DAST?
A) SAST analyzes running applications; DAST analyzes source code.


C) Fixed Signature Count
D) Manual Threshold Override
Answer: A
Explanation: Adaptive Rate Limiting dynamically changes limits according to observed traffic.
**Question 21.** Which HTTP header can be used by a client to indicate that it only accepts encrypted connections, helping prevent downgrade attacks?
A) Upgrade-Insecure-Requests
B) Strict-Transport-Security
C) X-Forwarded-Proto
D) Content-Security-Policy
Answer: A
Explanation: Upgrade-Insecure-Requests tells the server the client wants HTTPS instead of HTTP.
**Question 22.** In a REST API, which HTTP status code indicates that the client is not authorized to access a protected resource?
A) 401 Unauthorized
B) 403 Forbidden
C) 404 Not Found


D) 429 Too Many Requests
Answer: A
Explanation: 401 signals that authentication is required or failed.
**Question 23.** Which of the following is a recommended practice when integrating external web scanner results into Imperva?
A) Directly import raw XML without review.
B) Map scanner findings to corresponding Signature Policies before enabling them.
C) Disable all existing policies and replace them with scanner rules.
D) Use the scanner to replace the WAF’s SSL certificates.
Answer: B
Explanation: Mapping findings to existing policies ensures proper context and avoids overblocking.
**Question 24.** Which of the following best describes a “Bridge” deployment mode for the Imperva WAF?
A) The WAF sits inline and terminates TLS.
B) The WAF sits between two network segments, forwarding traffic without modifying IP headers.
C) The WAF monitors traffic passively using a network tap.
D) The WAF acts as a CDN edge node.


Explanation: XSS injects scripts that run in the context of the victim’s browser.
**Question 27.** Which OWASP Top 10 category was renamed to “Cryptographic Failures” in the 2021 edition?
A) Sensitive Data Exposure
B) Security Misconfiguration
C) Broken Authentication
D) Insufficient Logging & Monitoring
Answer: A
Explanation: Sensitive Data Exposure was renamed to emphasize cryptographic issues.
**Question 28.** In Imperva, what does the “Action Set” define for a policy?
A) The list of IP addresses to block.
B) The specific actions (allow, block, log, rate‑limit) taken when a rule matches.
C) The SSL cipher suites to negotiate.
D) The DNS records to serve.
Answer: B
Explanation: The Action Set ties a rule to concrete actions applied to traffic.


**Question 29.** Which of the following best describes “Content Security Policy (CSP)” as a mitigation technique?
A) It encrypts all HTTP responses.
B) It instructs browsers which sources of content are allowed to load.
C) It forces all traffic through a VPN.
D) It disables cookies for the site.
Answer: B
Explanation: CSP is a response header that restricts loading of scripts, styles, etc., mitigating XSS.
**Question 30.** Which of the following is NOT a typical component of the Imperva SecureSphere architecture?
A) Management Server
B) Gateway
C) Database Encryption Module
D) Agent (optional)
Answer: C
Explanation: SecureSphere does not include a dedicated database encryption module.
**Question 31.** When configuring a “Custom Web Policy,” which of the following can be used to block a specific parameter value?


B) Using multiple, layered security controls at network, application, and data levels.
C) Encrypting traffic only during peak hours.
D) Disabling all user inputs.
Answer: B
Explanation: Defense‑in‑Depth employs overlapping controls to reduce risk.
**Question 34.** Which of the following Imperva logging features helps auditors trace the source of a blocked request?
A) Event ID only
B) Source IP, URL, and matched rule details
C) Only the timestamp
D) Encrypted payload without metadata
Answer: B
Explanation: Detailed logs include source IP, request URL, and the rule that triggered the block.
**Question 35.** Which of the following is a recommended practice for handling vulnerable third‑party components identified by a scanner?
A) Immediately block all traffic to the component.
B) Update or patch the component and verify remediation before disabling.


C) Ignore the finding if the component is not publicly exposed.
D) Replace the WAF with a network firewall.
Answer: B
Explanation: Patching removes the vulnerability; blocking may break functionality.
**Question 36.** Which of the following HTTP headers can be used to enforce HTTPS by instructing browsers to automatically upgrade insecure requests?
A) X‑Content‑Type‑Options
B) Upgrade-Insecure-Requests
C) X‑XSS‑Protection
D) Referrer-Policy
Answer: B
Explanation: Upgrade‑Insecure‑Requests tells browsers to convert HTTP URLs to HTTPS.
**Question 37.** In Imperva, what does “Locking a URL” accomplish?
A) Prevents any traffic to the URL.
B) Forces the URL to use HTTP instead of HTTPS.
C) Enforces the learned profile for that URL, rejecting unknown patterns.
D) Enables caching of the URL’s content.
Answer: C


**Question 40.** Which of the following is an example of a “Security Misconfiguration” vulnerability?
A) Using a default admin password on the WAF.
B) Storing passwords in plain text in the database.
C) Allowing cross‑origin resource sharing without restriction.
D) All of the above.
Answer: D
Explanation: All listed items are misconfigurations that weaken security.
**Question 41.** Which of the following is the most effective way to protect against “Local File Inclusion (LFI)” attacks?
A) Validate and whitelist allowed file paths on the server side.
B) Encode all user inputs in Base64.
C) Use HTTP GET instead of POST.
D) Disable SSL.
Answer: A
Explanation: Whitelisting ensures only intended files can be included.
**Question 42.** In Imperva, the “Simulation” mode of a policy is primarily used for which purpose?
A) Blocking traffic in production.


B) Testing rules without actually denying traffic, to assess false positives.
C) Encrypting all outbound traffic.
D) Disabling logging.
Answer: B
Explanation: Simulation logs matches but lets traffic pass, enabling safe tuning.
**Question 43.** Which of the following best describes “Cross‑Site Request Forgery (CSRF) token rotation”?
A) Changing the token value on every request to prevent reuse.
B) Using the same token for the entire session.
C) Storing the token in a cookie only.
D) Disabling tokens for GET requests.
Answer: A
Explanation: Rotating tokens per request mitigates replay attacks.
**Question 44.** Which of the following statements about “WebSocket” security is true?
A) WebSocket connections are automatically protected by the same origin policy.
B) WebSocket traffic can be inspected by a WAF only if the WAF supports the protocol.
C) WebSocket uses only UDP, making it immune to injection attacks.