Which of the following best describes a Cross-site Request Forgery (CSRF) attack?

An attack that exploits a user's trust in a website to execute unauthorized commands

An attack that injects malicious code into user input

An attack that steals data from the server by exploiting URL parameters

An attack that forces a server to visit malicious URLs

Which of the following would be the best defense against a session replay attack in web applications?

Secure cookies with the SECURE attribute

Encrypting database communications

What type of attack occurs when an attacker tricks an authenticated user into submitting a request they didn't intend?

Cross-Site Request Forgery (CSRF/XSRF)

Static Application Security Testing (SAST)

The process that describes the stages involved in developing software from design to deployment is known as:

Software Development Life Cycle (SDLC)

Which of the following refers to a security mechanism placed in front of web servers to monitor and filter traffic?

Static Application Security Testing (SAST)

Application Programming Interface (API)

Which of the following best describes an Application Programming Interface (API)?

A set of protocols for building and interacting with software applications

A security device used to detect web attacks

The specific system or product being assessed for security vulnerabilities is known as the:

Application Programming Interface (API)

Software Development Life Cycle (SDLC)

Secure Software Development Life Cycle (Secure SDLC) emphasizes integrating security into:

Every phase of software development

Only the Requirements gathering

Which of the following describes software assurance best practices?

Ensuring security from initial design through final disposal of software

Adding security controls only after deployment

Performing security tests exclusively during user acceptance testing

Using automated testing exclusively after coding

What is the primary benefit of selecting an appropriate SDLC model for a specific project?

It fits the specific workflow and project needs effectively

It guarantees zero vulnerabilities in the final product

It reduces the need for testing

It eliminates the need for ongoing maintenance

The process of systematically retiring software at the end of its useful life to ensure security and data protection is referred to as:

End of Life (EOL)/Decommissioning

Static Application Security Testing

Continuous integration (CI) within software assurance practices primarily ensures:

Code is regularly merged and tested automatically

Security checks are performed only after production

Development and operations teams remain separate

Manual testing replaces automated testing

A DevSecOps approach ensures:

Security responsibilities are shared throughout development and operations

Developers handle all security concerns independently

Security is treated as a separate team and added after deployment

Operations teams have exclusive control over security measures

SQL Injection attacks typically exploit weaknesses related to:

Unencrypted communication channels

Insufficient user authentication

Which type of injection attack involves tricking a web application into requesting malicious resources from internal services?

Server-side request forgery (SSRF)

Dynamic code analysis differs from static analysis in that dynamic analysis:

Requires code execution with various inputs

Reviews source code without execution

Analyzes code only after deployment

Detects logical errors by manual code review

Which secure coding practice reduces the risk of exposing sensitive application details during an error condition?

Generic error messaging and handling exceptions securely

Displaying error details in user interfaces

Using encryption during data transmission

An attack exploiting URLs containing parameters to gain unauthorized access to data is known as:

Insecure direct object references

Which of the following attacks tricks an authenticated user into executing unwanted commands against a web application they trust?

Cross-site request forgery (CSRF)

Server-side request forgery (SSRF)

Privilege escalation attacks are primarily designed to:

Increase the attacker’s permissions on the target system

Execute malicious scripts in a user's browser

Redirect legitimate web traffic to malicious sites

Cause denial of service in web servers

Stored (Persistent) XSS differs from Reflected XSS attacks because Stored XSS attacks:

Embed malicious code that remains on a server indefinitely

Inject scripts that execute immediately and do not persist

Depend on real-time user interaction to activate

Target server-side resources directly

An attacker observes network traffic, captures session tokens, and later uses them to gain unauthorized access. This describes a:

Cross-site request forgery (CSRF)

C6 - Application Security

Authored by Andrew Schmitz

Information Technology (IT)

9th - 12th Grade

AI Actions

Add similar questions

Adjust reading levels

Convert to real-world scenario

Translate activity

More...

Content View

Student View

80 questions

Show all answers

MULTIPLE CHOICE QUESTION

45 sec • 1 pt

Which of the following attacks is characterized by inserting malicious code into user inputs that are executed by a database?

Directory traversal

Cross-site scripting

SQL injection

Replay attack

Answer explanation

SQL injection is an attack where malicious code is inserted into user inputs, which are then executed by a database. This allows attackers to manipulate or access sensitive data, making it the correct choice.

MULTIPLE CHOICE QUESTION

45 sec • 1 pt

What is the main purpose of input validation in web applications?

Improve user interface speed

Prevent cross-site scripting and injection attacks

Speed up database queries

Optimize resource usage

Answer explanation

The main purpose of input validation is to prevent cross-site scripting and injection attacks by ensuring that user inputs are safe and conform to expected formats, thus protecting the application from malicious inputs.

MULTIPLE CHOICE QUESTION

45 sec • 1 pt

What security mechanism ensures that code has not been altered since it was published by the developer?

Code obfuscation

Code signing

Code commenting

Code reuse

Answer explanation

Code signing is a security mechanism that uses digital signatures to verify the authenticity and integrity of code, ensuring it has not been altered since its publication by the developer.

MULTIPLE CHOICE QUESTION

45 sec • 1 pt

Which type of vulnerability occurs when a web server allows attackers to access files outside the intended directory structure?

Command injection

Directory traversal

Buffer overflow

Blind SQL injection

Answer explanation

The correct answer is 'Directory traversal'. This vulnerability allows attackers to access files outside the intended directory by manipulating file paths, potentially exposing sensitive information on the server.

MULTIPLE CHOICE QUESTION

45 sec • 1 pt

What software development practice integrates security throughout the entire software lifecycle, including development and operations?

Static code analysis

Continuous deployment

DevSecOps

Waterfall development

Answer explanation

DevSecOps integrates security into every phase of the software lifecycle, ensuring that security practices are part of development and operations. This contrasts with other practices that may address security separately.

MULTIPLE CHOICE QUESTION

45 sec • 1 pt

Which type of cross-site scripting attack involves malicious scripts stored on a server and executed whenever a user views the affected page?

Reflected XSS

Persistent XSS

DOM-based XSS

Blind XSS

Answer explanation

Persistent XSS involves malicious scripts stored on a server, which are executed whenever a user views the affected page. This distinguishes it from reflected and DOM-based XSS, which do not involve stored scripts.

MULTIPLE CHOICE QUESTION

45 sec • 1 pt

What term refers to running applications in isolated environments to prevent interaction with critical system resources?

Containerization

Sandboxing

Virtualization

Encapsulation

Answer explanation

Sandboxing refers to running applications in isolated environments, preventing them from interacting with critical system resources. This ensures security and stability, making it the correct term for the question.

Access all questions and much more by creating a free account

Create resources

Host any resource

Get auto-graded reports

Continue with Google

Continue with Email

Continue with Classlink

Continue with Clever

or continue with

Microsoft

Apple

Others

Already have an account?

Similar Resources on Wayground

82 questions

Module 11 CSEC

Quiz

•

12th Grade

83 questions

Identity Resolution Quiz

Quiz

•

12th Grade

Popular Resources on Wayground

15 questions

Fractions on a Number Line

Quiz

•

3rd Grade

20 questions

Equivalent Fractions

Quiz

•

3rd Grade

25 questions

Multiplication Facts

Quiz

•

5th Grade

$fractions$

22 questions

fractions

Quiz

•

3rd Grade

20 questions

Main Idea and Details

Quiz

•

5th Grade

20 questions

Context Clues

Quiz

•

6th Grade

15 questions

Equivalent Fractions

Quiz

•

4th Grade

20 questions

Figurative Language Review

Quiz

•

6th Grade

Discover more resources for Information Technology (IT)

20 questions

El Verbo IR Practice

Quiz

•

9th Grade

20 questions

-AR -ER -IR present tense

Quiz

•

10th - 12th Grade

10 questions

Understanding Meiosis

Interactive video

•

6th - 10th Grade

20 questions

Graphing Inequalities on a Number Line

Quiz

•

6th - 9th Grade

15 questions

Main Idea and Supporting Details.

Quiz

•

4th - 11th Grade

10 questions

Theme

Quiz

•

9th Grade

20 questions

Cell Organelles

Quiz

•

10th Grade

12 questions

Exponential Growth and Decay

Quiz

•

9th Grade

C6 - Application Security

Which of the following attacks is characterized by inserting malicious code into user inputs that are executed by a database?

SQL injection is an attack where malicious code is inserted into user inputs, which are then executed by a database. This allows attackers to manipulate or access sensitive data, making it the correct choice.

What is the main purpose of input validation in web applications?

The main purpose of input validation is to prevent cross-site scripting and injection attacks by ensuring that user inputs are safe and conform to expected formats, thus protecting the application from malicious inputs.

What security mechanism ensures that code has not been altered since it was published by the developer?

Code signing is a security mechanism that uses digital signatures to verify the authenticity and integrity of code, ensuring it has not been altered since its publication by the developer.

Which type of vulnerability occurs when a web server allows attackers to access files outside the intended directory structure?

The correct answer is 'Directory traversal'. This vulnerability allows attackers to access files outside the intended directory by manipulating file paths, potentially exposing sensitive information on the server.

What software development practice integrates security throughout the entire software lifecycle, including development and operations?

DevSecOps integrates security into every phase of the software lifecycle, ensuring that security practices are part of development and operations. This contrasts with other practices that may address security separately.

Which type of cross-site scripting attack involves malicious scripts stored on a server and executed whenever a user views the affected page?

Persistent XSS involves malicious scripts stored on a server, which are executed whenever a user views the affected page. This distinguishes it from reflected and DOM-based XSS, which do not involve stored scripts.

What term refers to running applications in isolated environments to prevent interaction with critical system resources?

Sandboxing refers to running applications in isolated environments, preventing them from interacting with critical system resources. This ensures security and stability, making it the correct term for the question.

Which of the following best describes a Cross-site Request Forgery (CSRF) attack?

A Cross-site Request Forgery (CSRF) attack tricks a user into executing unwanted actions on a trusted site, leveraging the user's authenticated session to perform unauthorized commands.

What type of testing method involves executing code with invalid or random data to discover vulnerabilities such as crashes or leaks?

Fuzzing is a testing method that involves executing code with invalid or random data to identify vulnerabilities like crashes or memory leaks. It is specifically designed to uncover issues that may not be found through other testing methods.

Which of the following would be the best defense against a session replay attack in web applications?

Secure cookies with the SECURE attribute ensure that cookies are only sent over HTTPS, protecting them from being intercepted during a session replay attack. This is crucial for maintaining session integrity.

Access all questions and much more by creating a free account

Similar Resources on Wayground

Popular Resources on Wayground

Discover more resources for Information Technology (IT)