Chapter 18 Quiz: Web Application Security Fundamentals
Question 1
In the OWASP Top 10 (2021), which vulnerability category moved to the number one position?
A) Injection B) Broken Access Control C) Cross-Site Scripting D) Security Misconfiguration
Answer: B) Broken Access Control. Previously ranked #5, Broken Access Control moved to #1 in the 2021 edition, with 94% of applications tested showing some form of broken access control.
Question 2
Which HTTP response header prevents a browser from interpreting files as a different MIME type than what is specified?
A) Content-Security-Policy B) X-Frame-Options C) X-Content-Type-Options D) Strict-Transport-Security
Answer: C) X-Content-Type-Options with the value "nosniff" prevents MIME type sniffing, ensuring the browser respects the Content-Type header.
Question 3
A penetration tester discovers that requesting /api/v2/admin/users returns a 403 Forbidden status, while /api/v2/admin/nonexistent returns a 404 Not Found. What does this indicate?
A) The WAF is blocking the request B) The admin/users endpoint exists and is protected C) The application uses rate limiting D) The server is misconfigured
Answer: B) The different status codes confirm that the /admin/users endpoint exists (403 means the resource is present but access is forbidden, rather than not found), while the nonexistent path correctly returns 404. A secure application would return the same response for both to avoid information disclosure.
Question 4
Which cookie attribute prevents JavaScript from accessing the cookie via document.cookie?
A) Secure B) SameSite=Strict C) HttpOnly D) Path=/
Answer: C) HttpOnly. This flag tells the browser that the cookie should not be accessible via client-side JavaScript, which is the primary defense against cookie theft via XSS.
Question 5
Which Burp Suite component is used to manually modify and resend individual HTTP requests?
A) Intruder B) Scanner C) Repeater D) Sequencer
Answer: C) Repeater. It allows manual modification of requests and immediate resending, making it the primary tool for exploratory testing and payload refinement.
Question 6
What is the primary purpose of parameterized queries (prepared statements)?
A) To improve database query performance B) To separate SQL code structure from user-supplied data C) To encrypt data before storing it in the database D) To validate input length and type
Answer: B) Parameterized queries ensure that user-supplied data is always treated as data by the database engine, never as part of the SQL command structure, regardless of what the data contains. This is the definitive defense against SQL injection.
Question 7
In Burp Suite Intruder, which attack type uses a single payload list and inserts each payload into each position one at a time?
A) Battering Ram B) Pitchfork C) Cluster Bomb D) Sniper
Answer: D) Sniper. It tests one position at a time with each payload from the list. Battering Ram places the same payload in all positions simultaneously. Pitchfork uses parallel lists. Cluster Bomb tests all combinations.
Question 8
What is the significance of the SameSite=Strict cookie attribute?
A) The cookie is only sent over HTTPS B) The cookie is never sent on cross-origin requests C) The cookie can only be read by same-origin JavaScript D) The cookie expires when the browser is closed
Answer: B) SameSite=Strict ensures the cookie is never included in cross-origin requests, providing strong CSRF protection. The cookie is only sent when the request originates from the same site.
Question 9
Which of the following is a NEW category added to the OWASP Top 10 in the 2021 edition?
A) Broken Authentication B) Insecure Design C) XML External Entities D) Insufficient Logging
Answer: B) Insecure Design (A04:2021) was added as a new category to address vulnerabilities that exist because of fundamental design flaws, not implementation errors. It cannot be fixed with better code alone.
Question 10
A web application returns the Server: Apache/2.4.51 header. From a security perspective, what is the concern?
A) Apache is inherently insecure B) The exact version number reveals potential vulnerabilities C) The header indicates missing TLS D) Apache cannot handle modern web applications
Answer: B) Revealing the exact server version allows attackers to look up known vulnerabilities (CVEs) for that specific version. The Server header should either be removed or display a generic value.
Question 11
What does the CSP directive script-src 'self' 'nonce-abc123' mean?
A) Scripts are blocked from all sources B) Only scripts from the same origin or with the matching nonce attribute are allowed to execute C) All inline scripts are allowed D) Scripts are allowed from any HTTPS source
Answer: B) The 'self' keyword allows scripts from the same origin, and 'nonce-abc123' allows inline scripts that include the attribute nonce="abc123". All other scripts, including those injected by an attacker, will be blocked.
Question 12
During web application reconnaissance, a tester discovers /api/v1/ endpoints alongside /api/v2/ endpoints. Why is this significant?
A) Older API versions often have fewer security controls B) It indicates the application uses microservices C) It means the application is poorly maintained D) API versioning is a security vulnerability
Answer: A) Older API versions frequently lack security improvements added to newer versions, such as rate limiting, input validation, or access controls. They represent a priority testing target because developers may have forgotten to deprecate or restrict them.
Question 13
What is the purpose of Gobuster in web application testing?
A) Intercepting HTTP traffic B) Brute-forcing directories and files on a web server C) Scanning for SQL injection vulnerabilities D) Analyzing TLS certificates
Answer: B) Gobuster performs directory and file brute-forcing by sending requests for common paths from a wordlist, identifying resources that are not linked from the visible application.
Question 14
Which HTTP method reveals CORS configuration and supported methods?
A) HEAD B) GET C) OPTIONS D) TRACE
Answer: C) OPTIONS. A preflight OPTIONS request reveals the CORS policy (Access-Control-Allow-Origin, Access-Control-Allow-Methods) and which HTTP methods the server accepts via the Allow header.
Question 15
What is the difference between input validation and output encoding?
A) They are the same thing B) Input validation checks data format on entry; output encoding transforms data for safe rendering in a specific context C) Input validation happens on the client; output encoding happens on the server D) Input validation prevents CSRF; output encoding prevents SQL injection
Answer: B) Input validation verifies that incoming data conforms to expected formats (allowlisting). Output encoding transforms data so it is safely rendered in a specific context (HTML, JavaScript, URL) without being interpreted as code. Both are needed: validation on input, encoding on output.
Question 16
A ShopStack API endpoint returns JWT tokens for authentication. Which of the following is the most critical JWT security concern to test?
A) Whether the token is too long B) Whether the none algorithm is accepted for signature verification C) Whether the token uses base64 encoding D) Whether the token contains the username
Answer: B) If the server accepts the none algorithm, an attacker can forge tokens without any signature. This is a critical vulnerability that allows complete authentication bypass. The JWT "none" algorithm attack has been found in many real-world implementations.
Question 17
In a three-tier architecture, at which trust boundary should input validation primarily occur?
A) Only at the browser (client-side) B) Only at the database C) At every trust boundary (defense in depth) D) Only at the application server
Answer: C) Defense in depth requires validation at every trust boundary: client-side for user experience, server-side for security enforcement, and database-level for data integrity. No single layer is sufficient because any layer might be bypassed.