Web Security Quiz
Description: This quiz is about web security and contains questions related to Cross Site Scripting (XSS) and security best practices.
Number of Questions: 20
Created by: Aliensbrain Bot
Tags: security
A web server will log which part of a GET request?
- Hidden tags
- Query Strings
- Header
- Cookies
AI Explanation
To answer this question, we need to understand the components of a GET request.
A GET request is a type of HTTP request that is used to retrieve information from a server. It consists of several components, including the URL, headers, and query parameters.
The correct answer is B) Query Strings. Query strings are a part of the URL that follows a question mark (?) and contains key-value pairs. They are used to send additional information to the server, such as parameters or filters for the requested data.
Web servers typically log the query strings of a GET request in their access logs. This allows administrators to monitor and analyze the incoming requests and track the specific parameters and values used in each request.
Let's go through each option to understand why it is correct or incorrect:
A) Hidden tags - Hidden tags are not a part of a GET request. They are typically used in HTML forms to include additional data that is not visible to the user. Web servers do not log hidden tags.
B) Query Strings - This option is correct because query strings are a part of the URL and contain additional information sent to the server. Web servers typically log the query strings of a GET request.
C) Header - The headers of a GET request carry metadata about the request, such as the user agent, accepted content types, and cookies. Web servers may record some header values, but the headers are not the part of the request that access logs specifically capture.
D) Cookies - Cookies are sent in a separate header of a GET request and carry session information or user preferences. A web server may log the cookies sent with a request, but they are not the part of the GET request that is specifically logged.
Therefore, the correct answer is B) Query Strings, as web servers log the query strings of a GET request.
How can we prevent dictionary attacks on password hashes?
- Hashing the password twice
- Encrypting the password using the private key
- Use an encryption algorithm you wrote yourself so no one knows how it works
- Salting the hash
Implementing access control based on a hard-coded IP address
- Can be done as it is an internal IP
- Can be done for internet-facing servers as there are no chances of IP conflicts
- Is a good security practice
- Is a bad security practice
Temporary files
- Should be placed securely in a folder called “temp” in the web root
- Can be placed anywhere in the web root as long as there are no links to them
- Should be completely removed from the server
- Can be placed anywhere after changing the extension
What is the preferred medium for backing up log files?
- Print the logs to paper
- Create a copy of the data on your laptop/desktop
- Copy the files to CD-Rs
- None of the above
AI Explanation
To answer this question, let's go through each option to understand why it is correct or incorrect:
Option A) Print the logs to paper - This option is not the preferred medium for backing up log files. While printing logs to paper can provide a physical backup, it is not efficient or practical for large volumes of data. Additionally, paper backups can be easily lost, damaged, or destroyed.
Option B) Create a copy of data in your laptop/desktop - This option is also not the preferred medium for backing up log files. While creating a copy of the data on your laptop or desktop can provide a backup, it is not a reliable solution. If the laptop or desktop is damaged, lost, or stolen, the backup would also be lost.
Option C) Copy the files to CD-Rs - This option is the correct answer. Copying log files to CD-Rs is a common and preferred method for backing up log files. CD-Rs provide a reliable and portable storage medium, allowing you to easily store and transport log files. They are also relatively inexpensive and have a long shelf life.
Option D) None of the above - This option is incorrect. Option C, copying the files to CD-Rs, is the preferred medium for backing up log files.
Therefore, the correct answer is option C.
What is the common cause of buffer overflows, cross-site scripting, SQL injection and format string attacks?
- Unvalidated input
- Lack of authentication
- Improper error handling
- Insecure configuration management
Out of the following, which one can be considered a possible solution for an SQL injection vulnerability?
- Data Validation
- Secure Cookies
- Encryption
- Comprehensive exception handling
Which of the following is appropriate for customer emails regarding a limited time promotional offer?
- Request that the user authenticate him/herself by replying to the email with their account credentials.
- Personalized greeting line
- Providing easy access to the customer's account via a “Click Here” style link
- Sending the email from a domain set up specifically for the special offer
AI Explanation
To answer this question, let's go through each option to understand why it is correct or incorrect:
Option A) Request that the user authenticate him/herself by replying to the email with their account credentials - This option is incorrect. Asking customers to reply to an email with their account credentials is not a secure practice and could put their personal information at risk.
Option B) Personalized greeting line - This option is correct. When sending customer emails regarding a limited time promotional offer, it is important to use a personalized greeting line to make the email feel more personal and engaging for the customer.
Option C) Providing easy access to the customer's account via a “Click Here” style link - This option is incorrect. While it is important to provide easy access to the customer's account, including a "Click Here" style link in an email can be considered unsafe as it may lead to phishing attempts or malicious websites.
Option D) Sending the email from a domain set up specifically for the special offer - This option is incorrect. While using a domain specifically for the special offer might make the email appear more official, it is not a necessity for customer emails regarding a limited time promotional offer.
The correct answer is B) Personalized greeting line. This option is correct because it creates a more personalized and engaging experience for the customer.
Cross Site Scripting is an attack against
- Client (Browser)
- Database
- Web Application
- Web Server
AI Explanation
To answer this question, you need to understand Cross-Site Scripting (XSS) and the target of this attack.
Cross-Site Scripting (XSS) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. These scripts can be used to steal sensitive information, manipulate web content, or perform other malicious actions.
The correct answer is:
Option A) Client (Browser) - This option is correct. Cross-Site Scripting attacks target the client-side, specifically the web browser. The attacker injects malicious scripts into a web page that is then executed by the victim's browser. This can lead to the compromise of user data or the unauthorized manipulation of web content.
Option B) Database - This option is incorrect. Cross-Site Scripting attacks do not directly target databases. However, if the injected scripts are able to manipulate the web application's database queries, it could indirectly impact the database.
Option C) Web Application - This option is incorrect. Cross-Site Scripting attacks exploit vulnerabilities in web applications, but the actual attack is against the client-side browser.
Option D) Web Server - This option is incorrect. Cross-Site Scripting attacks do not directly target web servers. The attack occurs when the malicious scripts are executed by the victim's browser.
Therefore, the correct answer is Option A) Client (Browser) because Cross-Site Scripting attacks are against the client-side browser.
Which cookie flag, when set, prevents the cookie's transmission over a non-secure channel?
- Secure
- Domain
- Expires
- Static
The main risk to a web application in a cross-site scripting attack is …
- Compromise of users
- Loss of data integrity
- Destruction of data
- None of the above
Out of the following, which can be considered user input for which validation is not required?
- Host Header
- Cookie
- Referrer Header
- None of the above
Which languages are vulnerable to Cross Site Scripting attacks?
- Java
- ASP.Net
- Perl
- All of the above
What does “White List” data validation mean?
- Data is validated against a list of values that are known to be valid
- Data is validated against a list of values that are known to be invalid
- Both of the above
- None of the above
Failing to properly validate uploaded files could result in:
- Arbitrary code execution
- Inadequate caching headers
- Distributed Denial of Service Attack against clients
- None of the above
In which of the following exploits does an attacker insert malicious code into a link that appears to be from a trustworthy source?
- Cross-Site Scripting
- Buffer overflows
- Command injection
- Path traversal attack
Which of the following should be stored in the cookie?
- Session ID
- Account Privileges
- UserName
- Password
What should be considered the most while doing data classification?
- The type of users who would be accessing the data
- Availability, Integrity and Confidentiality
- The threat level the company faces
- Access controls protecting the data
AI Explanation
To answer this question, you need to understand the key factors to consider while doing data classification.
Option A) The type of users who would be accessing the data - This option is incorrect because although the type of users accessing the data is important, it is not the most crucial factor to consider in data classification.
Option B) Availability, Integrity, and Confidentiality - This option is correct because data classification should primarily focus on ensuring the availability, integrity, and confidentiality of the data. Availability refers to ensuring that the data is accessible when needed, integrity refers to maintaining the accuracy and consistency of the data, and confidentiality refers to protecting the data from unauthorized access.
Option C) The threat level the company faces - This option is incorrect because while the threat level is important in determining security measures, it is not directly related to data classification. Data classification focuses on categorizing data based on its sensitivity and determining appropriate security controls.
Option D) Access controls protecting the data - This option is incorrect because access controls are part of the security measures implemented to protect data. While access controls are important, they are not the only consideration in data classification.
The correct answer is B) Availability, Integrity, and Confidentiality. This option is correct because data classification should primarily focus on ensuring the availability, integrity, and confidentiality of the data.
What are the fundamental principles of Security?
- Availability, Integrity, Confidentiality
- Usability, Reliability, Accountability
- Quality, Accountability, Integrity
- None of the above
AI Explanation
To answer this question, you need to understand the fundamental principles of security.
Option A) Availability, Integrity, Confidentiality - This option is correct because it encompasses the three fundamental principles of security.
- Availability refers to the guarantee that information and resources are accessible to authorized users when needed.
- Integrity ensures that data is accurate, complete, and has not been altered or modified in an unauthorized manner.
- Confidentiality ensures that sensitive information is protected from unauthorized access or disclosure.
Option B) Usability, Reliability, Accountability - This option is incorrect because it does not cover all the fundamental principles of security. While usability and reliability are important aspects, accountability is not considered a fundamental principle of security.
Option C) Quality, Accountability, Integrity - This option is incorrect because it does not include the principle of confidentiality, which is one of the fundamental principles of security.
Option D) None of the above - This option is incorrect because option A, Availability, Integrity, Confidentiality, is indeed the correct answer.
The correct answer is A) Availability, Integrity, Confidentiality. This option is correct because it includes all three fundamental principles of security.