PreAssessment Flashcards
What is the primary defense against log injection attacks?
A. Sanitize outbound log messages
B. Do not use parameterized stored procedures in the database
C. Allow all users to write to these logs
D. Use API calls to log actions
A. Sanitize outbound log messages
An attacker exploits a cross-site scripting vulnerability. What is the attacker able to do?
A. Access the user’s data
B. Execute a shell command or script
C. Discover other users’ credentials
D. Gain access to sensitive files on the server
A. Access the user’s data
Which Python function is prone to a potential code injection attack?
A. eval()
B. type()
C. print()
D. append()
A. eval()
What are two common defensive coding techniques?
A. Check functional preconditions and postconditions
B. Encrypt passwords and email submissions
C. Adjust length and encoding of messages
D. Develop code with exceptions to find errors
A. Check functional preconditions and postconditions
Which package is meant for internal use by Python for regression testing?
A. test
B. regress test
C. doctest
D. assert
A. test
A security analyst is reviewing code for improper input validation.
Which type of input validation does this code show?
isValidNumber = False
while not isValidNumber:
    try:
        # int() raises ValueError if the input is not numeric
        pickedNumber = int(input('Pick a number from 1 to 10'))
        if pickedNumber >= 1 and pickedNumber <= 10:
            isValidNumber = True
    except ValueError:
        print('You must enter a valid number from 1 to 10')
print('You picked the number ' + str(pickedNumber))
A. Type and range check
B. Type and length check
C. Length and range check
D. Invalid number check
A. Type and range check
Consider the following penetration test:
import requests

urls = open("websites.txt", "r")
for url in urls:
    url = url.strip()
    req = requests.get(url)
    print(url, 'report')
    try:
        # KeyError is raised when the response carries no HSTS header
        transport_security = req.headers['Strict-Transport-Security']
    except KeyError:
        print('HSTS header not set properly')
Which security vulnerability is shown?
A. Man-in-the-middle
B. Cross-site scripting
C. Denial of service
D. Code injection
A. Man-in-the-middle
A security analyst has noticed a vulnerability in which an attacker took over multiple users’ accounts.
Which vulnerability did the security analyst encounter?
A. Broken access control
B. Broken function level authorization
C. API mass assignment
D. Privilege escalation
A. Broken access control
When creating a new user, an administrator must submit the following fields to an API endpoint:
Name
Email Address
Password
IsAdmin
What is the best way to ensure the API is protected against privilege escalation?
A. Implement resource and field-level access control
B. Ensure incoming requests are rate limited
C. Remove IsAdmin from the endpoint
D. Encrypt the incoming request
A. Implement resource and field-level access control
Which method is used for a SQL injection attack?
A. Exploiting query parameters
B. Passing safe query parameters
C. Using SQL composition
D. Utilizing literal parameters
A. Exploiting query parameters
Consider the following assertion statement:
def authorizeAdmin(usr):
    assert isinstance(usr, list) and usr != [], "No user found"
    assert 'admin' in usr, "No admin found."
    print("You are granted full access to the application.")

if __name__ == '__main__':
    authorizeAdmin(['user'])
What should be the response after running the code?
A. AssertionError: No admin found
B. AssertionError: No user found
C. Authorized User
D. You are granted full access to the application
A. AssertionError: No admin found
What does cross-origin resource sharing (CORS) allow users to do?
A. Override same starting policy for specific resources
B. Connect web security models
C. Prevent the passing of credentials
D. Protect the client header from exposure
A. Override same starting policy for specific resources
Which protocol caches a token after it has been acquired?
A. MSAL
B. Auth0
C. LDAP
D. ACL
A. MSAL (Microsoft Authentication Library)
Consider the following API code snippet:
import requests

url = 'https://website.com/'
# Get request
result = requests.get(url)
# Print request
print(result.content.decode())
Which status code will the server return?
A. 403
B. 200
C. 401
D. 400
A. 403
The user submits the following request to an API endpoint that requires a header:
import requests

url = 'https://api.github.com/invalid'
try:
    request_response = requests.get(url)
    # If the response was successful, no Exception will be raised
    request_response.raise_for_status()
except Exception as err:
    print(f'Other error occurred: {err}')
else:
    print('Success!')
Which response code will the user most likely be presented with?
A. 404—”Not found”
B. 200—”OK”
C. 400—”Bad request”
D. 401—”Unauthorized”
A. 404—”Not found”
Which response method, when sent a request, returns information about the server’s response and is delivered back to the console?
A. response.content
B. response.history
C. response.status_code
D. response.get
A. response.content