
security Online Quiz - 21

Description: security Online Quiz - 21
Number of Questions: 20
Created by:
Tags: security
  1. During testing

  2. During development

  3. During design

  4. During all phases of application development


Correct Option: D

What is OWASP WebScarab?

  1. An insecure J2EE web application

  2. A framework for analyzing applications that communicate using the HTTP and HTTPS protocols; its most common usage is as an intercepting proxy

  3. Static Source Code Analyser

  4. Penetration Testing Tool


Correct Option: B

Which among the below is a browser-based HTTP tampering tool for the Firefox browser?

  1. LiveHTTPHeaders

  2. Sqlninja

  3. Bobcat

  4. WebGoat


Correct Option: A

AI Explanation

To answer this question, you need to understand the different tools available for tampering with HTTP requests in a browser.

Option A) LiveHTTPHeaders - This option is correct. LiveHTTPHeaders is a browser-based HTTP tampering tool for the Firefox browser. It allows users to view and manipulate HTTP headers and requests in real-time.

Option B) Sqlninja - This option is incorrect. Sqlninja is not a browser-based HTTP tampering tool. It is a tool used for exploiting SQL injection vulnerabilities.

Option C) Bobcat - This option is incorrect. Bobcat is not a browser-based HTTP tampering tool. It is a tool used for load testing and analyzing the performance of web applications.

Option D) WebGoat - This option is incorrect. WebGoat is not a browser-based HTTP tampering tool. It is a deliberately insecure web application designed to teach web application security lessons.

The correct answer is A) LiveHTTPHeaders. This option is correct because LiveHTTPHeaders is a browser-based HTTP tampering tool for the Firefox browser.

What product among the below can be used as a static code analyzer?

  1. Ounce

  2. WebInspect

  3. IBM RAD

  4. None of the above


Correct Option: A

Which product among the below can be used as a penetration testing tool?

  1. Ounce

  2. DevInspect

  3. AppScan

  4. FXCop


Correct Option: C

What is OWASP WebGoat?

  1. Web Proxy

  2. XSS Scanner

  3. An insecure J2EE web application

  4. None of the above


Correct Option: C

Which of the following best describes the difference between white-box testing and black-box testing?

  1. White-box testing is performed by an independent programmer team

  2. Black-box testing uses the bottom-up approach

  3. Black-box testing involves the business units

  4. White-box testing examines the program internal logical structures


Correct Option: D

Scanning underlying source code with a database of regular expressions to quickly identify suspicious code, application inputs, outputs, etc. primarily relates to ...

  1. Grey-box testing

  2. Black-box testing

  3. White-box testing

  4. None of these


Correct Option: C

What is the difference between network vulnerability assessment and a penetration test?

  1. A penetration test enumerates resources, and a vulnerability assessment enumerates vulnerabilities

  2. They are one and the same

  3. A penetration test identifies running services, and vulnerability assessments provide a more in-depth understanding of vulnerabilities

  4. A penetration test exploits vulnerabilities, and a vulnerability assessment finds vulnerabilities


Correct Option: D

The three steps to successful patch management are …

  1. Acquiring, Testing, Installing

  2. Testing, Remediation, Peer Review

  3. Determine needs, Acquire resources, Install the patch

  4. Both A & B


Correct Option: A

The correct way to disable autocomplete in the browser for certain forms is to ...

  1. Set autocomplete to “0”

  2. Set autocomplete to “Off”

  3. Set autocomplete to some other value

  4. Set autocomplete to “no-store”


Correct Option: B

AI Explanation

To answer this question, you need to understand how to disable autocomplete in a browser for certain forms. Let's go through each option to understand why it is correct or incorrect:

Option A) Set autocomplete to "0" - This option is incorrect because the correct attribute value to disable autocomplete is "off", not "0".

Option B) Set autocomplete to "Off" - This option is correct because setting the autocomplete attribute to "off" will disable autocomplete for the specific form.

Option C) Set autocomplete to some other value - This option is incorrect because the attribute value "off" is specifically used to disable autocomplete. Using any other value will not have the desired effect.

Option D) Set autocomplete to "no-store" - This option is incorrect because "no-store" is used to indicate that the browser should not store the form data in its cache, but it does not disable autocomplete.

The correct answer is B) Set autocomplete to "Off". This option is correct because setting the autocomplete attribute to "off" will effectively disable autocomplete for the specific form.

Credit card numbers should be logged in the log file during an exception

  1. No. Because it leads to insecure storage of private information of the customer

  2. Yes. Because it is a good logging practice to log all relevant information during an exception

  3. Yes. Because it will help in troubleshooting specific customer problems

  4. No. Because it's an additional overhead


Correct Option: A

Web Service interfaces are prone to which of the following standard web application attacks?

  1. SQL Injection

  2. Denial of Service

  3. XML Injection

  4. All of the above


Correct Option: D

AI Explanation

To answer this question, you need to understand the different types of standard web application attacks. Let's go through each option to understand which attacks are relevant to web service interfaces:

Option A) SQL Injection - SQL Injection is a type of attack where an attacker injects malicious SQL code into a database query, allowing them to manipulate the behavior of the database. While SQL Injection is commonly associated with web applications that interact with a database, it can also be a potential attack vector for web service interfaces that use SQL queries. Therefore, SQL Injection is a relevant attack for web service interfaces.

Option B) Denial of Service - Denial of Service (DoS) is a type of attack where an attacker overwhelms a system or network with excessive requests or traffic, causing it to become unavailable to legitimate users. DoS attacks can target web service interfaces, just like they can target web applications. By overwhelming the web service with requests, an attacker can disrupt its normal functioning and make it unavailable to users.

Option C) XML Injection - XML Injection is a type of attack where an attacker injects malicious XML code into an application that processes XML data. This attack is specifically relevant to web service interfaces that use XML as a data format. By injecting malicious XML code, an attacker can manipulate the behavior of the web service interface and potentially gain unauthorized access or perform unauthorized actions.

Option D) All of the above - This option is correct because all of the mentioned attacks (SQL Injection, Denial of Service, and XML Injection) are relevant and possible for web service interfaces. Web service interfaces can be vulnerable to these standard web application attacks, and it is important to implement proper security measures to mitigate these risks.

Therefore, the correct answer is D) All of the above.

  1. Resources to become unavailable to legitimate users

  2. Cross Site Tracing

  3. Server Instability

  4. Both A and B


Correct Option: C

It is a leading practice to suppress detailed errors in the following places:

  1. Web Server configuration files

  2. Application configuration files

  3. Application error handlers

  4. All of the above


Correct Option: D

Which of the following is true regarding reverse engineering of compiled Java code?

  1. Java sandbox environment provides protection against decompilation

  2. Java is compiled into ELF binaries and cannot be decompiled

  3. Java bytecode can always be decompiled; code obfuscators can make the reverse engineering process more time consuming but cannot prevent it

  4. Java is difficult to decompile because the Just-In-Time compiler automatically performs string encryption by default


Correct Option: C

AI Explanation

To answer this question, you need to understand the concept of reverse engineering in relation to compiled Java code. Let's go through each option to understand why it is correct or incorrect:

Option A) Java sandbox environment provides protection against decompilation - This option is incorrect because a Java sandbox environment provides protection against certain security risks, but it does not specifically protect against decompilation.

Option B) Java is compiled into ELF binaries and cannot be decompiled - This option is incorrect because Java is actually compiled into bytecode, not ELF binaries. Bytecode can be decompiled, although the process may vary in difficulty depending on certain factors.

Option C) Java bytecode can always be decompiled, code obfuscators can make the reverse engineering process more time consuming but cannot prevent it - This option is correct. Java bytecode can be decompiled, meaning that it is possible to recover source code close to the original from the compiled code. While code obfuscators can make the reverse engineering process more challenging and time-consuming, they cannot completely prevent it.

Option D) Java is difficult to decompile because the Just-In-Time compiler automatically performs string encryption by default - This option is incorrect because the Just-In-Time (JIT) compiler in Java does not automatically perform string encryption by default. The JIT compiler is responsible for optimizing the execution of Java bytecode, but it does not directly affect the decompilation process.

The correct answer is C) Java bytecode can always be decompiled, code obfuscators can make the reverse engineering process more time consuming but cannot prevent it. This option is correct because while it is possible to decompile Java bytecode, code obfuscators can make the process more difficult and time-consuming. However, they cannot completely prevent reverse engineering.

Requirements for administrator authentication should be

  1. Equivalent to normal users

  2. Less than those of normal users as all administrators are trustworthy

  3. No authentication is required for administrators

  4. Greater than those of normal users


Correct Option: D

AI Explanation

To answer this question, you need to understand the concept of administrator authentication.

Option A) Equivalent to normal users - This option is incorrect because administrators typically have higher privileges and access to sensitive information or system settings. Therefore, their authentication requirements should be greater than those of normal users.

Option B) Less than those of normal users as all administrators are trustworthy - This option is incorrect because even though administrators are trusted individuals, it is still important to have strong authentication measures in place to prevent unauthorized access or misuse of administrative privileges.

Option C) No authentication is required for administrators - This option is incorrect because administrators should still go through some form of authentication to ensure the security of the system and its resources.

Option D) Greater than those of normal users - This option is correct because administrators should have stronger authentication requirements compared to normal users. This can include additional factors such as multi-factor authentication, stricter password policies, or even biometric authentication to ensure the security and integrity of the system.

The correct answer is Option D. This option is correct because administrators typically require greater authentication measures to protect sensitive information and maintain the security of the system.

Account lockouts should

  1. Only be used on administrator accounts to ensure continuous access to users

  2. Only be used on user accounts to ensure that administrators are not locked out of the application

  3. Only be used when there is a secure process to unlock the account

  4. None of the above


Correct Option: C

AI Explanation

To answer this question, we need to understand the purpose and implications of account lockouts.

Option A) Only be used on administrator accounts to ensure continuous access to users - This option is incorrect because account lockouts should be applied to all accounts, not just administrator accounts. Account lockouts are a security measure that helps protect user accounts from unauthorized access attempts, regardless of the type of account.

Option B) Only be used on user accounts to ensure that administrators are not locked out of the application - This option is incorrect because account lockouts are not solely focused on preventing administrators from being locked out. Account lockouts are implemented to protect user accounts from brute-force attacks and unauthorized access attempts, regardless of the user's role.

Option C) Only be used when there is a secure process to unlock the account - This option is correct. Account lockouts should only be used when there is a secure process in place to unlock the account. This ensures that if an account is locked due to multiple failed login attempts, the account owner can safely regain access through a secure and authenticated process.

Option D) None of the above - This option is incorrect because option C is the correct answer. Account lockouts should only be used when there is a secure process to unlock the account.

Therefore, the correct answer is C) Only be used when there is a secure process to unlock the account. This option is correct because it emphasizes the importance of having a secure process in place to unlock an account that has been locked due to multiple failed login attempts.

  1. Cannot be treated as a secure practice

  2. Is a good way to hide passwords from hackers

  3. Is perfectly fine for internal applications

  4. Is perfectly fine for external user facing applications


Correct Option: A

  1. Commercial applications

  2. Custom built applications

  3. In house developed applications

  4. All of the above


Correct Option: D