Web Application Vulnerabilities Bonus Content
30 questions on Web Application Vulnerabilities.
Question 1: What is the most effective primary defense against SQL Injection (SQLi) vulnerabilities?
- A. Using JavaScript to validate inputs on the client side.
- B. Replacing all SQL databases with NoSQL databases.
- C. Using parameterized queries / prepared statements to separate query structures from raw data variables. (correct answer)
- D. Filtering inputs using basic string replacement functions (e.g., str_replace).
Explanation: Parameterized queries ensure the database engine compiles the SQL query structure first, treating user input strictly as parameters (data), not executable code.
Question 2: What is the difference between Stored (Persistent) XSS and Reflected (Non-Persistent) XSS?
- A. Stored XSS runs on the server, while Reflected XSS runs on client machines.
- B. Stored XSS is saved in the target database and loaded into pages for all visitors, whereas Reflected XSS is parsed from parameters and returned on a single immediate response page. (correct answer)
- C. Reflected XSS can only target administrative users.
- D. Stored XSS does not use JavaScript payloads.
Explanation: Stored XSS is highly dangerous as it resides in databases (e.g. comments), affecting any user viewing that content. Reflected XSS targets users clicking a malicious link.
Question 3: How does a Cross-Origin Resource Sharing (CORS) policy protect web resources?
- A. It encrypts requests sent from mobile applications.
- B. It blocks malicious SQL queries coming from other domains.
- C. It instructs browsers to restrict client-side scripts from reading responses fetched from a different origin unless explicit access headers exist. (correct answer)
- D. It whitelists IP addresses for SSH access.
Explanation: CORS is a browser security mechanism that controls whether scripts on one domain can access resources fetched from another domain.
Question 4: What does the Secure flag on a cookie instruct the browser to do?
- A. Restrict client-side scripts (JavaScript) from accessing the cookie.
- B. Force the cookie to expire within 60 minutes.
- C. Send the cookie only over encrypted HTTPS connections, preventing interception on open networks. (correct answer)
- D. Store the cookie in encrypted local storage.
Explanation: The Secure flag blocks transmission of cookies over unencrypted HTTP requests, mitigating packet sniffing risks.
Question 5: What is the security risk of using an Outdated/Vulnerable Component in an application's dependencies?
- A. The application compile size will increase.
- B. It can open a direct attack vector (e.g., Remote Code Execution) if the component contains a known CVE that has been publicly documented. (correct answer)
- C. The search engine ranking (SEO) will decrease.
- D. Database indexes will fail to sync.
Explanation: Outdated packages often contain known, public vulnerabilities (CVEs) that attackers can scan for and exploit using automated tools.
Question 6: What does CSRF (Cross-Site Request Forgery) involve?
- A. Injecting SQL statements to drop databases.
- B. Forcing an authenticated user's browser to submit unauthorized requests to a target application where they are logged in. (correct answer)
- C. Stealing user passwords over open Wi-Fi.
- D. Modifying URL routing rules.
Explanation: CSRF exploits trust in browser sessions, mitigated using anti-CSRF token verification.
Question 7: How does the SameSite=Lax cookie attribute differ from SameSite=Strict?
- A. Lax blocks cookies on all cross-origin requests.
- B. Lax allows cookies to be sent on safe, top-level cross-site navigations (like clicking links), while Strict blocks cookies on all cross-site requests. (correct answer)
- C. Strict is deprecated.
- D. Lax works only on mobile browsers.
Explanation: Lax balances security and UX, sending cookies when users navigate to domains via links.
Question 8: What security flaw is exploited in an XML External Entity (XXE) attack?
- A. Parsing JSON payloads in API gateways.
- B. Weakly configured XML parsers that resolve external entity references, allowing attackers to read local files or trigger SSRF. (correct answer)
- C. Writing SQL code in URL strings.
- D. Overflowing memory buffers.
Explanation: Disabling external entity resolution (DTD) in XML parsers is the primary remediation for XXE.
Question 9: What does 'OWASP' publish to help developers identify common security risks?
- A. A list of hosting servers.
- B. The OWASP Top 10, a guide listing the most critical web application security vulnerabilities. (correct answer)
- C. A PHP compile engine.
- D. A network scanner tool.
Explanation: The OWASP Top 10 is standard for AppSec compliance and secure coding guidelines.
Question 10: What is Directory Traversal (Path Traversal)?
- A. Scanning ports on network routers.
- B. An attack that exploits unsanitized file path inputs to read arbitrary files (like /etc/passwd) outside the web root directory. (correct answer)
- C. Deleting index files.
- D. Routing requests.
Explanation: Insufficient file path validation allows '../' characters to traverse folder structures.
Question 11: What is Server-Side Request Forgery (SSRF)?
- A. Attackers forcing browsers to execute code.
- B. An exploit where attackers abuse server functionality to force the server to make unauthorized HTTP requests to internal or external systems. (correct answer)
- C. Modifying server settings files.
- D. Hacking local MySQL ports.
Explanation: SSRF allows attackers to target metadata endpoints or private LAN services behind firewalls.
Question 12: Which header attribute blocks JavaScript from accessing session cookies?
- A. Secure
- B. HttpOnly (correct answer)
- C. SameSite
- D. Cache-Control
Explanation: HttpOnly shields cookies from script queries (document.cookie), mitigating XSS theft risks.
Question 13: What does 'Broken Object Level Authorization' (BOLA) represent?
- A. A SQL query syntax failure.
- B. Accessing other users' resources by modifying key parameter values (e.g. /api/user/5 to /api/user/6) due to missing validation. (correct answer)
- C. Deleting system directories.
- D. Disabling firewall blocks.
Explanation: BOLA occurs if backends fetch records matching parameters without confirming ownership rights.
Question 14: How does Command Injection differ from SQL Injection?
- A. Command Injection targets database columns.
- B. Command Injection executes arbitrary shell commands on the host operating system, while SQLi targets database systems. (correct answer)
- C. Command Injection is only possible on Windows.
- D. There is no difference.
Explanation: Command injection occurs when unsanitized inputs are passed straight to system execution calls.
Question 15: What is 'Cross-Site Scripting' (XSS)?
- A. Running SQL scripts on remote databases.
- B. Injecting malicious JavaScript payloads into trusted web pages, which then execute in visitors' browsers. (correct answer)
- C. Sniffing packets on Wi-Fi routers.
- D. Overwriting server RAM blocks.
Explanation: XSS exploits browser trust, stealing cookies or redirecting users to malicious domains.
Question 16: What security header instructs browsers to strictly use HTTPS connections?
- A. Content-Security-Policy (CSP)
- B. HTTP Strict Transport Security (HSTS) (correct answer)
- C. X-Content-Type-Options
- D. Referrer-Policy
Explanation: HSTS prevents browsers from sending unencrypted requests, stopping protocol downgrade attacks.
Question 17: How does a Content Security Policy (CSP) protect against XSS?
- A. By encrypting cookie values.
- B. By restricting the origins from which scripts, styles, and other resources can be loaded and executed by the browser. (correct answer)
- C. By blocking database injections.
- D. By terminating inactive connections.
Explanation: A strict CSP blocks inline script execution and unauthorized external script sources.
Question 18: Which vulnerability is characterized by weak passwords, default credentials, or missing security headers?
- A. SQL Injection
- B. Security Misconfiguration (correct answer)
- C. SSRF
- D. Buffer Overflow
Explanation: Misconfigurations include default setups, exposed debug panels, or verbose error logs.
Question 19: What does 'Broken Function Level Authorization' (BFLA) mean?
- A. Code compiler crashes on functions.
- B. A security flaw where users can access restricted actions (e.g. administrative API routes) due to missing validation checks. (correct answer)
- C. Deleting template directories.
- D. Disabling SSL certifications.
Explanation: BFLA occurs if admin routes (/admin/delete) aren't gated, letting standard users run them.
Question 20: What is the risk of utilizing deserialization of untrusted payloads?
- A. The payload file size increases.
- B. It can lead to Remote Code Execution (RCE) if the serialized data object instantiates malicious classes during unpacking. (correct answer)
- C. The SQL database indexes drop.
- D. Browsers block page rendering.
Explanation: Unsafe deserialization runs code callbacks dynamically, creating a high-risk code execution path.
Question 21: What does HTML encoding do to input text?
- A. It compresses strings to base64.
- B. It converts characters like '<' to safe text entities like '&lt;', rendering them safely in browsers. (correct answer)
- C. It blocks SQL commands.
- D. It redirects requests.
Explanation: Encoding sanitizes data, ensuring browsers render code tags as text rather than executing them.
Question 22: What is standard Session Hijacking?
- A. A SQL injection drop.
- B. Stealing or intercepting a user's session identifier (session cookie) to gain unauthorized access to their account. (correct answer)
- C. Modifying configuration files.
- D. Deleting log records.
Explanation: Hijacking bypasses logins, accessing sessions using active tokens stolen from client systems.
Question 23: What is the security risk of verbose database error messages shown in production?
- A. It slows down page loading speeds.
- B. It leaks sensitive information (database tables, columns, query layouts), helping attackers design SQL exploits. (correct answer)
- C. It blocks CORS headers.
- D. It prevents SSL validation.
Explanation: Production logs should be private. Errors shown to users should be generic.
Question 24: What is a 'Brute Force' attack on login systems?
- A. An exploit of buffer memory spaces.
- B. Attempting to guess usernames and passwords systematically using automated lists. (correct answer)
- C. Sniffing router packets.
- D. Hacking system hardware directly.
Explanation: Brute-force attacks test combinations, mitigated using lockouts and rate limits.
Question 25: What does the SameSite=Strict cookie attribute define?
- A. Cookies are only sent over HTTPS.
- B. Cookies are completely blocked on all cross-origin requests, including standard link clicks. (correct answer)
- C. Cookies never expire.
- D. Cookies are encrypted using AES.
Explanation: Strict ensures cookies are only sent when the browser request originates from the target domain.
Question 26: How do you remediate an IDOR (Insecure Direct Object Reference) vulnerability?
- A. By obfuscating the database IDs using Base64.
- B. By implementing access control checks to verify that the logged-in user owns the requested resource ID before returning data. (correct answer)
- C. By changing database connection keys.
- D. By blocking all GET requests.
Explanation: IDOR fixes require authorization checks on every fetch, confirming owner relationships.
Question 27: What is the risk of using HTTP instead of HTTPS?
- A. HTML templates will fail to compile.
- B. Traffic is sent in plaintext, allowing network sniffers to capture passwords and sensitive payloads. (correct answer)
- C. Page layouts will align incorrectly.
- D. Database connections will crash.
Explanation: HTTPS encrypts traffic, preventing sniffing and Man-in-the-Middle alterations.
Question 28: What does the 'X-Frame-Options' header protect against?
- A. XSS script injections.
- B. Clickjacking attacks by preventing the website from being embedded inside frames or iframes on other domains. (correct answer)
- C. SQL command runs.
- D. Session leaks.
Explanation: X-Frame-Options blocks framing, stopping attackers from overlaying transparent click interfaces.
Question 29: What is a 'Server-Side Template Injection' (SSTI) attack?
- A. Injecting CSS styles into templates.
- B. Inputting malicious code that is compiled by the server-side template engine, leading to arbitrary code execution. (correct answer)
- C. Hacking database schemas.
- D. Modifying routing lists.
Explanation: SSTI occurs if template engines compile raw user input as template syntax, evaluating attacker-supplied expressions.
Question 30: What does 'Vulnerability Disclosure' mean?
- A. Publishing server access passwords.
- B. The practice of reporting security flaws to vendors or owners so they can patch them before public release. (correct answer)
- C. Deleting logs folders.
- D. Compiling model weights.
Explanation: Responsible disclosure helps secure web ecosystems, alerting teams to bugs privately.