What Is OWASP?
OWASP is a nonprofit organization focused on software security. Its projects include a number of open-source software development programs and toolkits, local chapters and conferences, among other things. One of its projects is the maintenance of the OWASP Top 10, a list of the top 10 security risks faced by web applications.
Below are the OWASP Top 10 Vulnerabilities:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring

OWASP Top 10 Vulnerabilities Questions and Answers
Question:1 Which of the following actions should you take to verify the implementation of a web application?
a) Use policy mechanisms
b) Verify that each URL in your application is appropriately protected
c) Use a simple and positive model at every layer
Correct Answer :- Verify that each URL in your application is appropriately protected
Question:2 What attack can be prevented by links or forms that invoke state-changing functions with an unpredictable token for each user?
a) Cross Site Request Forgery
b) Cross Site Tracing
c) OS Commanding
d) Cross Site Scripting
Correct Answer :- OS Commanding
Question:3 What is the attack technique used to exploit websites by altering the backend database queries through inputting manipulated queries?
a) LDAP Injection
b) SQL Injection
c) OS Commanding
d) XML Injection
Correct Answer :- SQL Injection
Question:4 Which of the following depicts the typical impact of failure to restrict URL access?
a) Attackers impersonate any user on the system
b) Attackers access other users' accounts and data
c) Broken Authentication and Session Management
Correct Answer :- Attackers access other users' accounts and data
Question:5 What happens when an application takes user-inputted data and sends it to a web browser without proper validation and escaping?
a) Cross Site Scripting
b) Broken Authentication and Session Management
c) Insecure Direct Object References
d) Security Misconfiguration
Correct Answer :- Cross Site Scripting
Question:6 In which of the following scenarios should you use the escaping technique?
a) When you need to tell the interpreter that input is data and not code
b) When you need to validate any input as valid input
c) When you are trying to protect against regular expression injection
Correct Answer :- When you need to tell the interpreter that input is data and not code
Question:7 Which of the following are the best ways to implement transport layer protection?
a) Both IPSec & SSL Enable
b) Install IDS
c) Set the HttpOnly flag on session ID cookies
d) Enable IPSec
e) Enable SSL
Correct Answer :- Both IPSec & SSL Enable
Question:8 What is an attack that exploits the trust a site has in a user’s browser?
a) SQL Injection
b) Cross Site Scripting
c) Cross Site Request Forgery
d) Session Hijacking
Correct Answer :- Cross Site Request Forgery
Question:9 Which attack can execute scripts in the user’s browser and is capable of hijacking user sessions, defacing websites or redirecting the user to malicious sites?
a) Man in the middle attack
b) Malware Uploading
c) SQL Injection
d) Cross Site Scripting
Correct Answer :- Cross Site Scripting
Question:10 Client-side scripts can be allowed to execute in the browsers for needed operations.
a) True
b) False
Correct Answer :- False
Question:11 What threat arises from not flagging HTTP cookies with tokens as secure?
a) Session Hijacking
b) Access Control Violation
c) Insecure Cryptographic Storage
d) Session Replay
Correct Answer :- Access Control Violation
Question:12 For a connection that changes from HTTP to HTTPS, what flaw arises if you do not change the session identifier?
a) Cross Site Scripting
b) Session Hijacking
c) Security Misconfiguration
d) Session Replay
Correct Answer :- Session Replay
Question:13 What is an example of a session-related vulnerability?
a) Session Hijacking
b) Data Transfer Protocol
c) Security Tracing
d) Session Spoofing
Correct Answer :- Session Hijacking
Question:14 What type of flaw occurs when untrusted user-entered data is sent to the interpreter as part of a query or command?
a) Cross Site Request Forgery
b) Insecure Direct Object References
c) Injection
d) Insufficient Transport Layer Protection
e) Improper Authentication
Correct Answer :- Injection
Question:15 Which of the following are the best ways to protect against injection attacks?
a) Memory size checks
b) Escaping
c) Validate integer values before referencing arrays
Correct Answer :- Escaping
Question:16 Which of the following consequences are most likely to occur due to an injection attack?
a) Denial of service
b) Spoofing
c) Data loss
Correct Answer :- Denial of service
Question:17 What flaw arises from session tokens having poor randomness across a range of values?
a) Session Replay
b) Session Fixation
c) Insecure Direct Object References
d) Session Hijacking
Correct Answer :- Session Hijacking
Question:18 Which of the following languages are the primary targets of cross-site scripting?
a) SQL
b) JavaScript
c) XML Injection
d) XSLT
Correct Answer :- JavaScript
Question:19 What is an attack that forces a user’s session credential or session ID to an explicit value?
a) Brute Force Attack
b) Session Fixation
c) Session Hijacking
d) Dictionary Attack
Correct Answer :- Session Fixation
Question:20 What happens when an application takes user-inputted data and sends it to a web browser without proper validation?
a) Security Misconfiguration
b) Cross Site Scripting
c) Insecure Direct Object References
d) Broken Authentication and Session Management
Correct Answer :- Cross Site Scripting
Question:21 Role-based access control helps prevent which OWASP Top 10 vulnerability?
a) Security Misconfiguration
b) Unvalidated Redirect or Forward
c) Failure to restrict URL Access
d) Failure to restrict URL Access
Correct Answer :- Failure to restrict URL Access
Question:22 Which of the following are most likely to result in insecure cryptography?
a) Unsalted hash
b) Missing patches
c) New products
Correct Answer :- Unsalted hash
Question:23 Which threat can be prevented by having unique usernames generated with a high degree of entropy?
a) Spamming
b) Authorization Bypass
c) Cryptanalysis of hash values
d) Authentication Bypass
Correct Answer :- Authentication Bypass