Unit 4 - Practice Quiz

INT245 50 Questions
0 Correct 0 Wrong 50 Left
0/50

1 Which organization manages the standard awareness document for developers and web application security known as the 'Top 10'?

A. OWASP
B. ISO
C. IEEE
D. NIST

2 In the context of OWASP Top 10, which vulnerability allows an attacker to access unauthorized functionality or data, such as viewing another user's account details by simply changing a URL parameter?

A. Broken Access Control
B. Security Misconfiguration
C. Injection
D. Cryptographic Failures

3 Which attack involves an attacker stealing a valid session ID to gain unauthorized access to a web server?

A. Directory Traversal
B. Buffer Overflow
C. Session Hijacking
D. SQL Injection

4 What is the primary mechanism of a Cross-Site Request Forgery (CSRF) attack?

A. Tricking a user's browser into sending an unwanted request to a trusted site where the user is authenticated
B. Injecting malicious SQL scripts into a database
C. Brute-forcing the admin password
D. Executing scripts in the victim's browser via a reflected input

5 Which input would most likely be used to test for a basic SQL Injection vulnerability?

A. ../../etc/passwd
B. ' OR '1'='1
C. ping 127.0.0.1
D. <script>alert(1)</script>

6 What is the primary defense mechanism against SQL Injection attacks?

A. Using Parameterized Queries (Prepared Statements)
B. Using Hashing algorithms
C. Disabling JavaScript
D. Using SSL/TLS

7 Which type of XSS attack occurs when the malicious script is permanently stored on the target server (e.g., in a database or forum post)?

A. Reflected XSS
B. Blind XSS
C. DOM-based XSS
D. Stored (Persistent) XSS

8 In a DOM-based XSS attack, where does the security vulnerability lie?

A. In the network transport layer
B. In the server-side database code
C. In the client-side code (JavaScript) processing data
D. In the web server configuration

9 Which flag should be set on a Set-Cookie HTTP response header to prevent client-side scripts (like XSS payloads) from accessing the cookie?

A. Secure
B. SameSite
C. HttpOnly
D. Expires

10 BeEF is a popular penetration testing tool. What does the acronym stand for?

A. Browser Exploitation Framework
B. Binary Encryption and Encoding Facility
C. Backend Engineering Exploitation File
D. Basic Exploitation Environment Frontend

11 Which SQL injection technique involves asking the database true/false questions and determining the answer based on the application's response time?

A. Time-based Blind SQLi
B. Out-of-band SQLi
C. Union-based SQLi
D. Error-based SQLi

12 What is the mathematical logic often used in tautology-based SQL injection?

A. (Imaginary)
B.
C. (Always True)
D. where A is false

13 Which mobile deployment model allows employees to use their personal devices for work but requires them to install a Mobile Device Management (MDM) agent?

A. BYOD (Bring Your Own Device)
B. CYOD (Choose Your Own Device)
C. COPE (Corporate Owned, Personally Enabled)
D. Direct Access

14 Which OWASP Mobile Top 10 vulnerability refers to the storage of sensitive data (like passwords or API keys) in plain text within the device's file system?

A. Insecure Data Storage
B. Improper Platform Usage
C. Insecure Communication
D. Extraneous Functionality

15 What is 'Jailbreaking' in the context of mobile security?

A. Escaping a physical prison using a mobile phone
B. Removing software restrictions imposed by the manufacturer on iOS devices
C. Creating a sandbox environment for apps
D. Encrypting the file system of an Android device

16 Which Bluetooth attack involves sending unsolicited messages (often vCards or images) to a Bluetooth-enabled device?

A. Bluejacking
B. Bluesnarfing
C. Bluebugging
D. Blueborne

17 Which Bluetooth attack allows an attacker to steal data (contacts, calendars, emails) from a device?

A. Bluejacking
B. Pairing Spoofing
C. Frequency Hopping
D. Bluesnarfing

18 Which tool is commonly used to automate the detection and exploitation of SQL injection flaws?

A. Aircrack-ng
B. sqlmap
C. Hydra
D. John the Ripper

19 What does a 'Union-based' SQL injection allow an attacker to do?

A. Shut down the database server
B. Delete the database schema
C. Encrypt the database contents
D. Combine the results of the original query with the results of a malicious injected query

20 Which social engineering attack targets mobile users via SMS messages containing malicious links?

A. Smishing
B. Whaling
C. Vishing
D. Phishing

21 In the context of browser exploitation, what is a 'hook'?

A. A phishing email subject line
B. A method to close the browser remotely
C. A script that binds the victim's browser to the attacker's framework (e.g., BeEF)
D. A hardware keylogger

22 Which mitigation technique involves generating a unique random token for every user session and validating it with every state-changing request to prevent CSRF?

A. Turning off Cookies
B. Anti-CSRF Token (Synchronizer Token Pattern)
C. Input Sanitization
D. Database Encryption

23 What is 'Bluebugging'?

A. Taking full control of a Bluetooth device to make calls or listen to conversations
B. Jamming a Bluetooth signal
C. Sending a virus via Bluetooth
D. Scanning for Bluetooth devices

24 Which vulnerability allows an attacker to inject malicious code into a website that is then executed by other users?

A. RCE
B. SSRF
C. XXE
D. XSS

25 Which COPE deployment model stands for?

A. Corporate Owned, Public Enabled
B. Company Operated, Public Entry
C. Computer Operated, Private Encryption
D. Corporate Owned, Personally Enabled

26 Which type of malware disguises itself as legitimate software to trick the user into installing it?

A. Keylogger
B. Trojan Horse
C. Logic Bomb
D. Worm

27 What is the primary risk associated with 'Side-Loading' apps on Android?

A. It bypasses the official app store security checks, increasing malware risk
B. It requires root access
C. It slows down the internet connection
D. It automatically deletes system files

28 Which attack involves an attacker creating a fake mobile transmission tower to intercept mobile traffic?

A. Rogue Access Point
B. IMSI Catcher (Stingray)
C. Evil Twin
D. NFC Replay

29 Identify the vulnerability: An application allows uploading a file named shell.php without validating the file type.

A. Unrestricted File Upload
B. SQL Injection
C. XSS
D. Path Traversal

30 Which component is essential for a 'Reflected XSS' attack to succeed?

A. Access to the database
B. Root access to the server
C. Social engineering to trick a user into clicking a crafted link
D. A stored comment on a blog

31 What does the 'SameSite' cookie attribute helps prevent?

A. Buffer Overflows
B. Password Cracking
C. SQL Injection
D. CSRF (Cross-Site Request Forgery)

32 Which of the following is a symptom of a mobile device being infected with spyware?

A. Improved battery life
B. Unexpected high data usage and rapid battery drain
C. Screen becomes brighter
D. Faster performance

33 Reverse engineering an Android app (APK) is often used in penetration testing to:

A. Identify hardcoded API keys and logic vulnerabilities
B. Increase the app's speed
C. Upgrade the Android OS
D. Compress the file size

34 Which attack involves overlaying a legitimate application with a fake window to trick users into entering sensitive data on a mobile device?

A. SIM Swapping
B. Bluejacking
C. Tapjacking / Overlay Attack
D. Rooting

35 In SQL Injection, what is the purpose of the -- or # characters?

A. To encrypt the payload
B. To start a new table
C. To execute the query immediately
D. To comment out the rest of the original SQL query

36 Which of the following represents a 'Blind' SQL Injection scenario?

A. The application crashes the server immediately
B. The application returns the results of the UNION SELECT query on the screen
C. The application returns the full database error message
D. The application does not return data but behaves differently (true/false) based on the injection

37 Which mobile vulnerability involves an app accidentally sharing access to its components (Activities, Services) with other malicious apps?

A. Insecure Data Storage
B. Client Code Quality
C. Broken Cryptography
D. Improper Platform Usage (Exported Components)

38 What is 'Vishing'?

A. VPN Phishing
B. Video Phishing
C. Virtual Phishing
D. Voice Phishing (using phone calls)

39 Which technique is used to bypass mobile device screen locks using residues left by fingers?

A. Dictionary Attack
B. Smudge Attack
C. Rainbow Table
D. Brute Force

40 Which of the following is a valid method to secure a session ID?

A. Using a short, predictable sequence
B. Regenerating the Session ID after a successful login
C. Storing it in a public folder
D. Storing it in the URL

41 Malware that encrypts a user's files and demands payment for the decryption key is known as:

A. Rootkit
B. Ransomware
C. Spyware
D. Adware

42 In the context of malware, what is a 'Wrapper' or 'Binder'?

A. A tool used to combine a malicious executable with a legitimate file
B. A secure coding standard
C. A type of antivirus
D. A firewall rule

43 What is the function of a C2 (Command and Control) server in a malware attack?

A. To store the company's backups
B. To prevent DDOS attacks
C. To issue instructions to compromised devices (botnet) and receive stolen data
D. To validate SSL certificates

44 Which encoding is often used in XSS payloads to bypass basic keyword filters (e.g., converting < to %3C)?

A. Rot13
B. MD5
C. URL Encoding (Percent Encoding)
D. Base64

45 What is 'Session Fixation'?

A. An attacker stealing a session cookie via XSS
B. An attacker setting a user's session ID to a known value before the user logs in
C. The server crashing due to too many sessions
D. Fixing a broken session link

46 Which tool is specifically designed for decompiling Android applications into readable Java source code?

A. Metasploit
B. Nmap
C. Jadx / APKTool
D. Wireshark

47 If an attacker inputs admin' -- into a login field, they are attempting to bypass authentication via:

A. Cross-Site Scripting
B. Path Traversal
C. Buffer Overflow
D. SQL Injection

48 Which of the following is an example of a Social Engineering attack utilizing authority?

A. An attacker pretending to be the CEO asking for an urgent wire transfer
B. Scanning ports on a server
C. A brute force attack on a password
D. Injecting SQL code

49 What defines a 'Hybrid' mobile application?

A. It is written purely in Assembly language
B. It is a web application wrapped in a native container
C. It runs only on Android
D. It runs only on iOS

50 Which mathematical concept is primarily compromised when an attacker successfully performs a 'Integer Overflow' attack on a web application?

A. Bandwidth
B. Data Integrity / Correctness of calculation
C. Confidentiality
D. Network Latency