Unit 4 - Practice Quiz

INT245 50 Questions
0 Correct 0 Wrong 50 Left
0/50

1 Which organization manages the standard awareness document for developers and web application security known as the 'Top 10'?

A. ISO
B. IEEE
C. OWASP
D. NIST

2 In the context of OWASP Top 10, which vulnerability allows an attacker to access unauthorized functionality or data, such as viewing another user's account details by simply changing a URL parameter?

A. Injection
B. Broken Access Control
C. Security Misconfiguration
D. Cryptographic Failures

3 Which attack involves an attacker stealing a valid session ID to gain unauthorized access to a web server?

A. Directory Traversal
B. Session Hijacking
C. SQL Injection
D. Buffer Overflow

4 What is the primary mechanism of a Cross-Site Request Forgery (CSRF) attack?

A. Executing scripts in the victim's browser via a reflected input
B. Injecting malicious SQL scripts into a database
C. Brute-forcing the admin password
D. Tricking a user's browser into sending an unwanted request to a trusted site where the user is authenticated

5 Which input would most likely be used to test for a basic SQL Injection vulnerability?

A. <script>alert(1)</script>
B. ping 127.0.0.1
C. ../../etc/passwd
D. ' OR '1'='1

6 What is the primary defense mechanism against SQL Injection attacks?

A. Using Parameterized Queries (Prepared Statements)
B. Disabling JavaScript
C. Using Hashing algorithms
D. Using SSL/TLS

7 Which type of XSS attack occurs when the malicious script is permanently stored on the target server (e.g., in a database or forum post)?

A. DOM-based XSS
B. Blind XSS
C. Reflected XSS
D. Stored (Persistent) XSS

8 In a DOM-based XSS attack, where does the security vulnerability lie?

A. In the web server configuration
B. In the server-side database code
C. In the client-side code (JavaScript) processing data
D. In the network transport layer

9 Which flag should be set on a Set-Cookie HTTP response header to prevent client-side scripts (like XSS payloads) from accessing the cookie?

A. HttpOnly
B. Expires
C. Secure
D. SameSite

10 BeEF is a popular penetration testing tool. What does the acronym stand for?

A. Binary Encryption and Encoding Facility
B. Browser Exploitation Framework
C. Basic Exploitation Environment Frontend
D. Backend Engineering Exploitation File

11 Which SQL injection technique involves asking the database true/false questions and determining the answer based on the application's response time?

A. Time-based Blind SQLi
B. Error-based SQLi
C. Union-based SQLi
D. Out-of-band SQLi

12 What is the mathematical logic often used in tautology-based SQL injection?

A. (Imaginary)
B. where A is false
C.
D. (Always True)

13 Which mobile deployment model allows employees to use their personal devices for work but requires them to install a Mobile Device Management (MDM) agent?

A. Direct Access
B. BYOD (Bring Your Own Device)
C. COPE (Corporate Owned, Personally Enabled)
D. CYOD (Choose Your Own Device)

14 Which OWASP Mobile Top 10 vulnerability refers to the storage of sensitive data (like passwords or API keys) in plain text within the device's file system?

A. Insecure Communication
B. Extraneous Functionality
C. Improper Platform Usage
D. Insecure Data Storage

15 What is 'Jailbreaking' in the context of mobile security?

A. Creating a sandbox environment for apps
B. Encrypting the file system of an Android device
C. Escaping a physical prison using a mobile phone
D. Removing software restrictions imposed by the manufacturer on iOS devices

16 Which Bluetooth attack involves sending unsolicited messages (often vCards or images) to a Bluetooth-enabled device?

A. Blueborne
B. Bluesnarfing
C. Bluebugging
D. Bluejacking

17 Which Bluetooth attack allows an attacker to steal data (contacts, calendars, emails) from a device?

A. Frequency Hopping
B. Pairing Spoofing
C. Bluesnarfing
D. Bluejacking

18 Which tool is commonly used to automate the detection and exploitation of SQL injection flaws?

A. sqlmap
B. Hydra
C. John the Ripper
D. Aircrack-ng

19 What does a 'Union-based' SQL injection allow an attacker to do?

A. Combine the results of the original query with the results of a malicious injected query
B. Delete the database schema
C. Encrypt the database contents
D. Shut down the database server

20 Which social engineering attack targets mobile users via SMS messages containing malicious links?

A. Smishing
B. Whaling
C. Phishing
D. Vishing

21 In the context of browser exploitation, what is a 'hook'?

A. A hardware keylogger
B. A method to close the browser remotely
C. A script that binds the victim's browser to the attacker's framework (e.g., BeEF)
D. A phishing email subject line

22 Which mitigation technique involves generating a unique random token for every user session and validating it with every state-changing request to prevent CSRF?

A. Turning off Cookies
B. Input Sanitization
C. Database Encryption
D. Anti-CSRF Token (Synchronizer Token Pattern)

23 What is 'Bluebugging'?

A. Taking full control of a Bluetooth device to make calls or listen to conversations
B. Scanning for Bluetooth devices
C. Sending a virus via Bluetooth
D. Jamming a Bluetooth signal

24 Which vulnerability allows an attacker to inject malicious code into a website that is then executed by other users?

A. XSS
B. SSRF
C. RCE
D. XXE

25 Which COPE deployment model stands for?

A. Corporate Owned, Public Enabled
B. Company Operated, Public Entry
C. Corporate Owned, Personally Enabled
D. Computer Operated, Private Encryption

26 Which type of malware disguises itself as legitimate software to trick the user into installing it?

A. Keylogger
B. Trojan Horse
C. Logic Bomb
D. Worm

27 What is the primary risk associated with 'Side-Loading' apps on Android?

A. It requires root access
B. It automatically deletes system files
C. It slows down the internet connection
D. It bypasses the official app store security checks, increasing malware risk

28 Which attack involves an attacker creating a fake mobile transmission tower to intercept mobile traffic?

A. IMSI Catcher (Stingray)
B. Evil Twin
C. Rogue Access Point
D. NFC Replay

29 Identify the vulnerability: An application allows uploading a file named shell.php without validating the file type.

A. Unrestricted File Upload
B. XSS
C. SQL Injection
D. Path Traversal

30 Which component is essential for a 'Reflected XSS' attack to succeed?

A. Access to the database
B. Social engineering to trick a user into clicking a crafted link
C. A stored comment on a blog
D. Root access to the server

31 What does the 'SameSite' cookie attribute helps prevent?

A. SQL Injection
B. Buffer Overflows
C. Password Cracking
D. CSRF (Cross-Site Request Forgery)

32 Which of the following is a symptom of a mobile device being infected with spyware?

A. Unexpected high data usage and rapid battery drain
B. Faster performance
C. Screen becomes brighter
D. Improved battery life

33 Reverse engineering an Android app (APK) is often used in penetration testing to:

A. Increase the app's speed
B. Upgrade the Android OS
C. Compress the file size
D. Identify hardcoded API keys and logic vulnerabilities

34 Which attack involves overlaying a legitimate application with a fake window to trick users into entering sensitive data on a mobile device?

A. Tapjacking / Overlay Attack
B. SIM Swapping
C. Bluejacking
D. Rooting

35 In SQL Injection, what is the purpose of the -- or # characters?

A. To encrypt the payload
B. To comment out the rest of the original SQL query
C. To execute the query immediately
D. To start a new table

36 Which of the following represents a 'Blind' SQL Injection scenario?

A. The application returns the full database error message
B. The application returns the results of the UNION SELECT query on the screen
C. The application crashes the server immediately
D. The application does not return data but behaves differently (true/false) based on the injection

37 Which mobile vulnerability involves an app accidentally sharing access to its components (Activities, Services) with other malicious apps?

A. Improper Platform Usage (Exported Components)
B. Insecure Data Storage
C. Broken Cryptography
D. Client Code Quality

38 What is 'Vishing'?

A. Voice Phishing (using phone calls)
B. Virtual Phishing
C. VPN Phishing
D. Video Phishing

39 Which technique is used to bypass mobile device screen locks using residues left by fingers?

A. Smudge Attack
B. Rainbow Table
C. Brute Force
D. Dictionary Attack

40 Which of the following is a valid method to secure a session ID?

A. Storing it in a public folder
B. Storing it in the URL
C. Regenerating the Session ID after a successful login
D. Using a short, predictable sequence

41 Malware that encrypts a user's files and demands payment for the decryption key is known as:

A. Ransomware
B. Adware
C. Rootkit
D. Spyware

42 In the context of malware, what is a 'Wrapper' or 'Binder'?

A. A type of antivirus
B. A tool used to combine a malicious executable with a legitimate file
C. A firewall rule
D. A secure coding standard

43 What is the function of a C2 (Command and Control) server in a malware attack?

A. To store the company's backups
B. To issue instructions to compromised devices (botnet) and receive stolen data
C. To prevent DDOS attacks
D. To validate SSL certificates

44 Which encoding is often used in XSS payloads to bypass basic keyword filters (e.g., converting < to %3C)?

A. Base64
B. Rot13
C. URL Encoding (Percent Encoding)
D. MD5

45 What is 'Session Fixation'?

A. An attacker stealing a session cookie via XSS
B. Fixing a broken session link
C. The server crashing due to too many sessions
D. An attacker setting a user's session ID to a known value before the user logs in

46 Which tool is specifically designed for decompiling Android applications into readable Java source code?

A. Metasploit
B. Nmap
C. Jadx / APKTool
D. Wireshark

47 If an attacker inputs admin' -- into a login field, they are attempting to bypass authentication via:

A. Buffer Overflow
B. SQL Injection
C. Cross-Site Scripting
D. Path Traversal

48 Which of the following is an example of a Social Engineering attack utilizing authority?

A. Injecting SQL code
B. A brute force attack on a password
C. Scanning ports on a server
D. An attacker pretending to be the CEO asking for an urgent wire transfer

49 What defines a 'Hybrid' mobile application?

A. It is a web application wrapped in a native container
B. It is written purely in Assembly language
C. It runs only on Android
D. It runs only on iOS

50 Which mathematical concept is primarily compromised when an attacker successfully performs a 'Integer Overflow' attack on a web application?

A. Data Integrity / Correctness of calculation
B. Bandwidth
C. Confidentiality
D. Network Latency