WEB SECURITY


MOST POPULAR AROUND THE WORLD - SUCCESS SERIES

PRACTICE BOOK » NOT FOR SALE

WEB SECURITY
BOOST YOUR KNOWLEDGE
DESIGNED FOR SURE SUCCESS

MCQ EDITION
NARAYAN CHANGDER

256+ QUESTIONS ANSWERS

USEFUL FOR: STUDENTS, TEACHERS, PARENTS, KIDS, QUIZ TEST, EXAM, TRIVIA TEST, COMPETITIVE EXAM, OTHERS
Preface:
This book has undergone rigorous scrutiny to ensure its accuracy. I eagerly invite constructive feedback on its content. Feel free to reach out to me via Facebook at https://www.facebook.com/narayanchangder. Additionally, you can access all of my books on Google Play Books at https://play.google.com/store/books/author?id=Narayan+Changder.

JAI SHREE RAM

NARAYAN CHANGDER
This E-book is dedicated to the loving memory of my mother:
my guiding light, my shining star, forever.

It is with my deepest gratitude and warmest affection that I dedicate this Ebook to my mother JOYTSNA CHANGDER, who could not see this Ebook, who has been a constant source of Knowledge and inspiration. Mom, Covid did not take you, it took our many dreams. Wherever you are, we will meet again.
Disclaimer

The aim of this publication is to supply information taken from sources believed to be valid, reliable and authentic. The author bears no responsibility for any damage arising from inadvertent omissions, negligence or inaccuracies (typographical or factual) that may have found their way into this PDF booklet. Due care has been taken to ensure that the information provided in this book is correct. The author is not responsible for any errors, omissions or damage arising out of use of this information.

Important: If not satisfied with the answers, search the internet for correct answers. If you want to include new questions in this booklet, please contact the author. You can contact him on Facebook: https://www.facebook.com/narayanchangder/
CRUCIAL INFORMATION: PLEASE READ BEFORE CONTINUING:

1. If you require practice sets on various subjects, kindly send us a message on Facebook with the subject name. Our team will be happy to create them for you. Message us on Facebook at https://www.facebook.com/narayanchangder
2. Additionally, you can access all of my books with answers on Google Play Books at https://play.google.com/store/books/author?id=Narayan+Changder
3. Answers are given at the end of every page to help you identify your strengths and weaknesses.
4. It shows you how to build your own technical and pedagogical skills to enable them to create their own materials and activities for students.
5. It helps you to see how you can make the transition from classroom teaching to blended and online teaching.
6. It's the cheapest good quality ebook that you can buy online on google play books.
7. The money raised from creating the sales of the book will help to ensure that I'm able to produce similar books like this at a comparable price.
8. YOU CAN DOWNLOAD 4000+ FREE PRACTICE SET PDF EBOOK ON VARIOUS SUBJECTS (NURSERY to UNIVERSITY LEVEL) FROM GOOGLE DRIVE LINK https://drive.google.com/drive/u/1/folders/19TbUXltOSN5S7FV3sL
Contents

1 GENERAL KNOWLEDGE ........ 2
1.1 GENERAL KNOWLEDGE ........ 2
1. GENERAL KNOWLEDGE

1.1 GENERAL KNOWLEDGE
1. The following is an example of an input URL that can be used to carry out an RCE attack on an application. What can be improved about this URL? http://example.com/page?command=ls%20-la
A. Using escape characters on spaces (%20)
B. Adds quotes to parameter values
C. Rigorously validate every user input
D. Nothing to fix

2. OWASP Zap and Burp Suite are tools used to test the security of
A. encryption algorithms
B. database servers
C. the network
D. web applications

3. Security triad CIA stands for
A. Confidentiality, Integrity and Availability
B. Confirmentiality, Integrity and Availability
C. Confidentiality, Identity and Availability
D. Confidentiality, Integrity and Accountability

4. Wordpress and Joomla are examples of
A. Content management system
B. Elearning platforms
C. Social networking websites
D. Ecommerce platforms

5. Websites used to sell and buy stuff are categorized under
A. Search Engine
B. E-Commerce Website
C. Entertainment Sites
D. Social Networking Sites

6. Attribute which specifies redirection URL on login error
A. authentication-failure-url
B. authentication-failure login-url
C. authentication-login-url
D. none of the mentioned

Answers: 1. C 2. D 3. A 4. A 5. B 6. A
7. What is Same-Origin Policy and how does it affect web security?
A. Policies to escalate unauthorized cross-domain access
B. Policies to reduce web security
C. Policies to limit unauthorized cross-domain access
D. Security policies implemented by web browsers to prevent unauthorized cross-domain access.

8. Encryption can be used to preserve
A. Confidentiality
B. Availability
C. Speed
D. Bandwidth

9. SQL Injection is an attack that uses ____ code inserted into a string which is then passed to an instance of SQL Server
A. Malicious
B. Redundant
C. Not Malicious
D. Clean

10. A method that uses two independent pieces/processes of information to identify a user is known as
A. Authentication through encryption
B. Password-method authentication
C. Two-method authentication
D. Two-factor authentication

11. The following is an example of security misconfiguration in the web server configuration. What can be improved about this configuration?
A. Nothing to fix
B. Enables the FollowSymLinks option
C. Enable AllowOverride All
D. Minimize access rights on directories

12. An attacker injects malicious code through a form input. He uses a <script> tag to inject this code. What kind of attack is that?
A. Stored XSS
B. Reflected XSS
C. Dom-based XSS
D. SQL Injection

13. CORS is an important concept in the web application security model, in which a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.
A. true
B. false

14. Common techniques used to prevent XSS vulnerabilities are?
A. running
B. escaping
C. writing
D. eating

15. What does Pwn mean in CTF?
A. Utilize the web page to find the Flag
B. Utilize the server to find the Flag
C. Reverse engineering or exploitation of binary files
D. Find information hidden in files

16. The Internet is WWW.
A. true
B. false

17. You work for a company that has an intranet you use on a daily basis. If your company sends you to Colorado for a meeting and you access your company's intranet, this means that your company is employing the use of a
A. VPN
B. SSL
C. SMPT
D. Proxy Server

Answers: 7. D 8. A 9. A 10. A 11. D 12. A 13. B 14. B 15. B 16. B 17. A

18. Which of these is not the major element of a WSDL document which describes a web service?
A. <portType>
B. <message>
C. <binding>
D. <attribute>

19. Select the following that are true about using Cookie to transmit session identifiers
A. Cookies are name/value pairs
B. SID is sent by the server in Set-Cookie header field in the HTTP request
C. cookie is stored in the browser as document.cookie
D. browser includes SID in requests with a domain matching the cookie's origin

20. Which of the following accurately defines digital certificates?
A. Online purchase orders which state the details of a purchase
B. Government-issued documents which allow you to sell online
C. Unique pieces of information used to identify a user
D. Notices of online misconduct

21. Most legitimate websites use the encryption protection called "secure sockets layer" (SSL).
A. True
B. False

22. Which of the following HTML methods attributes can be categorized as safe?
A. element.innerHTML = "<HTML> Tags and markup";
B. document.write("<HTML> Tags and markup");
C. document.writeln("<HTML> Tags and markup");
D. tag.innerText = "<%untrusted data%>"

23. Which phase of hacking performs actual attack on a network or system
A. Reconnaissance
B. Maintaining Access
C. Scanning
D. Gaining Access

24. Here is a snippet of PHP code that is vulnerable to IDOR. What can be improved about this code?
A. Using the htmlentities() function
B. Ensure users have permission before providing files
C. Rigorously validate each parameter
D. Added quotes to the variable $file_id

25. Which of the following is a code for sending e-mail messages between servers?
A. Simple Mail Transfer Protocol (SMTP)
B. Secure Sockets Layer (SSL)
C. Internet Protocol (IP)
D. Hypertext Preprocessor (PHP)

26. Form-based login is configured by
A. servlet filters
B. refresh-check-delay
C. form-login
D. none of the mentioned

27. An attacker found out that the input for a field is appended to the end of an URL (e.g. www.localhost.com/search/toiletpaper when he enters toilet paper in the field). The attacker makes use of this vulnerability to get users to open a malicious link sent by them. What kind of attack is that?
A. Stored XSS
B. Reflected XSS
C. Dom-based XSS
D. SQL Injection

Answers: 18. D 19. A 19. C 19. D 20. C 21. A 22. D 23. D 24. B 25. A 26. C 27. B

28. Tomcat is an example of
A. database
B. browser
C. application server
D. payload

29. The DOM does NOT have
A. if statements
B. events
C. methods
D. nodes

30. Under SOP policy, a web browser denies scripts contained in a first web page to access data in a second web page only if both web pages have the same origin.
A. true
B. false

31. What is the target of a CSRF attack?
A. Status change request.
B. Data theft.
C. Server crash.
D. Client destruction.

32. Web application is a computer program that runs locally on a computer device like a desktop or a laptop.
A. true
B. false

33. What are the types of scanning
A. Port, network, and services
B. Network, vulnerability, and port
C. Passive, active, and interactive
D. Server, client, and network

34. What type of Cross-site Scripting is included when untrusted user data is entered into the HTML response generated by the server?
A. Client XSS
B. Reflected XSS
C. Server XSS
D. DOM Based XSS

35. XSS can be prevented by
A. input validation and output encoding
B. Same Origin Policy
C. Cross Origin Policy
D. Content Security Policy
E. Data authentication of scripts

36. If https:abc.com/123 is my Origin and I try to load images from https:xyz.com/123 and https:abc.com/346, what would happen? (Assuming cors are enabled)
A. Images from both URL would load because CORS are enabled.
B. Image would load from https:abc.com/123, Image would not load from https:xyz.com/123
C. Image would not load from https:xyz.com/123, Image would load from https:xyz.com/123
D. Both images would not load because CORS are enabled

37. Which of the following is an authentication method
A. Biometric
B. Password
C. RFID Card
D. All mentioned options

Answers: 28. C 29. A 30. B 31. A 32. B 33. B 34. C 35. A 35. D 35. E 36. A 36. B 37. D 38. C
38. Performing hacking activities with the intent on gaining visibility for an unfair situation is called
A. Cracking
B. Analysis
C. Hacktivism
D. Exploitation

39. How do attackers exploit weaknesses in authentication and session management functions?
A. Attackers modify the 'CC' parameters in their browsers.
B. The attacker modified the 'id' parameter value in his browser to send 'or' 1 '=' 1
C. The attacker gains access to the system's password database.
D. The attacker simply monitors network traffic and steals user session cookies.

40. True or False: It's OK to put sensitive information in HIDDEN form fields; after all, they're hidden
A. TRUE
B. FALSE

41. Which characters are considered dangerous?
A. <
B. >
C. &
D. ‘’
E. !

42. What are the property(ies) of HTTPS
A. Media dependent
B. Stateful
C. Encrypted
D. Connectionless

43. When building a Web site, the Internet service provider you choose is an important factor
A. True
B. False

44. Can Encryption also be used in Cybercrimes?
A. Yes
B. No

45. The most common and problematic security issue when implementing CORS is only in the misconfiguration of access-control-allow-origin
A. true
B. false

46. The default connection type used by HTTP is
A. Persistent
B. Non-persistent
C. Can be either persistent or non-persistent depending on connection request
D. none of above

47. What is an example of obtaining the result of accessing account information in insecure direct object references?
A. String query = "SELECT + FROM accts WHERE account =?";
B. ResultSet and results = pstmt.executeQuery( );
C. PreparedStatement pastmt = connectiion.prepareStatement (query, );
D. patmt.setString( 1, request.getParameter("acct"));

48. What is "Security Misconfiguration" in security testing?
A. Poor access policy settings
B. Misconfigured server settings
C. Use of weak passwords
D. Maintains default configuration

Answers: 39. C 40. B 41. A 41. B 41. C 41. D 42. C 42. D 43. A 44. A 45. B 46. A 47. C 48. B

49. The following functions are used in the ESAPI Access Control API to overcome "Insecure Direct Object References" are as follows, except
A. isAuthorizedForData()
B. isAuthorizedForObject()
C. isAuthorizedForFunction()
D. isAuthorizedForFile()

50. Dynamic web pages are
A. Same every time whenever it displays
B. Generated on demand
C. Executed on the client's machine
D. Can be accessed offline

51. What is the primary goal of a CSRF attack?
A. To encrypt sensitive data
B. To steal user session tokens
C. To trick the user into executing unwanted actions on a web application where they are authenticated
D. To inject malicious scripts into a webpage

52. What does http stand for
A. hyper activity text
B. hyper text transfer
C. high tower transfer
D. hoxie text template

53. Which XSS attack activates upon clicking on a phishing/unknown link
A. Stored XSS attacks
B. Reflective XSS attacks
C. DOM based XSS attacks
D. none of above

54. ____ is used to create a static website.
A. PHP
B. HTML
C. JAVA
D. CSS

55. The relationship between a User and a Session is
A. One to one
B. One to Many
C. Many to one
D. Many to many

56. What is meant by Self-XSS?
A. a social engineering attack used to take control of a victim's web account.
B. The attacker Injects something that appears safe, but is rewritten and modified by the browser, when parsing the markup.
C. An attack that asks a database a true or false question and determines the answer based on the application's response
D. Placement of malicious code in SQL statements, via web page input.

57. An HTML document can contain embedded Javascript code.
A. TRUE
B. FALSE

58. Two URLs have the same origin if the port and host only are the same for both.
A. true
B. false

59. Term that is considered as a basis for most robust authentication schemes, is said to be
A. Identification
B. Registration
C. Encryption
D. Refine information

CHECK GOOGLE PLAY BOOKS FOR ANSWERS KEYS


60. A CSS document can contain embedded Javascript code.
A. TRUE
B. FALSE

61. The first phase of hacking an IT system is compromise of which foundation of security
A. Availability
B. Confidentiality
C. Integrity
D. Authentication

62. Attempting to gain access to a network using an employee's credentials is called the ____ mode of ethical hacking
A. Local networking
B. Social engineering
C. Physical entry
D. Remote networking

63. What is the role of Web Application Firewall (WAF) in web security?
A. Manage web application databases
B. Optimize web appearance
C. Increase web access speed
D. Protect web applications from attacks

64. Confidentiality is the concept of the measures used to ensure the protection of the ____ of the data, objects, and resources.
A. secrecy
B. availability
C. integrity
D. encryption

65. What does XSS stand for?
A. Xross-Side Scripting
B. Xross-Site Scripting
C. Cross-Side Scripting
D. Cross-Site Scripting

66. Which of the following explains Secure Sockets Layer (SSL)?
A. Data could be used for theft or other damaging behavior Microsoft® SharePoint®
B. A small amount of data transmitted across a network
C. Code created by Netscape® for transmitting private documents over the Internet
D. Regular procedure for controlling data transmission between computers

67. The shortcut key to access the developer tools on most browsers is
A. F5
B. FZ
C. Fah
D. F12

68. URL 1 - http://store.company.com/dir2/other.html URL 2 - http://store.company.com:3000/dir2/other.html Are they from the same path
A. Yes
B. No

69. Which of the following is/are correct about Reflected XSS attacks
A. Malicious codes not stored in application
B. Harder to perform than Stored XSS
C. Targets all users using that website
D. Causes more damage than XSS

70. Non-persistent XSS is known as
A. Stored XSS
B. Reflected XSS
C. DOM-Based XSS
D. Request-Based XSS


71. One of the consequences of Missing Function Level Access Control is
A. The attacker accesses all referenceable data via parameters.
B. Someone took over a user's account.
C. Account info from a user is leaked.
D. Attacker accesses unauthorized functions.

72. The main goal of authentication is
A. Restrict what operations/data the user can access
B. Determine if the user is an attacker
C. Flag the user if he/she misbehaves
D. Determine who the user is

73. The following URLs that can cause a "Broken Authentication and Session Management" attack are:
A. http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii
B. http://example.com/post=951815591673480
C. http://example.com/profile?user=KeanuReeves
D. http://example.com/user/changepswd

74. WWW in regards to the internet stands for
A. wild wild west
B. world wide web
C. wild water world
D. world wildlife web

75. In the context of web security, what does End-to-End Encryption (E2EE) ensure?
A. Only the communicating users can read the messages
B. Data is backed up securely
C. Websites are free from vulnerabilities
D. Cookies are encrypted

76. Which of the following options includes an example of unvalidated redirection:
A. http://www.example.com/redirect.php
B. http://www.example.com/boring.jsp?fwd=admin.jsp
C. http://www.unsecurefwd.co.cc/
D. A, B and C are correct

77. Included in the Active SQL Injection category is
A. ' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')
B. ' and 1 in (select var from temp)
C. ' or 1=1
D. INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))

78. What does an 'Attacker' do to impersonate a user?
A. Sends simple text-based attacks that exploit the syntax.
B. Changing a URL or parameter to a privileged function
C. Changes the value of a parameter that directly refers to a system object to another object.
D. Exploit leaks in authentication functions

79. session cookie is stored in a file on the browser's computer
A. true
B. false

80. The following are authentication protocols that do not require a password:
A. I ASK
B. XAML
C. OK
D. OpenId


81. In what type of attack does an intruder manipulate a URL in such a way that the Web server executes or reveals the contents of a file anywhere on the server, including those lying outside the document root directory
A. cross-site scripting
B. command injection
C. SQL injection
D. path traversal attacks

82. The following are the types of XSS attacks, except
A. Unreflected XSS, Stored XSS, DOM-Based XSS
B. Reflected XSS, Restored XSS, DOM-Based XSS
C. Reflected XSS, Stored XSS, DBM-Based XSS
D. Reflected XSS, Stored XSS, DOM-Based XSS

83. ____ refers to protecting networks and computer systems from damage or the theft of software, hardware, or data. It includes protecting computer systems from misdirecting or disrupting the services they are designed to provide.
A. Confidentiality
B. Web Security
C. Availability
D. Encryption

84. Which of our efforts is not to prevent "Sensitive Data Exposure"?
A. Do not store unnecessary sensitive data.
B. Discards sensitive cache data immediately after use.
C. Store sensitive data with a high-security cache.
D. Encrypts all sensitive data.

85. Cookies are programs that are executed on the client machine
A. true
B. false

86. Which is true about XSS
A. The developers of the application are the ones at risk
B. Its main target is the application itself
C. It is a form of code injection
D. XSS attacks run a script in the browser that was not written by the web application owner

87. Why is it important to properly configure access rights on a web server?
A. Increase internet access speed
B. Reduce server operational costs
C. Protect sensitive data and information from unauthorized access
D. Speeds up the software installation process

88. A type of SQL Injection attack that asks the database a true or false question and determines the answer based on the application's response
A. Quick detection
B. Initial Exploitation
C. Blind SQL Injection
D. Date Exploitation

89. The acronym, IP, stands for
A. individual practice
B. imagine protocol
C. internet protocol
D. imagine dragons


90. An ____ is an internal network that is used by businesses and organizations for networks that are only accessible to the people inside the organization.
A. Telenet
B. Code
C. Protocol
D. Intranet

91. In a client-server architecture, the application server sits on the
A. server
B. client

92. What are some ways to defend against XSS attacks through Improved Access Control
A. Server can sign scripts (PKI), client uses public key to verify
B. Apply MAC to scripts, only server needs secret key
C. Only allow authorized scripts to be loaded for a given page (Content Security Policy)
D. Create ACLs and Capabilities on the DOM rendered on the client side.

93. ____ is used to describe how an HTML page is presented to the user, i.e. font size, colour, layout, etc.
A. JQuery
B. CSS
C. Angular
D. Javascript

94. Why is it important to regularly update software and plugins on your web server?
A. To improve the security and performance of your web server.
B. Because there is nothing important in updating software and plugins.
C. To make your web server slower.
D. To add color to your web server.

95. Encoding is the process of converting an encoded format back into the original sequence of characters.
A. true
B. false

96. Fuzzing is a technique used to
A. obscure the value of a string
B. automate brute-force attacks

97. In the given SQL command, where does the vulnerability lie?
A. In the use of the COUNT function
B. In the use of template literals without input validation or parameterization
C. In the selection of data from the Users table
D. In retrieving data from the request body (req.body)

98. Decoding is the process of putting a sequence of characters such as letters, numbers, and other special characters into a specialized format for efficient transmission
A. true
B. false

99. What are the 2 types of Encryption?
A. Symmetric and Asymmetric Encryption
B. Data Encryption Standard and RAS
C. Advance Encryption Standard and TwoFish
D. Public and Private Key

100. Which status code is correct
A. 1xx: Informational, 2xx: Success, 3xx: Redirection, 4xx: Server error, 5xx: Client error
B. 1xx: Success, 2xx: Informational, 3xx: Redirection, 4xx: Server error, 5xx: Client error
C. 1xx: Informational, 2xx: Success, 3xx: Redirection, 4xx: Client error, 5xx: Server error
D. 1xx: Redirection, 2xx: Success, 3xx: Informational, 4xx: Client error, 5xx: Server error

101. What is a common purpose of SQL Injection attacks?
A. To corrupt the SQL database structure
B. To steal sensitive data from the database
C. To perform a Denial of Service attack
D. To encrypt the database for ransom

102. What is HTTPS and why is it important for web security?
A. Protocol to increase web access speed
B. Methods to avoid advertising on websites
C. Ways to secure Wi-Fi connections
D. Security protocols to secure data communications between users and websites.

103. What is the most important activity in system hacking
A. Information gathering
B. Cracking passwords
C. Escalating privileges
D. Covering tracks

104. Which of the following passwords would be the best choice?
A. CharlieBrown123
B. Buddy123
C. The last one is the last one
D. CharlieBrown

105. Things that must be considered to protect direct object access directly are as follows, except
A. Use index to access objects
B. Avoid exposing private objects from users
C. Verify all authorizations for the destination object
D. Using indirect methods that are difficult to validate

106. Competition in the security sector where participants are asked to look for hidden flags, the meaning of?
A. Defender
B. Hacker
C. CTF
D. Web Security

107. Use of <binding> element in WSDL
A. to communicate protocols used by web service
B. to bind data among Web Sites.
C. to set protocol for Web Sites.
D. None of these

108. Applications that create queries dynamically, can be considered as a risk source of
A. Active attacks
B. Passive attacks
C. Forgery
D. Injection

109. Web Services are
A. Loosely Coupled
B. Either Loosely or Tightly Coupled
C. Neither Loosely nor Tightly Coupled
D. All of the above

110. If a site has an unusually short session timeout (e.g.: 2 minutes) and has an unusually large logout button on the top of every page, one might assume that the site is trying to prevent what type of attack? (choose exactly 1 answer):
A. SQL Injection
B. Cross-Site Request Forgery (CSRF)
C. Cross-Site Scripting (XSS)
D. Session Flaws


111. Keyloggers are a form of
A. Spyware
B. Shoulder surfing
C. Trojan
D. Social engineering

112. A unique piece of information that is assigned to each user to check for identification is known as a(n):
A. SET
B. Digital Certification
C. Firewall
D. ISP

113. What is true (select two)?
A. Using vulnerability scanners is more consistent than manual pen-tests
B. Vulnerability scanners generate less false positives than manual pen-tests
C. Scanners determine what vulnerabilities likely exist, without actually attacking them
D. none of above

114. The following are things that can cause a system to be weak against "Broken Authentication and Session Management" attacks, except
A. Passwords, Session IDs, and other credentials are sent over unencrypted connections
B. Credentials can be guessed or overwritten due to weak account management
C. UI that displays navigation for unauthorized functions
D. The session ID is visible in the URL

115. What is security?
A. the quality or state of being secure
B. freedom from danger: safety
C. freedom from fear or anxiety
D. All of the above

116. XSS attacks can be carried out without using <script>. Which of the following options cannot replace the role of <script> in XSS attacks?
A. <body>
B. <onmouseover>
C. <img>
D. <tag>

117. Given http://store.company.com/dir/page.html, store.company.com is the ?
A. Port
B. Path
C. Tuple
D. Protocol

118. WEB applications need to be developed separately for different platform machines.
A. true
B. false

119. You build a Web site that sells t-shirts with personalized logos. The Web site is full-service, meaning that you can pick out the t-shirt, personalize it and purchase it. You would want to make sure that this Web site has a SSL.
A. True
B. False

120. Which html tag(s) is used by the attacker to perform XSS
A. <div>
B. <script>
C. <exe>
D. <npm>

121. Which is not a way to deal with Security Misconfiguration?
A. Default Password
B. Default Secure
C. Secure Connection String
D. Database Security

122. Which of the following is a possible reason for a website being vulnerable to hackers?
A. Secure connections
B. Improper site design
C. Limited access to the site
D. Responsible users

123. When conducting a transaction electronically, an attack can be carried out by recording a piece of secure information and then replaying it times to the Web server. This attack is known as a(n)
A. bypass attack
B. insecure transaction attack
C. third party attack
D. repeat attack

124. A regular procedure for controlling data transmission between computers is known as what?
A. Telenet
B. Protocol
C. Code
D. Intranet

125. Which of the following are correct about CORS
A. CORS are client and server-sided
B. CORS are client sided only
C. CORS are server sided only
D. You need to enable CORs on your browser

126. Which of the following scripts is an example of a SQL Injection Attack?
A. var Shipcity; ShipCity = Request.form("ShipCity"); var SQL = "select * from OrdersTable where ShipCity = '" + ShipCity + "'";
B. var Shipcity; ShipCity = Request.form("ShipCity");
C. var Shipcity; var SQL = "select * from OrdersTable where ShipCity = '" + ShipCity + "'";
D. All True

127. What are the expert skills of today's SI Academy presenters?
A. Pentesting, Programming, Cyber Defender
B. Programming, UI/UX, Web Security
C. Programming, Pentesting, UI/UX
D. Maintenance Software, Programming, Web Security

128. ____ is interpreted on the client.
A. PHP
B. Javascript
C. Groovy
D. Java

129. One operation that frequently has cross-site scripting (XSS) vulnerabilities is
A. user visits a site's homepage
B. site prompts the user for their user name and password
C. site produces an error message for an invalid user name
D. user clicks on a hyperlink to visit another page in the same site

130. This HTTP method sends parameters as query strings appended to the URL.
A. GET
B. POST

131. Which of the following terms is concerned with the validity of data, ensuring there are no errors, bugs or worms in data?
A. Data merit
B. Validity ranking
C. Secure data
D. Data integrity

132. Choose the correct option
A. true
B. false

133. The main purpose of JavaScript in web browser is to
A. Creating animations and other visual effects
B. User Interface
C. Visual effects
D. User experience

134. An attacker sends a malicious URL with a URL fragment appended at the end of the URL. When the user clicks on the URL, it modifies the HTML script on the user's browser. What kind of attack is that?
A. Stored XSS
B. Reflected XSS
C. Dom-based XSS
D. SQL Injection

135. What is Cross-Site Scripting (XSS) and how to avoid it?
A. Attacks stealing login information, VPN usage
B. Attacks steal user cookies, input sanitization
C. The attack damages the server file structure, firewall
D. Attacks on server networks, HTTPS encryption

136. Pay attention to the following URL: http://example.com/app/admin_getappInfo If ordinary users can access this URL, then the system has weaknesses in attacks of the type
A. Using Components with Known Vulnerabilities
B. Broken Authentication and Session Management
C. Missing Function Level Access Control
D. Insecure Direct Object References

137. Client-side JavaScript code is embedded within HTML documents in
A. A URL that uses the special javascript:encoding
B. A URL that uses the special javascript:stack
C. A URL that uses the special javascript:protocol
D. A URL that uses the special javascript:code

138. Which type of XSS attack involves a malicious script being permanently stored on a server?
A. Reflected XSS
B. Document-Based XSS
C. Stored XSS
D. DOM-Based XSS

139. Which technology is used to transform XML into HTML?
A. XHTML
B. XSLT
C. DOM
D. DTD

140. a session is data stored on the client, while a cookie data is stored on the server
A. true
B. false


1.1 GENERAL KNOWLEDGE 16

141. HTTP and HTTPS are
A. Application layer protocols
B. Network layer protocols
C. Physical layer protocols
D. Data link layer protocol

142. The model representing the elements of a web page in a tree structure, created by the browser, is called
A. Domain Object Model
B. HyperText Markup Model
C. Document Object Model
D. Domain Oriented Model

143. Which of the following is true about Web services?
A. Web services are open standard (XML, SOAP, HTTP etc.) based Web applications
B. Web services interact with other web applications for the purpose of exchanging data.
C. Web Services can convert your existing applications into Web-applications.
D. All of the above

144. What is tested in black-box penetration testing?
A. Application source code
B. Vulnerability without prior knowledge
C. Server configuration
D. A and C combination

145. The main goal of authorisation is
A. Restrict what operations/data the user can access
B. Determine if the user is an attacker
C. Flag the user if he/she misbehaves
D. Determine who the user is

146. Where can SQL injection be performed
A. Web forms
B. Browser URL
C. PDF documents
D. Notepad

147. ______ is a company specializing in telecommunications.
A. Telenet
B. Protocol
C. Code
D. Intranet

148. What does XSS do?
A. This bug can provide entertainment services to your users when accessing your website
B. This bug could allow attackers to add their own malicious JavaScript code to the HTML pages displayed to your users
C. This bug can help strengthen the security of your website
D. strengthen your website's security. This bug can disrupt the life-cycle of your website

149. Which of the following statements can improve the security of an application?
A. Set the use of case sensitive username values
B. Limit password size to 25 characters
C. Passwords can only use case insensitive alphabets
D. Limit password size to a maximum of 20 characters

150. The following are the topics in today's material, except?
A. Injection
B. Defender
C. Hacking
D. CTF

151. Why would a hacker use a proxy server
A. To create a stronger connection with the target
B. To create a ghost server on the network
C. To obtain a remote access connection
D. To hide malicious activity on the network

152. Which of these are not the WSDL operation types?
A. One-way
B. error-message
C. Request-response
D. Solicit-response

153. Web intercepting proxies work at which layer of the OSI model?
[figure not reproduced]
A. Network
B. Transport
C. Application
D. Data Link

154. Which of the following accurately describes "digital footprints"?
A. The remarks you post on a website
B. The trail of different websites you visit
C. The graphics on a site which will not load properly
D. The security measures you take to protect your computer

155. A proxy server allows users to be directly connected to a Web site, but they have to ask permission from the proxy first.
A. True
B. False

156. CPE is a
A. Standard for assessing the severity of vulnerabilities
B. Standard for naming systems and software
C. Framework for finding vulnerabilities
D. Framework for exploiting vulnerabilities

157. Which of the following passwords would be the best choice?
A. CharlieBrown123
B. Buddy123
C. 25Rock9N6RoLL
D. CharlieBrown

158. Session ID is assigned
A. After they authenticated
B. to a user on their first visit to a website
C. When they make a request to the server
D. When they open the browser

159. CVSS is a
A. Standard for assessing the severity of vulnerabilities
B. Standard for naming systems and software
C. Framework for finding vulnerabilities
D. Framework for exploiting vulnerabilities

160. What are the two ways of transmitting Session Identifiers
A. Cookies
B. Auth headers
C. Hidden form field
D. OpenId

161. Which of the following is not a factor in securing the environment against an attack on security
A. The education of the attacker
B. The system configuration
C. The network architecture
D. The business strategy of the company

162. In the ______ layer of OSI model, packet filtering firewalls are implemented.
A. Application layer
B. Session layer
C. Network layer
D. Presentation layer

163. JavaScript (JS) is downloaded as a DOM object in an HTML page, which is being executed after using an interpreter. What is the interpreter called?
A. HTML Renderer
B. V8 Engine
C. DOM bindings
D. Same Origin Policy
E. Cross Origin Policy

164. A firewall protects which of the following attacks?
A. Phishing
B. Dumpster diving
C. Denial of Service (DoS)
D. Shoulder surfing

165. In 'Broken Authentication and Session Management' it is caused by inaccurate authentication when changing the password, forgetting the password, etc. How to avoid this, EXCEPT?
A. Password Strength
B. Password Change Controls
C. Check Access
D. Session ID Protection

166. The following classification of Blind SQL Injection is correct
A. Boolean and Time Based
B. Boolean and Error-Based SQL-i
C. Time Based and Union-based SQL-i
D. Boolean and Union-based SQL-i

167. What is the root element of all WSDL documents?
A. Definition
B. Description
C. Root
D. Wsdl-root

168. What makes DOM-based XSS different from XSS/Reflected XSS?
A. It requires server sided flaws
B. It requires client sided flaws
C. It modifies the DOM environment
D. It executes only on the victim's browser

169. A computer on which the Web server is running and all the information is contained is known as
A. Protocol
B. Telenet
C. Intranet
D. Host Computer

170. Packet filtering firewalls are deployed on
A. routers
B. switches
C. hubs
D. repeaters

171. Default port of HTTP is
A. 3000
B. 80
C. 1337
D. 90

172. Do you know the trainer? :D
A. NO
B. YES I KNOW

173. Junk and spam e-mails do not contain viruses and malicious content.
A. True
B. False

174. Cookies have the capacity to store relatively large data compared to Sessions
A. true
B. false

175. The following are aspects that must be ensured in logging and monitoring on the Authentication Cheat Sheet, except
A. Ensure that all failures are logged and reviewed
B. Ensure that all password failures are logged and reviewed
C. Ensure that all security system failures are recorded and reviewed
D. Ensure that all account lockouts are logged and reviewed

176. The most effective way of protecting against SQL injection is
A. blacklisting strings such as "1 OR 1=1" and "UNION" from input
B. using an intrusion detection system to detect attacks
C. white listing input (e.g. only allowing alphanumerical characters and spaces)
D. use of prepared statements or parametrized queries

177. How can you keep your personal computer clean?
A. Rinsing it with water
B. Deleting your e-mail and social media accounts
C. Using the Internet only for shopping
D. Deleting temporary Internet files and browsing history

178. A web application does not need an internet connection or some sort of network to work properly
A. true
B. false

179. To hide information inside a picture, what technology is used
A. Rootkits
B. Bit mapping
C. Stenography
D. Image Rendering

180. Which of the following is NOT a factor which influences Internet security?
A. Web server and data
B. Information exchanged
C. Internet Provider
D. Personal computers

181. ______ is translated into language that can be communicated to the computer.
A. Intranet
B. Code
C. Telenet
D. Protocol

182. To protect a prohibited object for normal users that is referenced directly, do the following, namely
A. Verify whether the object being accessed is correct.
B. Verify the user's authority to access the object.
C. Do not display the object.
D. Delete the object.

183. How many digits does an Internet Protocol address have?
A. 18
B. 24
C. 32
D. 36

184. Which is the way to protect applications in Secure Network Transmission in Security Misconfiguration?
A. Use SSL to encrypt
B. Use Protocol
C. Use ID and password
D. Use the web

185. The URL is the
A. web page address
B. the post office for computers
C. the internet wifi account
D. path of the page

186. The following two URLs have the same origin: https://ucc.qu.edu.sa/mypage.html and https://ucc.qu.edu.sa:81/info.html
A. true
B. false

187. What can be caused by XSS?
A. Changing the appearance and behavior of the website
B. Stealing Personal Data
C. Acting on Your Behalf
D. Do all the things mentioned

188. The following are included in the CTF Tools, except?
A. Binwalk
B. World Wide Web
C. Burp Suite
D. Stegsolve

189. Which practice can help prevent SQL Injection attacks?
A. Using prepared statements and parameterized queries
B. Encrypting data at rest and in transit
C. Regularly updating user passwords
D. Disabling cookies in the browser

190. What is the purpose of a Denial of Service attack
A. Exploit a weakness in the TCP/IP stack
B. To execute a Trojan on a system
C. To overload a system so it is no longer operational
D. To shutdown services by turning them off

191. The image is an example of ______ against SQL injection
[figure not reproduced]
A. Filtering (Black listing)
B. Replacing dangerous characters with encoding
C. Parameterized queries
D. Reassigning variables

192. The solution to session hijacking is:
A. Encrypt end to end with TLS
B. Use VPN to avoid packet reads over local network
C. Session ID monitors
D. CORs

193. What type of vulnerability is described by this CVSS vector: AV:N/AC:L/Au:N/C:N/I:N/A:C?
A. Remove buffer overflow resulting in read-only access
B. Local buffer overflow resulting in full access
C. Remote DoS which does not require authentication
D. Local DoS which requires authentication

194. Which database is queried by Whois
A. ICANN
B. ARIN
C. APNIC
D. DNS

195. ______ is a one-way hashing function which produces output of fixed length.
A. MD5
B. ASCII
C. UTF-8
D. Base64

196. What type of attack is this?
[figure not reproduced]
A. Sensitive Data Exposure
B. Sensible Data Exposure
C. Spam Phishing Mail
D. Unvalidated Redirects and Forward

197. In a typical client-server architecture, the browser sits on the
A. server
B. client

198. PHP, ASP, ASP.net are examples of
A. Server-side programming language
B. Client-side programming language

199. Same Origin Policy (SOP) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin, access to selected resources from a different origin
A. true
B. speak

200. Which of the following is not a typical characteristic of an ethical hacker?
A. Excellent knowledge of Windows
B. Understands the process of exploiting network vulnerabilities
C. Patience, persistence and perseverance
D. Has the highest level of security for the organization

201. UDDI uses ______ to describe interfaces to web services
A. SOAP
B. WSDL
C. UDDI
D. RPC

202. What are the web service platform elements?
A. Soap, Uddi, Kamal
B. HTTP, WSDL
C. Uddi, Kamal, Soap
D. Soap, Uddi, Vasdal

203. Which of the following security systems acts as a filter between two Internet servers?
A. Router
B. Password
C. Firewall
D. Switch

204. What type of injection aims to execute arbitrary commands in the host OS via a vulnerable application?
A. Command Injection
B. Application Injection
C. SQL injection
D. XSS injection

205. The following is an example of an attack carried out using
[figure not reproduced]
A. XSS
B. Security Misconfiguration
C. CSRF
D. Broken Authentication and Session Management

206. What type of vulnerabilities is not in the OWASP Top-10
A. Buffer overflow
B. SQL injection
C. Cross-site scripting
D. Security Misconfiguration

207. Which of the following is an example of IRRESPONSIBLE Internet use?
A. Keeping your user's passwords a secret
B. E-mailing personal secure information to your friends
C. Installing anti-virus software
D. Setting up a password on your Wi-Fi network

208. Blocking script execution and CSP is one of the solutions against XSS attacks. Mozilla's Content Security Policies does this by:
A. All scripts for a page must be loaded from white-listed hosts
B. Scripts included via a <script> tag pointing to a white-listed host will be treated as valid
C. Do not load any pages where its script came from Black-listed hosts
D. Scripts with a <script> tag will be ignored

209. Every computer and device that is connected to the internet is assigned a unique numeric
A. IP Address
B. UP Address
C. Wifi Address
D. PO Box Address

210. Which of the following is true regarding SQL
A. SQL can execute queries against a database
B. SQL can retrieve data from a database
C. SQL can insert records in a database
D. All are true

211. Today online transactions are primarily conducted in which of the following ways?
A. As Secure Electronic Transactions (SET)
B. Through the World Wide Web (WWW)
C. As e-mails
D. By Telenet

212. Google, DuckDuckGo, Bing and Ask are examples of
A. Email clients
B. Search Engines
C. Web clients
D. Content Management Systems (CMS)

213. Which of the following best describes Cross-Site Scripting (XSS)?
A. Injecting SQL queries into a database through the webpage
B. Forcing an end user to execute unwanted actions on a web application
C. Injecting malicious scripts into web pages viewed by other users
D. Encrypting data between two parties to ensure security

214. One good way to avoid SQL injection attacks is
A. Rename each table in the database so that it is not easy to track
B. Storing the database on a local server
C. Restrict access rights to the database to only admins and developers
D. Encapsulate a SQL statement by making the input a parameter of a procedure

215. What is not included in the exploitation technique of SQL Injection is
A. Union Exploitation Technique
B. Stored Procedure Injection
C. Automated Exploitation
D. Binary Exploitation Technique

216. In a typical client-server architecture, the database sits on the
A. server
B. client

217. Which DOM code executes the script tag?
A. document.querySelectorAll()
B. document.Inject()
C. document.queryAll()
D. document.querySelector()

218. When you are building a Web site the only people you want to visit your Web site are authorized users that have permission to access your Web site.
A. True
B. False

219. What is a web server?
A. where every website and webpage within that site sit on a computer.
B. where the internet spiders hang out
C. where the webpages are created
D. none of above

220. ______ is an example of
A. Port number
B. IP address
C. MAC address
D. Hostname

221. Which is not an example of an injection attack scenario
A. http://example.com/app/accountView?id='lol' or '1'='1'
B. In password form enter: xxx' OR 1=1 '
C. In password form enter: gg' OR 1=1
D. http://example.com/app/accountView?id=' or '1'='1

222. Which application is known for its use of End-to-End Encryption (E2EE)?
A. Google Chrome
B. Microsoft Outlook
C. WhatsApp
D. SQL Server Management Studio

223. The difference between Insecure Direct Object References and Missing Function Level Access Control is
A. File and function access verification exploit.
B. Exploit object and file access verification.
C. Exploit object and function verification.
D. Exploit function and object verification.

224. The weakness of "Insecure Direct Object Reference" cannot be detected by automated tools because
A. These tools cannot know what objects need protection.
B. Tools do not have access to detect these weaknesses.
C. Tools always experience errors in detecting weaknesses.
D. All wrong

225. If you design a Web site that conducts financial transactions, security risks on this Web site are inevitable.
A. True
B. False

226. What is/are the purpose of enforcing Same Origin Policy (SOP) when loading web pages?
A. Allow scripts from the source origin to interact with a resource from another origin
B. Isolate potentially malicious documents, reducing possible attack vectors
C. Ensure that web pages can only load data if the port and host are the same
D. Manage the state of modern web browsers

227. The authentication protocol that protects many websites from phishing by using the website URL to find the stored authentication key is
A. FIDO
B. OPENID
C. SAML
D. OAuth

228. Which of the following types of network is used by businesses and organizations for networks only accessible to the people inside the organization?
A. Internet
B. Intranet
C. Wide Area Network (WAN)
D. Metropolitan Area Network (MAN)

229. What is the OWASP Top Ten test in web security testing?
A. Encryption standards for data connections
B. List of ten common web security vulnerabilities
C. Protocol to protect against DDoS attacks
D. Website performance testing methods

230. GET, POST, PUT and DELETE are HTTP methods used in
A. RPC (Remote Procedure Call)
B. REST (Representational State Transfer)
C. SOAP (Simple Object Access Protocol)
D. FTP (File Transfer Protocol)

231. What is not a security scanner?
A. OpenVAS
B. Nessus
C. msf
D. nobody

232. The service(s) that enables networking through scripted HTTP requests is
A. XMLHttpResponse
B. XML Request
C. XMLHttpRequest
D. XMLHttps

233. Which of the following is NOT information your ISP has the ability to know?
A. Your favorite website
B. What you shop for online
C. The content of your e-mails
D. Your computer monitor background

234. The following are not components that determine the complexity of security implementation of session management, namely
A. Session Management
B. Authentication
C. Access Control
D. Cookies

235. Which of the following is NOT a type of firewall?
A. Secure Sockets Layer
B. Packet filtering
C. Network address translation
D. Virtual private network

236. Status returned error code 404: Not Found. What kind of error is this
A. Server error
B. Client error
C. Redirection
D. Informational

237. CORS policy is a security feature by itself
A. true
B. false

238. Which are the three core components of a Web Architecture
A. Addressing standards (URL), Data Transmission Protocol (Http), Representation formats (html)
B. API methods (GET/POST), Data Transmission Protocol (Http), Ports (TCP/UDP)
C. API methods (GET/POST), Data Transmission Protocol (Http), Representation formats (html)
D. API methods (GET/POST), Data Transmission Protocol (SMTP), Representation formats (html)

239. How many topics are there in today's web security material?
A. 2
B. 3
C. 1
D. 4

240. What type of vulnerability scan can detect locally exploitable security issues?
A. Non-credentialed scan
B. Credentialed scan

241. What is NOT a part of a SOAP Message?
A. SOAP Body
B. SOAP Envelop
C. SOAP Headers
D. SOAP Footer

242. Which of the following communicates with server-side CGI scripts through HTML form submissions and can be written without the use of JavaScript?
A. Static Web Pages
B. Interactive Web Pages
C. Conditional Web Pages
D. All web pages

243. A web proxy is used to intercept communication
A. between the browser and the web application.
B. between the web application and the database.

244. This string is encoded in
[figure not reproduced]
A. MD5
B. ASCII
C. UTF-8
D. Base64

245. What are the limitations with Filtering input/outputs for XSS?
A. Only works well with clear rules characterizing good/bad inputs
B. Not centrally enforceable due to scattered code
C. Need constant updates on filters
D. Have to deal with unspecified browser behaviour

246. Wang Xing was shopping for butt plugs (bp) on Shopee. He accidentally closed the browser. When he reopened it, his selection of 2-inch radius bp is still in the cart despite being logged out. Why is that so?
A. Session data is stored in the cookie in his web browser
B. Session and user authentication are independent from each other
C. His cart items are tracked and stored in Shopee's server cache
D. His cart data is linked to his account user id.

247. ______ is interpreted on the server.
A. PHP
B. Javascript
C. CSS
D. HTML

248. Which are the most popular and highly recommended CSRF mitigation efforts?
A. Token based mitigation
B. Double submit cookies
C. Triple submit cookies
D. Login form

249. Below is a code snippet that reveals debug information in a production environment. What's wrong with this code?
DEBUG_MODE = True
if DEBUG_MODE:
    print("Debug Information: ")
A. Nothing is wrong
B. Use of global variables for debug mode
C. Running debug information in a production environment
D. Using the wrong logging method

250. Packet filtering firewalls work effectively in ______ networks.
A. very simple
B. large
C. smaller
D. very large & Complex

251. ______ session's data consists of a single name-value pair, sent in the header of the client's HTTP GET or POST request
A. true
B. false

252. The methods, tools, and personnel used to defend an organization's digital assets.
A. IT Security
B. Encryption
C. Policies
D. Cipher

253. Web browsers communicate with web servers using the HTML
A. true
B. false

254. The following things can be protected in cyberspace, except
A. Internet Surf
B. Account
C. Mail
D. Platform Development

255. When a packet does not fulfil the ACL criteria, the packet is
A. resend
B. dropped
C. destroyed
D. acknowledged as received

256. Why is the following SQL query vulnerable to SQL injection?
$query = "SELECT * FROM products WHERE id = " . $_GET['product_id'];
A. There is no SQL injection vulnerability in this query
B. Using the htmlspecialchars function to sanitize the input
C. Does not validate input URL parameters
D. Use prepared statements correctly

257. The hierarchical representation of data is a
A. Javascript
B. Same Origin Policy
C. Document Object Model
D. Cross Origin Policy

258. What does URL stand for?
A. uniform resource locator
B. uniform relocate limit
C. uniformed resistance locator
D. unilateral resource limit

259. Cookies can erase or read information from the user's computer.
A. true
B. false

260. Which of the following is the BEST option to protect web servers and prevent XSS attacks?
A. Column level access control
B. Code review & URL filtering
C. Baseline reporting
D. Input validation & WAF