Web Security MCQ Questions PDF
Uploaded by HarmoniousPlateau8094
Summary
This document contains multiple-choice questions (MCQs) on web security topics, including SQL injection, cross-site scripting (XSS), and session hijacking. The questions cover various aspects of these vulnerabilities and potential solutions. It's a good resource for learning web security.
Full Transcript
1. SQL Injection

Q1: What is SQL Injection?
A. A technique used to inject malicious SQL code into a database
B. A method to prevent SQL queries from running
C. A way to secure a database from unauthorized access
D. A technique used to encrypt SQL queries
Answer: A. A technique used to inject malicious SQL code into a database

Q2: Which of the following is a common consequence of a successful SQL injection attack?
A. Data encryption
B. Unauthorized data access
C. Slower database performance
D. Data compression
Answer: B. Unauthorized data access

Q3: What can prevent SQL injection attacks?
A. Using stored procedures without user input validation
B. Disabling the database
C. Using parameterized queries
D. Writing longer SQL queries
Answer: C. Using parameterized queries

Q4: Which of the following is an example of a SQL injection payload?
A. 1=1
B. alert("XSS")
C. DROP DATABASE
D. alert('Hi')
Answer: A. 1=1

2. Cross-Site Scripting (XSS)

Q1: What is Cross-Site Scripting (XSS)?
A. A vulnerability that allows an attacker to insert malicious JavaScript into a webpage
B. A technique for encrypting user data
C. A method of stealing user credentials through phishing
D. A database injection attack
Answer: A. A vulnerability that allows an attacker to insert malicious JavaScript into a webpage

Q2: Which type of XSS occurs when malicious code is embedded in a URL and executed in the user's browser?
A. Stored XSS
B. Reflected XSS
C. DOM-based XSS
D. Blind XSS
Answer: B. Reflected XSS

Q3: What is a common consequence of a successful XSS attack?
A. Database corruption
B. Unauthorized access to server logs
C. Session hijacking
D. Server-side encryption failures
Answer: C. Session hijacking

Q4: Which of the following can prevent XSS attacks?
A. Escaping user input
B. Allowing all HTML tags in input
C. Disabling JavaScript
D. Encrypting the URL
Answer: A. Escaping user input

3. Session Hijacking

Q1: What is Session Hijacking?
A. Taking over a user's session after they have logged out
B. Intercepting a valid user session to steal data or perform unauthorized actions
C. Locking a user's session to prevent unauthorized access
D. Encrypting the session data to protect user credentials
Answer: B. Intercepting a valid user session to steal data or perform unauthorized actions

Q2: Which of the following is a common method of session hijacking?
A. SQL injection
B. Cross-site scripting (XSS)
C. Password brute-forcing
D. Encryption algorithms
Answer: B. Cross-site scripting (XSS)

Q3: Which technique can help prevent session hijacking?
A. Using encrypted cookies and HTTPS
B. Disabling session cookies
C. Storing sessions in the database
D. Logging user activities in plain text
Answer: A. Using encrypted cookies and HTTPS

Q4: What is the main security flaw exploited in session hijacking?
A. Weak session encryption
B. Insecure transmission of session cookies
C. Poorly designed HTML forms
D. Weak database encryption
Answer: B. Insecure transmission of session cookies

1. SQL Injection

Q5: Which of the following is an indication of a possible SQL Injection vulnerability?
A. Users can view sensitive data they are not authorized to access
B. The website loads faster than usual
C. The login page requires CAPTCHA verification
D. The database uses SSL encryption
Answer: A. Users can view sensitive data they are not authorized to access

Q6: What is the primary goal of an attacker using SQL injection?
A. To cause a denial-of-service (DoS)
B. To manipulate or retrieve data from the database
C. To intercept network traffic
D. To create new admin users in the system
Answer: B. To manipulate or retrieve data from the database

Q7: Which of the following is a simple SQL injection attack string?
A. ' OR '1'='1' --
B. alert("XSS")
C. '; DROP TABLE users --
D. #!/bin/bash
Answer: A. ' OR '1'='1' --

Q8: A parameterized query is effective in preventing which type of attack?
A. Cross-Site Scripting (XSS)
B. Buffer Overflow
C. SQL Injection
D. Denial-of-Service (DoS)
Answer: C. SQL Injection

Q9: Which database error might indicate an attempted SQL injection attack?
A. HTTP 404 Not Found
B. SQL syntax error
C. Network timeout
D. SSL certificate error
Answer: B. SQL syntax error

2. Cross-Site Scripting (XSS)

Q5: Which type of XSS attack occurs when malicious scripts are permanently stored on a target server?
A. Stored XSS
B. Reflected XSS
C. DOM-based XSS
D. Persistent Cross-Site Request Forgery (CSRF)
Answer: A. Stored XSS

Q6: How can Content Security Policy (CSP) help in preventing XSS attacks?
A. By blocking access to the server
B. By only allowing trusted sources to execute scripts
C. By disabling JavaScript on the website
D. By encrypting the webpage content
Answer: B. By only allowing trusted sources to execute scripts

Q7: Which of the following is a likely symptom of a successful XSS attack?
A. A user sees unexpected pop-ups or alerts on a webpage
B. The website displays a 500 Internal Server Error
C. The webpage stops loading altogether
D. The page redirects to an HTTPS version automatically
Answer: A. A user sees unexpected pop-ups or alerts on a webpage

Q8: Which HTML element is most likely to be exploited in an XSS attack?
A. \
B. \
C. \
D. \
Answer: C. \

Q9: In a reflected XSS attack, what is the main characteristic that distinguishes it from stored XSS?
A. The malicious script is immediately reflected back to the user's browser without being stored
B. The attack is executed on the server-side
C. The malicious script is stored in the database
D. The attack can only be executed on mobile devices
Answer: A. The malicious script is immediately reflected back to the user's browser without being stored

3. Session Hijacking

Q5: Which of the following could be a sign that session hijacking has occurred?
A. Multiple failed login attempts
B. The user is logged out unexpectedly, and unauthorized actions are taken
C. The website displays a maintenance message
D. Browser crashes frequently
Answer: B. The user is logged out unexpectedly, and unauthorized actions are taken

Q6: Which of the following attacks involves stealing cookies to hijack a session?
A. Cross-Site Scripting (XSS)
B. SQL Injection
C. Denial-of-Service (DoS)
D. Man-in-the-Middle (MitM)
Answer: A. Cross-Site Scripting (XSS)

Q7: Which of the following can reduce the risk of session hijacking?
A. Using long session IDs
B. Disabling firewalls
C. Encrypting only the database
D. Using plain-text cookies
Answer: A. Using long session IDs

Q8: Why is HTTPS important in preventing session hijacking?
A. It encrypts the data, making it harder for attackers to intercept session tokens
B. It makes the website load faster
C. It disables cookies
D. It ensures that all scripts are signed by the server
Answer: A. It encrypts the data, making it harder for attackers to intercept session tokens

Q9: What is a common technique used in session hijacking to gain control over a session?
A. Stealing the session ID via a browser cookie
B. Injecting SQL commands into the session
C. Crashing the web server
D. Using CAPTCHA to prevent login
Answer: A. Stealing the session ID via a browser cookie

These additional questions further explore key concepts and techniques used in SQL injection, XSS, and session hijacking attacks, as well as prevention strategies.

1. Types of SQL Injections

Q1: Which of the following is a type of SQL Injection where the attacker can retrieve data directly from the database?
A. Error-based SQL Injection
B. Time-based Blind SQL Injection
C. Boolean-based Blind SQL Injection
D. Stacked Queries SQL Injection
Answer: A. Error-based SQL Injection

Q2: What type of SQL Injection occurs when the application does not return any database error messages, but the attacker can infer database information through conditional responses?
A. Error-based SQL Injection
B. Time-based Blind SQL Injection
C. Boolean-based Blind SQL Injection
D. Union-based SQL Injection
Answer: C. Boolean-based Blind SQL Injection

Q3: Which type of SQL Injection uses the UNION operator to combine results from multiple SELECT statements?
A. Boolean-based Blind SQL Injection
B. Union-based SQL Injection
C. Error-based SQL Injection
D. Time-based Blind SQL Injection
Answer: B. Union-based SQL Injection

Q1: What is the main goal of a SQL injection attack?
Answer: The main goal of a SQL injection attack is to manipulate a web application's database by injecting malicious SQL queries to retrieve, modify, or delete sensitive data, bypass authentication, or execute administrative operations.

Q2: Describe Error-based SQL Injection.
Answer: Error-based SQL Injection relies on causing database errors that return information about the database structure, such as table names or column names, to the attacker. This technique is used to extract data by exploiting error messages.

Q3: How does Boolean-based Blind SQL Injection work?
Answer: Boolean-based Blind SQL Injection works by sending SQL queries that cause the application to return different responses (e.g., true or false) depending on the query's result. The attacker can infer information about the database without seeing actual data or error messages.

Q4: What is Union-based SQL Injection?
Answer: Union-based SQL Injection uses the UNION operator to combine the results of a legitimate query with the results of a malicious query. This allows the attacker to retrieve additional data from the database and append it to the original query's result.

Q1: What is Cross-Site Scripting (XSS)?
Answer: Cross-Site Scripting (XSS) is a type of web security vulnerability that allows attackers to inject malicious scripts, usually JavaScript, into web pages viewed by other users. This can result in data theft, session hijacking, or unauthorized actions on behalf of the user.

Q2: What are the three main types of XSS attacks?
Answer: The three main types of XSS attacks are:
- Stored XSS: Malicious scripts are permanently stored on the target server (e.g., in a database) and executed when users load the affected page.
- Reflected XSS: The malicious script is included in a URL or form input and executed immediately when the server reflects it back in the response.
- DOM-based XSS: The attack happens on the client-side when JavaScript modifies the web page's DOM (Document Object Model), allowing malicious code to be executed.

Q3: How does Stored XSS differ from Reflected XSS?
Answer: In Stored XSS, the malicious script is stored on the server (e.g., in a database) and executed whenever users access the page. In Reflected XSS, the script is not stored but rather injected into a URL or input, and it is immediately executed as part of the server's response to the user.

Q1: What is session hijacking?
Answer: Session hijacking is an attack where an attacker takes over a valid user session, typically by stealing the session ID, allowing them to impersonate the legitimate user and gain unauthorized access to sensitive information or services.

Q2: How does session hijacking typically occur?
Answer: Session hijacking typically occurs when an attacker steals or intercepts a user's session ID, usually through methods like network sniffing, cross-site scripting (XSS), or session fixation. Once the attacker has the session ID, they can use it to impersonate the user.

Q3: What is a session ID, and why is it important in session management?
Answer: A session ID is a unique identifier that a server assigns to each user during a session, allowing the server to track user actions and maintain their authenticated state. It is important because it ensures continuity between multiple requests during a session, such as when a user logs in and navigates a website.