Ch.6 Application Security Flashcards
Adam is conducting software testing by reviewing the source code of the application. What type of code testing is Adam conducting?
A. Mutation testing
B. Static code analysis
C. Dynamic code analysis
D. Fuzzing
✅ B. Static code analysis – This method reviews the application’s source code without executing it to detect potential vulnerabilities.
❌ A. Mutation testing – Tests the effectiveness of test cases by intentionally altering code.
❌ C. Dynamic code analysis – Involves executing the application.
❌ D. Fuzzing – Sends random or invalid data to the application to uncover flaws.
💡 Security+ Tip:
If the question mentions code review without execution, it’s referring to static code analysis. If the code is running during the test, it’s dynamic.
Charles is worried about users conducting SQL injection attacks. Which of the following solutions will best address his concerns?
A. Using secure session management
B. Enabling logging on the database
C. Performing user input validation
D. Implementing TLS
✅ C. Performing user input validation – This ensures user-supplied data is clean and prevents malicious SQL statements from being executed.
❌ A. Using secure session management – Helps protect sessions, not SQL queries.
❌ B. Enabling logging on the database – Useful for detection, but not prevention.
❌ D. Implementing TLS – Encrypts data in transit but doesn’t protect against injections.
💡 Security+ Tip:
SQL injection prevention almost always points to input validation or parameterized queries. Look for phrases like user input or malformed SQL.
Precompiled SQL statements that only require variables to be input are an example of what type of application security control?
A. Parameterized queries
B. Encoding data
C. Input validation
D. Appropriate access controls
✅ A. Parameterized queries – These separate SQL code from user input, preventing injection attacks.
❌ B. Encoding data – Useful for XSS, not SQL injection.
❌ C. Input validation – Validates input but doesn’t structure the query like parameterization does.
❌ D. Appropriate access controls – Manages user privileges, not query structure.
💡 Security+ Tip:
When the question mentions precompiled statements or separating input from SQL, the answer is almost always parameterized queries.
During a web application test, Ben discovers that the application shows SQL code as part of an error provided to application users. What should he note in his report?
A. Improper error handling
B. Code exposure
C. SQL injection
D. A default configuration issue
✅ A. Improper error handling – Revealing internal code or SQL errors to users is a security risk and poor coding practice.
❌ B. Code exposure – Not a standard term for this specific issue.
❌ C. SQL injection – Could be the result, but the behavior itself is due to error handling, not the injection.
❌ D. A default configuration issue – This is too vague and not specific to error messages.
💡 Security+ Tip:
If the system reveals technical details or internal code in error messages, it’s usually a question about improper error handling.
The application that Scott is writing has a flaw that occurs when two operations are attempted at the same time, resulting in unexpected results when the two actions do not occur in the expected order. What type of flaw does the application have?
A. Dereferencing
B. A race condition
C. An insecure function
D. Improper error handling
✅ B. A race condition – This happens when the timing or order of operations affects the result, creating a security flaw.
❌ A. Dereferencing – Refers to using a pointer incorrectly, not timing.
❌ C. An insecure function – Not a specific or accurate match.
❌ D. Improper error handling – Involves revealing sensitive info, not timing.
💡 Security+ Tip:
If the question mentions issues with timing or sequence of events, especially with concurrent operations, think race condition.
Every time Susan checks code into her organization’s code repository, it is tested and validated, and then if accepted, it is immediately put into production. What is the term for this?
A. Continuous integration
B. Continuous delivery
C. A security nightmare
D. Agile development
✅ B. Continuous delivery – Refers to automated build, test, and release processes that push validated code into production.
❌ A. Continuous integration – Only includes building and testing, not deployment.
❌ C. A security nightmare – Not a real term.
❌ D. Agile development – A methodology, not a deployment process.
💡 Security+ Tip:
If code is automatically deployed to production after testing, it’s continuous delivery. If it stops at testing, it’s continuous integration.
Tim is working on a change to a web application used by his organization to fix a known bug. What environment should he be working in?
A. Test
B. Development
C. Staging
D. Production
✅ B. Development – This is where code is written and modified before it’s tested or staged.
❌ A. Test – Used after development to validate functionality.
❌ C. Staging – Mimics production for final checks.
❌ D. Production – Live environment; changes shouldn’t be made directly here.
💡 Security+ Tip:
If the question involves coding or bug fixing, the correct environment is usually development.
Ricky is concerned that developers in his organization make use of third-party code in their applications, which may introduce unknown vulnerabilities. He is concerned about the risk of the organization running code that it is not aware it is using. Which one of the following activities would best address this risk?
A. Web application firewalls
B. Package monitoring
C. Static analysis
D. Dynamic analysis
✅ B. Package monitoring – Tracks and monitors third-party libraries and dependencies for vulnerabilities or unauthorized changes.
❌ A. Web application firewalls – Protect against web attacks, not third-party code usage.
❌ C. Static analysis – Reviews code for flaws but doesn’t monitor external packages.
❌ D. Dynamic analysis – Tests running code, but doesn’t track package sources.
💡 Security+ Tip:
If the concern is third-party or hidden libraries, the answer is package monitoring — it helps detect and manage software supply chain risks.
Which one of the following is not an advantage of automation in cybersecurity operations?
A. Enforcing baselines
B. Technical debt
C. Employee retention
D. Standardizing infrastructure configurations
✅ B. Technical debt – This is a risk, not a benefit. It refers to outdated or unmaintained automation scripts causing long-term problems.
❌ A. Enforcing baselines – A benefit of automation.
❌ C. Employee retention – Automation helps reduce burnout.
❌ D. Standardizing infrastructure configurations – Another automation advantage.
💡 Security+ Tip:
If the answer is something negative or requiring long-term maintenance, it’s likely part of “Other Considerations”, not a benefit.
Chris is creating a script that will automatically screen any user requests and flag those that exceed normal thresholds for manual review. What term best describes this automation use case?
A. User provisioning
B. Guard rails
C. Ticket creation
D. Escalation
✅ B. Guard rails – Guard rails are policy-enforcing scripts that prevent misconfigurations, violations, or abnormal activity.
❌ A. User provisioning – Refers to account and access automation.
❌ C. Ticket creation – Creates incidents or support tickets.
❌ D. Escalation – Notifies higher levels when issues need urgent attention.
💡 Security+ Tip:
If the question involves enforcing rules or preventing actions, think guard rails. If it involves creating accounts or tickets, that’s a different use case.
Which one of the following is not a common drawback of automating cybersecurity operations?
A. Reducing employee satisfaction
B. Creating single points of failure
C. Costs
D. Complexity
✅ A. Reducing employee satisfaction – This is not a known drawback of automation. In fact, automation often improves satisfaction by removing repetitive tasks.
❌ B. Creating single points of failure – A valid risk if automation isn’t properly designed.
❌ C. Costs – Automation may involve high upfront investment.
❌ D. Complexity – Developing and managing automation requires technical skill.
💡 Security+ Tip:
Watch for answers that sound plausible but aren’t in the official list. Reducing employee satisfaction is not listed as a common automation drawback on the exam.
Frank is investigating a security incident where the attacker entered a very long string into an input field, which was followed by a system command. What type of attack likely took place?
A. Cross-site request forgery
B. Server-side request forgery
C. Command injection
D. Buffer overflow
✅ D. Buffer overflow – The attacker overfilled memory buffers and executed additional code (like a system command).
❌ A. Cross-site request forgery – Tricks a user into making an unintended request.
❌ B. Server-side request forgery – Forces a server to make a request on the attacker’s behalf.
❌ C. Command injection – Involves submitting OS commands, but not necessarily via buffer manipulation.
💡 Security+ Tip:
If the scenario mentions excessive input size and memory manipulation, it’s most likely a buffer overflow.
What type of attack places an attacker in the position to eavesdrop on communications between a user and a web server?
A. On-path attack
B. Session hijacking
C. Buffer overflow
D. Meet-in-the-middle
✅ A. On-path attack – Formerly known as man-in-the-middle, this attack lets the adversary intercept, alter, or observe communications between two systems.
❌ B. Session hijacking – Focuses on stealing session tokens, not necessarily listening in.
❌ C. Buffer overflow – A memory attack, unrelated to network traffic.
❌ D. Meet-in-the-middle – A cryptographic attack targeting encryption processes, not eavesdropping.
💡 Security+ Tip:
If the attacker intercepts or relays communication between two parties, the exam is pointing to an on-path (MITM) attack.
Tom is a software developer who creates code for sale to the public. He would like to assure his users that the code they receive actually came from him. What technique can he use to best provide this assurance?
A. Code signing
B. Code endorsement
C. Code encryption
D. Code obfuscation
✅ A. Code signing – Uses digital signatures to verify authenticity and integrity of code from a trusted source.
❌ B. Code endorsement – Not a real cryptographic term.
❌ C. Code encryption – Hides content but doesn’t prove origin.
❌ D. Code obfuscation – Makes code harder to reverse-engineer but doesn’t validate authorship.
💡 Security+ Tip:
If the question mentions verifying authorship or preventing tampered code, think code signing.
Chris is reviewing evidence of a cross-site scripting attack where the attacker embedded JavaScript in a URL that a user clicked. The web page then sent the JavaScript to the user in the displayed page. What term best describes this attack?
A. Reflected XSS
B. Stored XSS
C. Persistent XSS
D. DOM-based XSS
✅ A. Reflected XSS – Occurs when the malicious script is reflected off a web server, typically via a URL, and sent back in the immediate response.
❌ B. Stored XSS – The malicious code is saved on the server and shown to multiple users.
❌ C. Persistent XSS – Another name for stored XSS.
❌ D. DOM-based XSS – The payload is executed purely in the browser via DOM manipulation.
💡 Security+ Tip:
If the script is delivered via a URL or link and not stored, it’s reflected XSS. Stored = persistent = saved on server.
Joe checks his web server logs and sees that someone sent the following query string to an application running on the server:
www.mycompany.com/servicestatus.php?serviceID=892&serviceID=892'%20;DROP%20TABLE%20Services;--
What type of attack was most likely attempted?
A. Cross-site scripting
B. Session hijacking
C. Parameter pollution
D. On-path
✅ C. Parameter pollution – This attack passes duplicate or manipulated parameters to confuse the application or inject malicious code.
❌ A. Cross-site scripting – Targets browsers, not databases.
❌ B. Session hijacking – Involves stealing a session ID.
❌ D. On-path – Involves traffic interception, not query manipulation.
💡 Security+ Tip:
If multiple values are passed for the same parameter (e.g., serviceID=892&serviceID=892'), think parameter pollution.
Upon further inspection, Joe finds a series of thousands of requests to the same URL coming from a single IP address. Here are a few examples:
www.mycompany.com/servicestatus.php?serviceID=1
www.mycompany.com/servicestatus.php?serviceID=2
www.mycompany.com/servicestatus.php?serviceID=3
What type of vulnerability was the attacker likely trying to exploit?
A. Insecure direct object reference
B. File upload
C. Unvalidated redirect
D. Session hijacking
✅ A. Insecure direct object reference – The attacker is enumerating resource IDs to gain unauthorized access to data via predictable URLs.
❌ B. File upload – Irrelevant to what the logs show.
❌ C. Unvalidated redirect – Involves redirecting users to malicious sites.
❌ D. Session hijacking – No evidence of session token theft.
💡 Security+ Tip:
If you see someone guessing or brute-forcing object IDs in a URL (like ?id=1 to ?id=9999), it’s likely an IDOR attack.
Joe’s adventures in web server log analysis are not yet complete. As he continues to review the logs, he finds the request:
www.mycompany.com/../../../etc/passwd
What type of attack was most likely attempted?
A. SQL injection
B. Session hijacking
C. Directory traversal
D. File upload
✅ C. Directory traversal – The attacker is trying to navigate outside the intended directory structure to access sensitive files.
❌ A. SQL injection – Targets databases, not file paths.
❌ B. Session hijacking – Not related to file access.
❌ D. File upload – No uploading is shown here.
💡 Security+ Tip:
Look for patterns like ../ or ..\ — they indicate directory traversal, especially if targeting files like /etc/passwd.
Wendy is a penetration tester who wishes to engage in a session hijacking attack. What information is crucial for Wendy to obtain if her attack will be successful?
A. Session ticket
B. Session cookie
C. Username
D. User password
✅ B. Session cookie – This identifies the user’s session and is required to hijack it.
❌ A. Session ticket – A generic term; not typically used in hijacking.
❌ C. Username – Useful, but not enough to hijack a session.
❌ D. User password – That would be credential theft, not session hijacking.
💡 Security+ Tip:
If the attack involves taking over an active session, the attacker needs the session cookie/token.
Joe is examining the logs for his web server and discovers that a user sent input to a web application that contained the string WAITFOR. What type of attack was the user likely attempting?
A. Timing-based SQL injection
B. HTML injection
C. Cross-site scripting
D. Content-based SQL injection
✅ A. Timing-based SQL injection – The keyword WAITFOR is used to delay SQL execution, often to test for SQL injection vulnerabilities.
❌ B. HTML injection – This targets rendered web pages, not databases.
❌ C. Cross-site scripting – Involves JavaScript or HTML, not SQL commands.
❌ D. Content-based SQL injection – Relies on differences in error or content, not timing delays.
💡 Security+ Tip:
If you see keywords like WAITFOR, SLEEP(), or response delays, it’s a timing-based SQL injection attack.
Explain the difference between static and dynamic testing in application security.
Static Testing analyzes code without executing it.
- It identifies vulnerabilities directly in the code.
- Often provides specific remediation suggestions to developers.
Dynamic Testing analyzes code while it is running.
- It tests all user-exposed interfaces with various inputs.
- Searches for vulnerabilities during execution.
A security team is reviewing a newly developed application. To identify vulnerabilities before the code is executed, they choose a method that scans the source code and provides developers with direct feedback and remediation suggestions.
Which of the following BEST describes this type of testing?
A. Fuzz testing
B. Static analysis
C. Dynamic analysis
D. Penetration testing
✅ Correct Answer: B. Static analysis
Explanation:
Static analysis examines application source code without executing it. It’s used during the development phase to identify security vulnerabilities such as hardcoded credentials, unsafe function calls, or logic errors. This approach provides specific remediation guidance and allows developers to fix issues early in the software development lifecycle (SDLC).
❌ Incorrect Answers:
A. Fuzz testing – This is a type of dynamic testing that sends random or malformed input to an application to find vulnerabilities like crashes or buffer overflows. It requires code execution.
C. Dynamic analysis – This analyzes the application while it is running, interacting with its interfaces. It helps uncover vulnerabilities that might not be visible through static methods, such as authentication issues or logic flaws that occur during execution.
D. Penetration testing – This simulates real-world attacks to exploit vulnerabilities. It’s typically conducted after deployment, not during the development/testing phase, and is broader than static or dynamic analysis.
A web application security analyst is investigating a report from a user who clicked on a blog comment and was immediately redirected to a fake login page that mimicked the company’s portal. The user had not installed any browser extensions, and the site is hosted on the company’s internal web server.
Which of the following is the MOST likely explanation for what occurred?
A. The attacker used a cross-site request forgery (CSRF) attack to trick the server into executing unauthorized commands.
B. The attacker exploited a buffer overflow vulnerability in the browser to gain remote code execution.
C. The attacker performed a SQL injection attack to retrieve stored login credentials.
D. The attacker performed a cross-site scripting attack to inject client-side code into the website.
✅ Correct Answer: D. The attacker performed a cross-site scripting attack to inject client-side code into the website.
Explanation:
This describes a stored XSS attack, where the attacker embedded malicious code (e.g., a redirect) into the blog comment field. When the unsuspecting user viewed the page, their browser executed the injected code, redirecting them to a fake login page. The attack relies on the user's browser executing code served from a trusted site, which matches the definition of cross-site scripting.
❌ Incorrect Answers:
A. CSRF – Forces a logged-in user’s browser to make unwanted requests. It’s about exploiting trust between browser and server, not executing code in the browser.
B. Buffer overflow – This affects memory and system stability, often used for remote code execution, but not likely triggered by clicking a blog comment.
C. SQL injection – Targets the database, not the browser. It retrieves or manipulates data rather than executing client-side redirects.
💡 Security+ Tip:
If the question involves malicious code executing in the user’s browser after visiting a legitimate site, think XSS. Even if the question doesn’t show code, focus on behavior like redirects, pop-ups, or data exfiltration happening on the client side.
A developer is updating a customer-facing web application after a penetration test revealed that users could inject JavaScript into form fields and manipulate SQL queries using specially crafted input.
Which of the following would BEST help mitigate both types of attacks?
A. Implementing output encoding for web responses
B. Enforcing strong password policies
C. Performing input validation on all user-supplied data
D. Using HTTPS to encrypt traffic between clients and servers
✅ Correct Answer: C. Performing input validation on all user-supplied data
Explanation:
Input validation ensures that data entered by users conforms to expected formats and rejects malicious input such as embedded JavaScript (for XSS) or SQL syntax (for SQL injection). It is a core defense mechanism that protects against a wide range of input-based attacks.
❌ Incorrect Answers:
A. Output encoding – Helps mitigate XSS, but does not address SQL injection.
B. Strong password policies – Improve account security but don’t prevent injection attacks.
D. HTTPS encryption – Protects data in transit, but doesn’t validate or sanitize user input.
💡 Security+ Tip:
If a question asks how to defend against XSS and SQL injection, always think input validation. It’s one of the most fundamental and universal defenses against input-based web attacks.