Common web security threats (e.g., cross-site scripting, SQL injection) MCQs

The primary goal of Security Awareness Training is to educate users and staff about security risks and best practices.

Security Information and Event Management (SIEM) is a comprehensive solution for managing and analyzing security events in real-time.

The primary goal of a Threat Model is to identify and understand potential threats and vulnerabilities in a system or application.

Clickjacking is an attack that tricks users into clicking on hidden malicious elements by overlaying them on top of legitimate content.

A Security Token is a unique token used to verify the authenticity of a user or request, often used to prevent CSRF attacks.

Security as Code is a security approach that relies on automated security checks and testing integrated into the development process.

A Bastion Host is a secure gateway used to access other systems, providing an additional layer of security.

Cross-Origin Resource Sharing (CORS) is a security approach that controls how web pages can request resources from different domains to prevent unauthorized access.

Cross-Site Scripting (XSS) is a vulnerability that allows an attacker to inject malicious scripts into web pages viewed by other users.

SQL Injection targets databases and their queries, allowing attackers to manipulate the database.

The primary goal of CSRF attacks is to force a user to perform actions on a web application without their consent.

SSL/TLS is used to encrypt data transmission between a client and a server, ensuring confidentiality and integrity.

Unvalidated input is not directly related to DDoS attacks, which focus on overwhelming a server's resources.

Clickjacking involves tricking users into clicking on something different from what they perceive.

A Man-in-the-Middle (MitM) attack involves intercepting data between a client and a server.

The primary goal of a DDoS attack is to overwhelm a server's resources, making it unavailable to users.

A Web Application Firewall (WAF) is designed to prevent common web security threats like XSS and SQL Injection.

Session Hijacking involves taking over a user's active session, often through stolen session tokens.

Phishing attacks aim to trick users into revealing sensitive information, such as login credentials.

Input validation and output encoding are common countermeasures against XSS attacks.

A Zero-Day Exploit targets a software vulnerability on the same day it's discovered, before a fix is available.

CSP defines which resources are allowed to be loaded by a web page, helping prevent certain types of attacks.

Input Validation helps prevent SQL Injection and other similar attacks by validating and sanitizing user input.

CDNs accelerate content delivery and reduce server load, improving website performance.

Input validation and output encoding are common countermeasures against SQL Injection attacks.

Session Management aims to manage user sessions securely and prevent session hijacking.

A Security Token is a token that identifies a user's session and is often used to prevent session hijacking.

CAPTCHAs are used to differentiate between human users and automated bots, helping prevent abuse.

Security Through Obscurity relies on keeping vulnerabilities secret, which is not a recommended security practice.

Data Encryption aims to protect sensitive data from unauthorized access.

Directory Traversal is an attack that allows unauthorized access to restricted directories.

Rate Limiting controls the rate at which requests are allowed, helping prevent abuse.

Access Control aims to control and restrict user access to resources, ensuring proper authorization.

Server-Side Request Forgery (SSRF) is an attack that tricks the server into making malicious requests.

The primary goal of Content Spoofing is to display fake content to deceive users.

Security Misconfiguration refers to vulnerabilities resulting from improper security settings and configurations.

Insecure Deserialization is an attack that exploits insecure handling of serialized objects in web applications.

The primary goal of a Security Assessment is to evaluate and identify vulnerabilities in a web application.

XML External Entity (XXE) is an attack that exploits insecure XML processing in web applications.

A Brute Force Attack involves attempting to guess a user's password through repeated trials.

The primary goal of Security Patch Management is to regularly update and apply security patches to software to fix known vulnerabilities.

Data Exfiltration involves the unauthorized theft, copying, or retrieval of data from a system.

Remote File Inclusion (RFI) involves an attack that includes files from a remote server in a web application.

Credential Stuffing is an attempt to guess a user's password through repeated trials using previously leaked credentials.

Two-Factor Authentication (2FA) provides an additional layer of security using two authentication factors, typically something the user knows and something the user possesses.

Pharming is an attack that redirects users to malicious websites, often through DNS manipulation.

A CSRF Token is a security token used to prevent Cross-Site Request Forgery (CSRF) attacks.

Honeypots are used to trick attackers into revealing their methods and tactics by simulating vulnerable systems.

Zero Trust is a trust model that verifies and validates users and devices continuously, regardless of their location or network.

Third-Party Risk Management involves managing and mitigating risks associated with third-party vendors who have access to your systems or data.