Chapter 51 Β· Quiz

Application Attacks Quiz

6 multiple-choice questions and a matching section. Submit to reveal answers and explanations.

Question 1 of 6
An attacker enters admin' -- into a login form's username field with any value in the password field. How does this input bypass authentication?
Question 2 of 6
An attacker attempts a buffer overflow but supplies random data without knowing the target application's memory layout. What is the most likely outcome?
Question 3 of 6
CVE-2023-29336 is a vulnerability in the Win32k kernel driver. An attacker who already has a low-privilege user shell on an affected machine exploits it. What does this exploitation achieve?
Question 4 of 6
A web application processes fund transfers. A logged-in user clicks a link in a phishing email; the link causes their browser to silently submit a transfer to the attacker's account. The server processes it as legitimate. Which defense would have most directly prevented this outcome?
Question 5 of 6
A web server access log contains the entry: GET /view.php?page=../../../etc/passwd HTTP/1.1" 200. What does this entry indicate?
Question 6 of 6
Why do parameterized queries prevent SQL injection architecturally, while input escaping and WAF filters are only considered secondary controls?
Matching β€” Application Attack Types
Match each term on the left to its correct description on the right.
1. SQL Injection
2. Buffer Overflow
3. CSRF
4. Directory Traversal
A. Web application attack that exploits the browser's automatic session cookie inclusion β€” the attacker causes the victim's authenticated browser to submit state-changing requests to a trusted site without the user's knowledge or intent
B. Attack that inserts malicious commands into database queries through unsanitized application input fields, enabling authentication bypass, unauthorized data access, record modification, or table deletion
C. Attack that uses ../ sequences in URL parameters to navigate outside the web server's intended directory, allowing access to system files, configuration files, or credentials that are outside the web root
D. Vulnerability where a program writes more data to a fixed-size memory buffer than it can hold, potentially overwriting adjacent memory including the return address with attacker-controlled values to achieve arbitrary code execution