Chapter 80 · Quiz

Application Security — Quiz

10-question assessment covering input validation, fuzzing, secure cookies, SAST capabilities and limitations, code signing, sandboxing, and application security monitoring.

Question 1 of 6
A development team wants to discover input validation gaps before deploying a new web application. They use an automated tool that generates thousands of unexpected, malformed, and boundary-value inputs — including oversized strings, null bytes, special characters in numeric fields, and negative numbers where positive values are expected — and submits them to the application to observe crashes or unexpected behavior. What technique is this?
Question 2 of 6
A web application sets a session cookie after successful login. A security auditor finds that the cookie lacks the Secure attribute. What specific risk does this create?
Question 3 of 6
A SAST tool scans an application and flags a call to gets() as a potential buffer overflow vulnerability. The same application uses AES encryption with a 128-bit key and a hardcoded initialization vector (IV) that never changes across sessions — a serious cryptographic flaw. Which of these two vulnerabilities will the SAST tool most likely identify?
Question 4 of 6
A user downloads a software update from a vendor's website. Before installation, the operating system verifies the code signing signature and displays a warning: "The digital signature of this file is invalid." What does this warning most likely indicate, and what should the user do?
Question 5 of 6
An attacker exploits a vulnerability in a mobile banking app's PDF viewer feature. They achieve code execution within the PDF viewer process. Despite this, they cannot access the user's stored account credentials in the banking app's secure storage, cannot read messages from the messaging app, and cannot silently activate the microphone. Which security control most directly limited the attacker's capabilities after exploitation?
Question 6 of 6
An application security monitoring system generates an alert: in the past 10 minutes, a single user account has made 847 requests to the application — compared to a baseline of fewer than 30 per 10-minute period for this user. The account is attempting to access administrative endpoints it has never accessed before. Which monitoring capability detected this, and what does the pattern most likely indicate?

Matching

Match each application security scenario to the term it best represents.

1. A developer's automated build pipeline runs a security scan on every code commit. After one commit, the scan flags line 203 as using a function that performs no bounds checking on the destination buffer, recommending a safer alternative.
2. A web application rejects any username containing single quotes, double dashes, or semicolons, returns an error message asking the user to re-enter valid characters, and normalizes all input by decoding percent-encoded characters before applying the character check.
3. A mobile gaming app has been granted permission to use the device's display and speakers. When the app is compromised through a malicious in-game ad, the attacker can manipulate the game but cannot read the user's contact list, access their photos, or interact with other installed applications.
4. Before a software installer executes, the operating system uses the application's attached certificate (issued by a trusted CA) and the developer's public key to verify that the installer binary matches the hash the developer computed when they released it.
A. SAST
B. Input validation
C. Sandboxing
D. Code signing