Certified Application Security Engineer JAVA Practice Test 2
Question 1 of 50
Which of the following are DOS attacks?
All of these are examples of DoS attacks, which render the application unavailable or unreasonably slow to respond.
Question 2 of 50
Use java.sql.Statement class to prevent SQL Injection
You must use java.sql.PreparedStatement to prevent SQL Injection, as it performs type checking of user inputs supplied as parameters. Prepared statements also improve performance when the same SQL statement is executed repeatedly.
Question 3 of 50
In a __ attack, the attacker tricks the user into accessing a genuine web server using an explicit sessionId value
In a Session Fixation attack, the attacker assumes the identity of the victim using their sessionId and exploits their credentials at the server.
Question 4 of 50
A HttpSession can be validated with the invalidate() method
__ provides a security layer that protects the web server from malicious traffic
WAF. A traditional firewall cannot secure web servers from a malicious traffic attack, as the attack occurs at layer 7 of the network stack.
Question 12 of 50
__ provides a structured approach for identifying, prioritizing and managing the security risks in an organization
Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) is an information risk evaluation method that enables an organization to determine the risk factors affecting the confidentiality, integrity and availability of its assets.
Question 13 of 50
The Key Management system provides private keys to create digital signatures and public keys for verifying the digital signatures
True. Elements of a KMS include keys, certificates and identities.
__ vulnerability exists when a developer uses an internal object implementation directly on the user interface
Due to Insecure Direct Object References, an attacker learns about the internal implementation and may use the object references as part of a URL to access and modify sensitive information without any authorization.
Question 17 of 50
__ is a time-consuming process and has less chance of producing false positives and false negatives
Manual Secure Code Review has less chance of producing false positives and false negatives, but is time consuming.
Question 18 of 50
Security requirements are __ requirements specifying what the software should not do
Security requirements are negative requirements specifying what the software should not do.
Information disclosure is aimed at reading a file that one was not granted access to, or at reading data in transit.
Question 23 of 50
__ is aimed at performing illegal operations in a system that lacks the ability to trace the prohibited operations
A system that does not perform auditing can be exploited by repudiation.
Question 24 of 50
Which of the following is not part of SDLC?
SDLC consists of Requirements, Design, Development, Testing, Deployment and Maintenance.
Question 25 of 50
You must avoid printing the stack trace when an error occurs
True. Printing the stack trace can provide an attacker with information about the structure and state of the process.
Question 26 of 50
Always validate file extensions while uploading files
True. Otherwise an attacker can upload any file and have a command executed from it.
Question 27 of 50
__ may provide a path for attackers to perform injection attacks such as XSS, SQL injection, etc.
An application receives inputs from various sources such as human users, browsers and network devices; these inputs can be suspicious or untrusted, and hence you must validate them.
Question 28 of 50
__ provides a means for eliciting, categorizing and prioritizing security requirements for information technology systems and applications
Security Quality Requirements Engineering (SQUARE) provides a means for eliciting, categorizing and prioritizing security requirements for information technology systems and applications.
Question 29 of 50
java.crypto.SecretKey is used in __ encryption algorithms and uses the same key for encryption and decryption
One should always set the time period of a session to be shorter.
True. If the session time period is set to a shorter duration, the attacker has less time to steal the cookies, reducing the risk of stolen cookies.
Question 31 of 50
__ is aimed at maliciously changing or modifying persistent data
Tampering is aimed at maliciously changing or modifying persistent data, such as data held in a database, or altering data in transit between two computers over an open network such as the internet.
Question 32 of 50
__ in Java are caused by irrecoverable conditions such as a memory leak, LinkageError, etc., that cannot be handled in programs
False. Checked Exceptions are compile-time exceptions and can be handled by programmers.
Question 36 of 50
In which phase of SDLC should you use SAST?
SAST must be used in the Development phase of SDLC.
Question 37 of 50
You should remove the server banner from Tomcat
True. The server banner gives out product and version details, which leads to an information disclosure vulnerability.
Question 38 of 50
An application is said to be secure when it ensures __ of its restricted resources.
Remember the Confidentiality, Integrity and Availability (CIA) Triad.
Question 39 of 50
__ attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user’s browser to send malicious requests, which they did not intend to send.
In a CSRF attack the victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user’s session.
Question 40 of 50
You must allow trace in production-deployed applications
Which are the logging levels available in Java log4j?
Log levels available in log4j are Debug, Warn, Info, Fatal, Error and Off.
Question 42 of 50
Invalid Data Input can cause __
Invalid Data Input can cause HTML Splitting, XFS, XSS, LDAP Injection, SQL Injection, XPath Injection, XML Injection, XXE Injection, Buffer Overflows and File Uploads.
Question 43 of 50
__ gives insight into source code such as logic flaws, default accounts, etc.
Using the information received from an error message, an attacker identifies vulnerabilities for launching various web application attacks.
Question 44 of 50
__ is a free open-source API for securing web applications, provided by OWASP
__ is an open framework to help an organization formulate and implement a strategy for software security that is tailored to the specific risks faced by the organization