IT – WS04
Web System Vulnerabilities
Name: Date:
Section: Score:
General Instructions:
Read each question carefully and choose the BEST answer from the options provided.
Use a black ballpen for your answers.
Erasures are considered wrong.
1. Multiple Choice:
1. What is the primary focus of Chapter 6?
a. Website design
b. Injection attacks
c. Browser security
d. HTTP protocols
2. What does "--" mean in a SQL injection query?
a. beautiful query
b. strong query
c. comment
d. For faster query
3. Which type of injection attack involves manipulating SQL statements to gain unauthorized access to a
database?
a. Cross-site scripting (XSS)
b. Command injection
c. SQL injection
d. Remote code execution
4. In the SQL injection attack example, what character is used to terminate the email parameter early and trick
the database driver?
a. !
b. '
c. #
d. ;
COLLEGE OF INFORMATION TECHNOLOGY
6. Which of the following statements accurately describes the significance of SQL injection attacks on
websites?
a. They only affect websites with a small user base.
b. They are limited to disrupting website design.
c. They pose a significant risk as they can lead to unauthorized access and data manipulation.
d. They primarily target browser vulnerabilities.
7. What type of attack involves passing malicious code in an HTTP request to trick the server into executing the
code?
a. Cross-site scripting (XSS)
b. Remote code execution
c. Cross-site request forgery (CSRF)
d. Command injection
8. In SQL databases, what is the purpose of the SELECT statement?
a. Add rows to the database
b. Update rows in the database
c. Read rows from the database
d. Remove rows from the database
9. How can a hacker exploit a vulnerable website using SQL injection beyond bypassing authentication?
a. Execute arbitrary SQL statements
b. Upload malicious files to the server
c. Inject JavaScript code into web pages
d. All of the above
10. What is the recommended mitigation technique to protect against SQL injection attacks in web
development?
a. Use strong encryption for database connections.
b. Regularly update the server's operating system.
c. Implement input validation and sanitization.
d. Increase the server's processing speed.
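Worked example for questions 2, 4 and 10 (added for this worksheet; it is not code from the quiz or from its source textbook). The database, table, user row and attack string are all constructed here. The string-built query shows how a stray quote ends the email literal early and how "--" comments out the password check; the parameterized query is the primary fix, with input validation as a complement rather than a replacement.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for a real login database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice@example.com', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """String-built query: whatever the user typed becomes part of the SQL grammar."""
    query = (
        "SELECT email FROM users "
        f"WHERE email = '{email}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Placeholder query: the driver passes values separately, so ' and -- stay data."""
    query = "SELECT email FROM users WHERE email = ? AND password = ?"
    return conn.execute(query, (email, password)).fetchone() is not None


def quote_breaks_query(conn: sqlite3.Connection, email: str) -> bool:
    """Question 4: a stray ' closes the string literal early and leaves the driver
    with a malformed statement, which surfaces as a syntax error from the database."""
    try:
        login_vulnerable(conn, email, "anything")
        return False
    except sqlite3.OperationalError:
        return True


# Constructed attack input (questions 2 and 4): the quote ends the email literal
# and -- comments out the rest of the statement, including the password check.
PAYLOAD_EMAIL = "alice@example.com' --"
```

With the payload, the vulnerable function runs `SELECT email FROM users WHERE email = 'alice@example.com' --' AND password = '...'` and logs the attacker in as alice with any password; the parameterized version compares the whole payload string against the email column and finds nothing.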
16. How does the principle of least privilege apply to mitigating command injection attacks?
A. Granting maximum permissions to web servers
B. Limiting web server privileges to required actions
C. Using complex command strings
D. Disabling all command line calls
17. What distinguishes remote code execution from SQL and command injection attacks?
A. Nature of injected code
B. Involvement of error messages
C. Targeted server components
D. Execution location of malicious code
18. What is the role of serialization in remote code execution vulnerabilities?
A. Preventing code execution
B. Converting data structures to binary data
C. Enhancing server performance
D. Reducing network latency
19. How can developers protect against insecure deserialization leading to remote code execution?
A. Use less secure serialization libraries
B. Enable active code execution features
C. Apply relevant configuration settings to disable code execution
D. Avoid third-party serialization libraries
20. How does a developer, who doesn't write web server code, protect against remote code execution in their
web stack?
A. Write custom serialization libraries
B. Disable all security features
C. Stay aware of security advisories and disable active code execution
D. Use only first-party serialization libraries
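Worked example for questions 18 to 20 (added for this worksheet; not code from the quiz or its source textbook). Python's pickle is the serialization library here, and the profile data, the attacker's payload and the `attacker_callback` stand-in are constructed for the demonstration. The `__reduce__` hook is how a serialized stream tells the deserializer which callable to invoke, so loading untrusted bytes runs attacker-chosen code; the hardened loader disables that lookup, and the JSON loader avoids code-bearing formats altogether.

```python
import io
import json
import pickle

EXECUTED = []  # records any code that ran purely because bytes were deserialized


def attacker_callback(marker: str) -> str:
    """Harmless stand-in for what a real gadget calls (os.system, subprocess, ...)."""
    EXECUTED.append(marker)
    return marker


class MaliciousProfile:
    """pickle asks __reduce__ how to rebuild the object; the answer is 'call this'."""

    def __reduce__(self):
        return (attacker_callback, ("code ran during unpickling",))


def build_malicious_payload() -> bytes:
    """Constructed attacker input sent in place of a legitimate serialized profile."""
    return pickle.dumps(MaliciousProfile())


def build_benign_payload() -> bytes:
    """Constructed legitimate input: plain data, no references to callables."""
    return pickle.dumps({"name": "alice", "role": "user"})


def load_profile_vulnerable(data: bytes):
    """pickle.loads() imports and calls whatever global the stream names."""
    return pickle.loads(data)


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler with active code execution disabled: refuses every global lookup,
    so only literals, lists, dicts and the like can come out of the stream."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name} from untrusted data")


def load_profile_hardened(data: bytes):
    return DataOnlyUnpickler(io.BytesIO(data)).load()


def hardened_rejects(data: bytes) -> bool:
    """True when the hardened loader refuses the stream without running anything."""
    try:
        load_profile_hardened(data)
        return False
    except pickle.UnpicklingError:
        return True


def load_profile_json(data: bytes) -> dict:
    """Preferred for untrusted input: JSON carries data only, never code to run."""
    profile = json.loads(data.decode("utf-8"))
    if not isinstance(profile, dict):
        raise ValueError("profile must be a JSON object")
    return profile
```

The same shape applies to other stacks: keep deserialization of untrusted data to data-only formats, and where a code-bearing serializer must be used, configure it to refuse class or callable references rather than relying on the caller to spot a hostile stream.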
23. When running a Python web server on Linux, you can set file permissions at the moment a file is
created by using the ___.
a) or module
b) og module
c) os module
d) iso module
26. The first and most important approach to securing file upload functions is to ensure that your
web server treats uploaded files as inert rather than executable objects. Which mitigation is this?
a) Ensure Uploaded Files Cannot Be Executed
b) Validate the Content of Uploaded Files
c) Host Files on a Secure System
d) Run Antivirus Software
27. Websites use this for a variety of purposes: letting users add images to their profile or posts,
adding attachments to messages, submitting paperwork, sharing documents with other users, and so on. What is it?
a) file download function
b) file function
c) file readable function
d) file upload function
28. If you accept uploads of a known file type, consider adding file-type checking to your code. Which mitigation is this?
a) Ensure Uploaded Files Cannot Be Executed
b) Validate the Content of Uploaded Files
c) Host Files on a Secure System
d) Run Antivirus Software
Answers: 1-10
1. b. Injection attacks
2. c. comment
3. c. SQL injection
4. b. '
5. c. To securely replace input values.
6. c. They pose a significant risk as they can lead to unauthorized access and data manipulation.
7. b. Remote code execution
8. c. Read rows from the database
9. d. All of the above
10. c. Implement input validation and sanitization.
Answers: 11-20
11. B. Redundant security measures at every level of the stack
12. C. Restricting processes and applications to minimal necessary permissions
13. A. Presence of error messages
14. C. Command injection attacks
15. C. Replacing sensitive control characters with safe alternatives
16. B. Limiting web server privileges to required actions
17. D. Execution location of malicious code
18. B. Converting data structures to binary data
19. C. Apply relevant configuration settings to disable code execution
20. C. Stay aware of security advisories and disable active code execution
Answers: 21-30
21. A
22. B
23. C. os module
24. A
25. D
26. A. Ensure Uploaded Files Cannot Be Executed
27. D. file upload function
28. B. Validate the Content of Uploaded Files
29. B
30. A
Members:
Kyan G. Gonzales
Ric Darrel Pajarillaga
Erica M. Bote
Mary Jane Dela Cruz
Hennryx Samson
Ivan R. Bulacan
Mc Perez
Danica Amboy
Leonel Salvador