Q1) Types of SQL injection?

A) Error
B) Blind
C) Scripted
D) Query
Information is gathered by true or false statements from database is called BLIND.
Information is gathered by error statements from database is called ERROR.

Q2) what is vulnerability?

A) Security flaw
B) Loop hole
C) Bug
D) Attack
A vulnerability is a security flaw or loophole in development of an application or program or in
security team

Q3) what are SQL payloads?

A) 1=”1”--

B) "1"="1"#

C)1'='1'

D) 1=1

Q4) Attributes of security testing?

A) Infrastructure

B) Testing

C) Authentication

D) Authorization

Security testing team tests the infrastructure, authentication and authorization process to ensure
security

Q5) XSS is used by?

A) Html
B) Java
C) Java Script
D) Python
It is a scripting attack, we use javascript for this attack.

Q6) Find XSS payloads ?

 A) <Script>alert(1)</script>
B) </tag><svg onload=alert(1)>
C) Alert{
D) Alert()

Q7) Types of XSS ?

A) DOM
B) Reflected
C) Cross site
D) Requested
Reflected is a attack which is executed for certain period of time.

Q8) New vulnerability from 2017-2021?

A) Insufficient logging and monitoring

B) Stored cross site scripting
C) Broken Authentication
D) Using components with known vulnerabilities

Q9)XSS can be performed on?

A) Client side
B) Server side
C) User based
D) System based
This attack is performed on client side

Q10) SSL connection stands for?

A) Secured socket layer

B) Secured secondary layer

C) Secured social layer

D) Secured security layer

A secured layer created for sensitive data transferring

Q11)Broken Authentication means ?

A) Breaking user identity

B) Breaking application identity
C) Breaking servers identity
D) Breaking companies identity

Q12) what are application security risks?

A) Cyber Threats
 B) Crimes
C) Business impacts
D) Security impacts

Q13) Controlling Admin level access means?

A) Low privilege

B) High privilege.

C) User privilege

D) Admin privilege

Q14) What are security breaches?

A) Ransomware
B) Phishing
C) Password guessing
D) Password Enumeration

Q15) How many types of SQL injections are there?

A) 3
B) 5
C) 6
D) 2
Error based
Authentication bypass
blind

Q16) Types of Cybersecurity domains ?

A) Application Security
B) Domain Security
C) Internet Security
D) Web Security

Q17) Types of ethical hackers?

A) Authorized Hackers
B) Un-Authorized Hackers
C) Scripted Hackers
D) Grey- Hat Hackers

Q18) OWASP Priority Level – Injection

A) A1
B) A2
 C) A3
D) A4

Q19) what is the difference between CSRF & SSRF?

A) Cross site request forgery

B) client-side operation

C) server-side request forgery

D) server-side operation

Q20) what is meant by Mitigation?

A) Remedy for risk

B) Reducing risk
C) Reducing effect of cyber security
D) Reducing effect of cyber-Threats

Q21) Process of security misconfigurations and cyber-attacks ?

A) Threat agent- attack vectors – security impacts – technical impacts

B) Threat agent- attack vectors -security weakness technical impacts
C) Threat agent- attack vectors -security weakness -technical impacts- Business impacts

Q22) Mitigation for injection attacks?

A) Injections prevention
B) Input prevention
C) Input validation
D) Output validation

Q23) Sensitive data exposure means?

A) Exposing data
B) Exposing Un-Authorized data
C) Exposing information
D) Exposing URL

Q24) Serialization Means ?

A) Sending data in FILES

B) Sending data in E-MAIL
C) Uploading data in FILES
D) Uploading data in PACKETS.

Q25) Insufficient logging and Monitoring Means?

A) Verification of Data
B) Improper Function of Application
C) Verification Monitoring Failure
 D) Improper Implementation of Logging and logout

Q26) Difference between risk and vulnerability?

A) Security risk and security flaw

B) Potential of loss and weakness in security
C) Potential of loss and Loop hole in security
D) Security loss and Bug

Q27) phishing attack Example?

A) Doing fraudulent activities with unauthorized attempts

B) Attacking on accounts
C) Sending fraud mails
D) Practice of performing fraudulent activities

Q28) Types of phishing attacks?

A) Spear
B) Vishing
C) Mail
D) Account

Q29) Missing type of phishing attack on above question?

A) Login phishing
B) Password phishing
C) User phishing
D) Whaling

Q30) Remedy for XSS?

A) Input validation
B) Output validation
C) Data sanitization
D) Prevention of untrusted data from database

Q31) pick the wrong Http response code?

A) 402
B) 200
C) 99
D) 2000

Q32) what is the response of 400 status code?

A) Ok
B) Bad request
C) Un authorized
D) Forgery request
Q33)Cross site request Forgery needs a client application to be done -

A) True
B) False

Q34) What is Prerequisite for VAPT?

A) Knowledge on VAPT
B) Knowledge and working methodologies of VAPT
C) Knowledge and working operations of VAPT
D) NONE OF THE ABOVE

Q35) Penetration testing means?

A) Psychical testing
B) Manual testing
C) Automation testing
D) Security testing

Q36) What are the factors that cause Vulnerabilities?

A) Security Flaws
B) Security Misconfigurations
C) Human Error
D) All the Above

Q37) What is Enumeration?

A) To test the code

B) To test the URL
C) To extract username
D) To extract password

Q38) What is URL manipulation?

A) Hackers manipulation on the website

B) Hackers manipulation on the webpage
C) Hackers manipulation on the web Application
D) Hackers manipulation on the web URL

Q39) Tools for Security Testing?

A) OpenVAS
B) OWASP
C) SQL map
D) White box

Q40) What is Reconnaissance?

A) To secure the Applications

B) To secure the Network
 C) Gathering data
D) Gathering information by active and passive attention

Q41) Different password cracking methods?

A) Brute force
B) Guessing
C) Password Enumeration
D) Foot printing

Q42) Attack that uses to take over accounts?

A) Brute force
B) Phishing
C) CSRF
D) All the above

Q43) Data protection Using different methods?

A) Cryptography
B) Encryption
C) Decryption
D) Hiding data

Q44) Different brute force attacks?

A) O.T.P
B) Password
C) Login
D) User

Q45) IDOR comes under which category?

A) Authentication
B) Authorization
C) Business logic issues
D) Sensitive data exposure

Q46) which injection is used to perform SSRF?

A) SQL Injection
B) CSS injection
C) XML injection
D) Template injection

Q47) What is VPN?

A) Virtual network pin

B) Virtual key network
C) Private network
D) Virtual private network
Q48) what are authorization header analysis?

A) Barer token
B) Custom
C) Basic auth token
D) None

Q49) Is it possible to perform CSRF when we place an anti – CSRF Token –

A) Yes
B) No
If yes; mention the reason

Q50) Cookies contain information? What type of information?

A) Yes
B) No
C) Mention detailed explanation of information type.
User interests, logs, session details,

Q51) write down Complete Authentication process life cycle with a real time application as example

Q52) Perform 3 different password cracking attacks

Shoulder surfing: watching entering passwords from behind
Password enumeration: guessing passwords
Brute force: logical approach of guessing passwords

Q53) perform phishing attack on users using real-time approach

Q54) Name top 10 OWASP in order from 2017-2021

Injection attack
Broken authentication
Cryptographic failures
Security misconfiguration
Directory traversal
Broken access control
CSRF
Insufficient logging and monitoring
Using known vulnerabilities

Q55) write down the steps for securing a web and mobile application to prevent vulnerabilities
using prevention and mitigation techniques
26) What is network
Connection of multiple devices to ensure communication is called NETWORK.

27) What is internet

It is the interconnection of networks.

28) What is web

Accessing information via specified protocols like http, https

29) What is cyber threat

The threats related to digital crimes.

30) What is vulnerability

It is a security flaw, or loophole or error in code or in development process.

31) What is the difference between cyber threat and vulnerability

Threat executed with exploitation by using vulnerability

32) What is OSI model

it is standard for data transmission from two systems. It is a open systems interconnection. Which
determines the standard process for data transmission.

33) What is IP
It is the identification device on the network.

34) List different protocols

TCP/IP: for establishing connections
http: for for transferring text information
ftp: for transferring files
smtp: for message communication

35) Definition and description for protocols

A protocol is a set of rules set for communication or data transmission. These are for defining the
standards for services.

36) What is CIA in cyber security

It is a triad for ensuring security for a company. CONFIDENTIALITY, INTEGRITY, and AVAILABILITY
are the main attributes of cyber security.

37) What are the essentials of cyber security

Physical, network and administrative controls are the essentials of cyber security. Firewalls, ids,
ips, authentication panels, encryption etc are the essentials.
38) What is difference between hacking and ethical hacking
Altering the application or software’s original purpose of developer for features modifications is
called hacking. A hacker is a person who has knowledge about the computers technology and
altering.

39) Do’s and Don’ts in cyber security

don’t click on suspicious links
don’t download unauthorized files

encrypt the data

maintain authorization

40)What is the risk of application security

Broken Authentication is the major problem and employing known vulnerabilities and
insufficient logging and monitoring. Not performing input validation.

41) What is a proxy server

it is a server which is used for spoofing the network identity of the user.

42) What is VPN

It is a private network which tunnels user traffic over encrypted tunnel.

43) What is cryptography

it is a process of converting plain text data to cypher text and assigning keys to the data for
security. Roughly, converting data into non-human readable format.

44) Difference between hashing and cryptography

Hashing is a key value assigned to the specified text for safe storing in database. Cryptography
deals with data manipulation.

45) What is the difference between vulnerability assessment and penetration testing
VA is the process of identifying, understanding and prioritizing them based on their
effect/impact.
It is the process of penetrating the networks & systems for security testing.

46) What is handshake and what is three-way handshake

Handshake is the process of establishing connection and verification.
3-way handshake is the process used by TCP LAYER for SYN.ACK.SYN/ACK processes.

47) What is response code and what is request code

These are the codes used by server for distinguishing and identifying works.
48) What are request methods
GET, PUT, DELETE, POST

49) What is firewall and why it is used

It is a security feature using for filtering traffic based on pre-defined protocols set by
administrator.

50) What is SSL encryption

it is used for encrypting web traffic/requests/responses.

51) What is data leakage

Exposure of sensitive data.

52) What is IP and what is port

Ip is for identifying device on network.
Port is for distinguishing services.

53) Explain about different layers of OSI model

Application layer: it gives user interaction to application. It deals about API for application aware
to network.
Presentation layer: it encrypts and translates the data in readable format.
Session layer: it is used for creating sessions.
Transport layer: it is used for reliable data transmission. It assigns port numbers for the specific
service.
Network layer: it routes the data over network. It assigns Ip addresses to the requests.
Data link layer: it ensures the data transmission without error. It deals with FRAMES.
Physical layer: data transmitted over cables, radio waves etc. here data is in the form of bits.