GWAPT Web Application Security Testing & Vulnerabilities

Question 1

What is SQL injection?

Accepted Answer

A vulnerability that allows database manipulation

Answer

SQL injection is a common web security vulnerability that allows an attacker to interfere with the queries an application makes to its database. By injecting malicious SQL code into input fields, an attacker can trick the database into executing unintended commands. This can lead to unauthorized access to sensitive data, data modification, or even complete control over the database server.

Question 2

Which of the following is a common vulnerability in web applications?

Accepted Answer

Cross-Site Scripting (XSS) and SQL injection

Answer

Cross-Site Scripting (XSS) and SQL injection are consistently ranked among the most prevalent and dangerous web application vulnerabilities. XSS allows attackers to inject client-side scripts into web pages viewed by other users, while SQL injection enables malicious database manipulation. Both exploit improper input validation and can lead to severe data breaches, session hijacking, or website defacement.

Question 3

What does Cross-Site Scripting (XSS) allow an attacker to do?

Accepted Answer

Inject malicious scripts into a webpage

Answer

Cross-Site Scripting (XSS) is a type of security vulnerability typically found in web applications that enables attackers to inject client-side scripts into web pages viewed by other users. This allows the attacker to bypass access controls, steal session cookies, deface websites, or redirect users to malicious sites. The injected script executes in the victim's browser, appearing to come from the legitimate website.

Question 4

What is the primary purpose of web application penetration testing?

Accepted Answer

To find and fix security vulnerabilities

Answer

The primary purpose of web application penetration testing is to proactively identify security weaknesses and vulnerabilities within a web application before malicious attackers can exploit them. Testers simulate real-world attacks to uncover flaws in code, configuration, or business logic. This process helps organizations strengthen their security posture and protect sensitive data.

Question 5

Which of the following is a technique used to prevent SQL injection?

Accepted Answer

Using prepared statements and parameterized queries

Answer

Prepared statements and parameterized queries are highly effective techniques to prevent SQL injection by separating the SQL code from user-supplied data. Instead of directly concatenating user input into the query string, parameters are used as placeholders for data. The database then treats the input as literal values, not executable code, neutralizing any malicious SQL commands.

(GWAPT) Giac Web Application Penetration Tester Practice Test

(GWAPT) Giac Web Application Penetration Tester Practice Test

GWAPT Web Application Security Testing & Vulnerabilities