CAP Practice Questions
Certified AppSec Practitioner Exam
Total Questions : 60
Dive into our fully updated and stable CAP practice test platform, featuring all the latest AppSec Practitioner exam questions added this week. Our preparation tool is more than just a study aid for The SecOps Group exam; it's a strategic advantage.
Our free AppSec Practitioner practice questions are crafted to reflect the domains and difficulty of the actual exam. The detailed rationales explain the 'why' behind each answer, reinforcing key concepts about CAP. Use this test to pinpoint which areas you need to focus your study on.
Which is the most effective form of input validation to prevent Cross-Site Scripting attacks?
In the context of the CORS (Cross-origin resource sharing) misconfiguration, which of the following statements is true?
In the screenshot below, which of the following is incorrect?
Target: https://example.com
HTTP/1.1 404 Not Found
Date: Fri, 09 Dec 2022 18:03:49 GMT
Server: Apache
Vary: Cookie
X-Powered-By: PHP/5.4.5-5
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Cookie: JSESSIONID=1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789; secure; HttpOnly; SameSite=None
Null Byte Injection is an active exploitation technique used to bypass sanity-checking filters in web applications by adding a URL-encoded null byte character to the user-supplied data. Which of the following is a URL-encoded representation of a null byte?
GraphQL is an open-source data query and manipulation language for APIs, and a query runtime engine. In this context, what is GraphQL Introspection?
Salt is a cryptographically secure random string that is added to a password before it is hashed. In this context, what is the primary objective of salting?
An application’s forgot-password functionality is described below:
The user enters their email address and receives a message on the web page:
“If the email exists, we will email you a link to reset the password”
The user also receives an email saying:
“Please use the link below to create a new password:”
(Note that the developer has included a one-time random token alongside the ‘userId’ parameter in the link.) So the link looks like:
https://example.com/reset_password?userId=5298&token=70e7803e-bf53-45e1-8a3f-fb15da7de3a0
Will this mechanism prevent an attacker from resetting arbitrary users’ passwords?
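To make the reset-link question concrete, here is an added Python sketch (not from the exam or The SecOps Group) of a reset-token store that binds each one-time token to the userId it was issued for, expires it, and consumes it on first use. The class and function names, the 15-minute lifetime and the sample user ids are assumptions made for this example.

```python
# Added example: a minimal password-reset token store. Names, the TTL and
# the sample ids are constructed for this demo, not taken from any product.
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: reset links expire after 15 minutes


class ResetTokenStore:
    """Stores only SHA-256 digests of issued tokens, so a leaked table does not
    yield usable reset links. Each digest maps to (user_id, expires_at)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._by_digest = {}     # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int) -> str:
        """Create a token for user_id; the plaintext is only sent in the email."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_digest[self._digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_id: int, token: str) -> bool:
        """True only if the token is unknown-to-nobody-else: unexpired, unused,
        and issued for exactly this user_id. Any attempt, valid or not, burns it."""
        entry = self._by_digest.pop(self._digest(token), None)  # single use
        if entry is None:
            return False
        issued_for, expires_at = entry
        if self._now() > expires_at:
            return False
        # The token alone is not enough: the userId in the link must be the one
        # the token was issued for, otherwise a valid token could be replayed
        # against a different account by editing the userId parameter.
        return issued_for == user_id


def demo() -> dict:
    """Exercise the three checks the question turns on; returns the outcomes."""
    store = ResetTokenStore()
    t = store.issue(5298)
    wrong_user = store.redeem(1, t)          # token bound to 5298, so False
    t2 = store.issue(5298)
    right_user = store.redeem(5298, t2)      # True
    replay = store.redeem(5298, t2)          # already consumed, so False
    return {"wrong_user": wrong_user, "right_user": right_user, "replay": replay}
```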
