WGU D 385 So ftware Security and Testing Exam 2024 New Latest Updated Version w ith All Questions and 100% C orrect Answers What is CORS? --------- Correct Answer ---------- CORS (cross origin resource sharing) is a way to relax the browsers SOP (same origin policy - ensures certain resources are accessible only to documents with the same origin) What is the difference between the intentions of CORS and CSRF resistance? --------- Correct Answer ---------- The purpose of CSRF (cross site request forgery) resistance is to reject unintentional malicious requests for the sake of safety. The purpose of CORS is accept intentional requests for feature functionality.. relaxes the SOP. Which security vulnerability is shown? A. Man -in-the-middle B. Cross -site scripting C. Denial of service D. Code injection --------- Correct Answer --------- A. Man -in-the-middle Consider the following assertion statement: def authorizeAdmin(usr): assert isinstance(usr, list) and usr != [], "No user found" assert 'admin' in usr, "No admin found." print("You are granted full access to the application.") If __name__ == '__main__': authorizeAdmin(['user']) What should be the response after running the code? A. AssertionError: No admin found B. AssertionError: No user found C. Authorized User D. You are granted full access to the application --------- Correct Answer --------- A. AssertionError: No admin found A security analyst has noticed a vulnerability in which an attacker took over multiple users' accounts. Which vulnerability did the security analyst encounter? A. Broken access control B. Broken function level authorization C. API mass assignment D. Privilege escalation --------- Correct Answer --------- A. Broken access control Which method is used for a SQL injection attack? ---------- Correct Answer ---------- - exploiting query parameters What does cross -origin resource sharing (CORS) allow users to do? ---------- Correct Answer ---------- - Override same starting policy for specific resources Which protocol caches a token after it has been acquired? ---------- Correct Answer ------
---- - MSAL When creating a new user, an administrator must submit the following fields to an API endpoint: Name Email Address Password IsAdmin What is the best way to ensure the API is protected against privilege escalation? A. Implement resource and field -level access control B. Ensure incoming requests are rate limited C. Remove IsAdmin from the endpoint D. Encrypt the incoming request --------- Correct Answer --------- A. Implement resource and field -level access control Which method is used for a SQL injection attack? A. Exploiting query parameters B. Passing safe query parameters C. Using SQL composition D. Utilizing literal parameters --------- Correct Answer --------- A. Exploiting query parameters What does cross -origin resource sharing (CORS) allow users to do? A. Override same starting policy for specific resources B. Connect web security models C. Prevent the passing of credentials D. Protect the client header from exposure --------- Correct Answer --------- A. Override same starting policy for specific resources Which protocol caches a token after it has been acquired? A. MSAL B. Auth0 C. LDAP D. ACL --------- Correct Answer --------- A. MSAL Consider the following API code snippet: import requests url = 'https://website.com/' # Get request result = requests.get(url) # Print request print(result.content.decode()) Which status code will the server return? A. 403 B. 200 C. 401 D. 400 --------- Correct Answer --------- A. 403 The user submits the following request to an API endpoint that requires a header: import requests url = 'https://api.github.com/invalid' try: request_response = requests.get(url) # If the response was successful, no Exception will be raised request_response.raise_for_status() except Exception as err: print(f'Other error occurred: {err}') else: print('Success!') Which response code will the user most likely be presented with? A. 404—"Not found" B. 200—"OK" C. 400—"Bad request" D. 401—"Unauthorized" --------- Correct Answer --------- A. 404—"Not found" What is the primary defense against log injection attacks? A. Sanitize outbound log messages B. Do not use parameterized stored procedures in the database C. Allow all users to write to these logs D. Use API calls to log actions --------- Correct Answer --------- A. Sanitize outbound log messages An attacker exploits a cross -site scripting vulnerability. What is the attacker able to do? A. Access the user's data B. Execute a shell command or script C. Discover other users' credentials D. Gain access to sensitive files on the server --------- Correct Answer --------- A. Access the user's data Which Python function is prone to a potential code injection attack? A. eval() B. type() C. print() D. append() --------- Correct Answer --------- A. eval() What are two common defensive coding techniques? A. Check functional preconditions and postconditions B. Encrypt passwords and email submissions C. Adjust length and encoding of messages D. Develop code with exceptions to find errors --------- Correct Answer --------- A. Check functional preconditions and postconditions Which package is meant for internal use by Python for regression testing? A. test B. regress test C. doctest D. assert --------- Correct Answer --------- A. test A security analyst is reviewing code for improper input validation. Which type of input validation does this code show? isValidNumber = False while not isValidNumber: try: pickedNumber = int(input('Pick a number from 1 to 10')) if pickedNumber >= 1 and pickedNumber <= 10: isValidNumber = True except: print('You must enter a valid number from 1 to 10') print('You picked the number ' + str(pickedNumber))
---- - MSAL When creating a new user, an administrator must submit the following fields to an API endpoint: Name Email Address Password IsAdmin What is the best way to ensure the API is protected against privilege escalation? A. Implement resource and field -level access control B. Ensure incoming requests are rate limited C. Remove IsAdmin from the endpoint D. Encrypt the incoming request --------- Correct Answer --------- A. Implement resource and field -level access control Which method is used for a SQL injection attack? A. Exploiting query parameters B. Passing safe query parameters C. Using SQL composition D. Utilizing literal parameters --------- Correct Answer --------- A. Exploiting query parameters What does cross -origin resource sharing (CORS) allow users to do? A. Override same starting policy for specific resources B. Connect web security models C. Prevent the passing of credentials D. Protect the client header from exposure --------- Correct Answer --------- A. Override same starting policy for specific resources Which protocol caches a token after it has been acquired? A. MSAL B. Auth0 C. LDAP D. ACL --------- Correct Answer --------- A. MSAL Consider the following API code snippet: import requests url = 'https://website.com/' # Get request result = requests.get(url) # Print request print(result.content.decode()) Which status code will the server return? A. 403 B. 200 C. 401 D. 400 --------- Correct Answer --------- A. 403 The user submits the following request to an API endpoint that requires a header: import requests url = 'https://api.github.com/invalid' try: request_response = requests.get(url) # If the response was successful, no Exception will be raised request_response.raise_for_status() except Exception as err: print(f'Other error occurred: {err}') else: print('Success!') Which response code will the user most likely be presented with? A. 404—"Not found" B. 200—"OK" C. 400—"Bad request" D. 401—"Unauthorized" --------- Correct Answer --------- A. 404—"Not found" What is the primary defense against log injection attacks? A. Sanitize outbound log messages B. Do not use parameterized stored procedures in the database C. Allow all users to write to these logs D. Use API calls to log actions --------- Correct Answer --------- A. Sanitize outbound log messages An attacker exploits a cross -site scripting vulnerability. What is the attacker able to do? A. Access the user's data B. Execute a shell command or script C. Discover other users' credentials D. Gain access to sensitive files on the server --------- Correct Answer --------- A. Access the user's data Which Python function is prone to a potential code injection attack? A. eval() B. type() C. print() D. append() --------- Correct Answer --------- A. eval() What are two common defensive coding techniques? A. Check functional preconditions and postconditions B. Encrypt passwords and email submissions C. Adjust length and encoding of messages D. Develop code with exceptions to find errors --------- Correct Answer --------- A. Check functional preconditions and postconditions Which package is meant for internal use by Python for regression testing? A. test B. regress test C. doctest D. assert --------- Correct Answer --------- A. test A security analyst is reviewing code for improper input validation. Which type of input validation does this code show? isValidNumber = False while not isValidNumber: try: pickedNumber = int(input('Pick a number from 1 to 10')) if pickedNumber >= 1 and pickedNumber <= 10: isValidNumber = True except: print('You must enter a valid number from 1 to 10') print('You picked the number ' + str(pickedNumber))
