
Cyber Quiz Day 35

Question 1

A web app allows authenticated users to upload images. The developer added a client-side check that only permits .jpg and .png files. Which of the following is the most realistic immediate risk if server-side validation is missing?

  • Browser will block any non-image file automatically.

  • The upload will fail because client-side JavaScript prevents it.

  • The file size will be reduced to an image format automatically.

  • An attacker can upload shell.php renamed to shell.jpg and execute it if the server trusts the extension.

Question 2

You must prevent malware hidden in image files. Which server-side check gives the best practical protection?

  • Only check file extension.

  • Validate MIME type from client-supplied headers.

  • Rely on antivirus scanning only.

  • Inspect file “magic bytes” / file signature and re-encode images server-side.

Question 3

A JSON API returns user profiles. A developer adds a debug flag that, when set, returns extra fields: internal_notes, last_ssh_key, error_trace. They forgot to protect the flag. Which control best prevents accidental leakage in production?

  • Remove the flag entirely from codebase.

  • Return the same fields to everyone — transparency is better.

  • Obfuscate values with Base64 so casual users can’t read them.

  • Keep the flag but require that only requests from internal IPs and service accounts can use it.

Question 4

An application logs full request bodies including passwords during authentication failures for troubleshooting. Which mitigation is most appropriate?

  • Mask or redact sensitive fields (passwords, tokens) before logging.

  • Stop logging all requests.

  • Log everything but encrypt log files with a single static key.

  • Only store logs on the same server as the app for speed.

Question 5

A payment system gives a “trial extension” coupon to VIP users. The code trusts the is_vip boolean sent from the client. Which vulnerability is present and what is the impact?

  • Server-side request forgery - attacker can force bank calls.

  • XSS - attacker can inject scripts into coupon value.

  • Broken access control / business logic abuse - attackers can set is_vip=true and extend trials for any account.

  • Rate-limiting bypass - coupons will be ignored.

Question 6

A ticketing app prevents users from booking more than 6 seats per transaction. An attacker opens 6 concurrent transactions in separate tabs and completes them quickly, ending up with 36 seats. What class is this and which mitigation is best?

  • Data exposure - mask results.

  • Race condition / concurrency business logic flaw - enforce atomic reservation via server-side locking or atomic DB transaction.

  • CSRF - add CSRF tokens.

  • SQL injection - use prepared statements.

Question 7

You see a file upload endpoint that sets Content-Disposition: attachment for downloads and stores files in /uploads/. Which residual risk still exists even if uploads are non-executable?

  • Stored sensitive documents might be publicly indexed - Information Disclosure.

  • None - attachment header is safe.

  • Path traversal can never happen if filenames are sanitized.

  • Attachment forces the browser to execute files.

Question 8

During a pentest you find /.git/ publicly accessible, revealing source files and config with DB creds. Which is the correct immediate remediation and long-term fix?

  • Delete .git folder from server and change deploy process.

  • Remove .git only if it contains secrets.

  • Add .git to robots.txt.

  • Ignore — attackers already know.

Question 9

An app accepts ZIP uploads and extracts into a shared directory. Which vector is most likely to cause a severe compromise?

  • Large ZIPs causing disk to fill (DoS).

  • ZIP compressed to tiny size - no issue.

  • ZIP containing only images - safe.

  • ZIP with filenames containing ../ causing path traversal (zip-slip).

Question 10

You are triaging three findings: 1) public /.git/ with DB creds, 2) client-side-only file type checks, 3) an information leak in verbose error pages. Which fix do you apply first and why?

  • Fix client-side checks - prevents uploads.

  • Remove verbose error pages - low effort.

  • Rotate DB creds, remove .git exposure - highest immediate risk (secrets + code).

  • Defer all to next sprint.
