
Cyber Quiz Day 36


Question 1

During recon, you see GET /api/users/{id}/albums and a Swagger/OpenAPI spec at /openapi.json. What is the best first step to test for IDOR?

  • Send requests as admin and compare payloads

  • Replace {id} with a sequential value you don’t own while using a normal user token

  • Remove the token entirely and expect 401

  • Increase limit=10000 to check rate limiting

Question 2

You fuzz GET /api/photos/{id} with ../../etc/passwd. The server returns 200 with a JSON error and no leakage. What next?

  • Try URL-encoded traversal like %2e%2e/ and double encode

  • Conclude it’s safe

  • Add X-Forwarded-For: 127.0.0.1 header to always bypass auth

  • Switch to POST only

Question 3

You suspect parameter pollution on GET /api/photos?tag=summer. Which request is most revealing?

  • ?tag=summer,admin

  • ?tag[]=summer&tag[]=admin

  • ?tags=summer&tags=admin

  • ?tag=summer&tag=admin

Question 4

A normal user successfully calls POST /api/admin/reports. Logs show Authorization: Bearer <user_token>. What has most likely broken?

  • Rate limiting

  • CORS preflight

  • Role/Scope checks in authorization layer

  • Password hashing

Question 5

In OAuth 2.0 Authorization Code flow, where should the client secret be used?

  • In the mobile app binary for /authorize redirect

  • On the backend server when exchanging the code for tokens

  • In the browser when exchanging the code

  • Never used in this flow

Question 6

During OAuth testing, which finding most strongly indicates CSRF risk on the auth redirect?

  • Missing state parameter in the /authorize request

  • Using PKCE with S256

  • Short token expiry (5 minutes)

  • Scopes limited to profile email

Question 7

You review a JWT whose header is {"alg":"none","typ":"JWT"}, and the server accepts it. What is the impact?

  • Low, token still signed by “none”

  • High, signature is effectively bypassed

  • None, because payload still base64url

  • Medium, only valid for admins

Question 8

The API uses JWT (HS256 with a shared secret). Which test best detects the classic algorithm confusion vulnerability?

  • Send larger payloads to cause 413

  • Change header to {"alg":"RS256"} and sign with a self-generated RSA key

  • Rotate the secret frequently

  • Add aud claim

Question 9

You see POST /api/auth/login → access token (15 min) + refresh token (30 days). Which security test is most relevant?

  • Replay the access token after expiry

  • Use refresh token over HTTP (no TLS) to sniff it

  • Attempt to reuse a refresh token after rotation, where the server is expected to reject it

  • Flood /login with invalid creds

Question 10

The /api/photos upload endpoint accepts multipart/form-data. What is the best way to test file validation?

  • Upload .jpg with EXIF only

  • Upload a .jpg whose magic bytes are those of an executable or HTML (MZ / <script>)

  • Upload a huge genuine JPEG

  • Upload .txt and rely on 415 Unsupported Media Type
