
Cyber Quiz Day 37


Question 1

You need to accept a number from a web form and print it. Which option best prevents code execution and constrains input?

  • print(eval(request.form["n"]))

  • n = int(request.form["n"]); assert 0 <= n <= 10000; print(n)

  • n = request.form["n"]; print(n)

  • n = float(request.form["n"]); print(eval(str(n)))
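The bounded-int option is the right idea, but `assert` is not a validation mechanism: Python strips assert statements under `-O`, and bare `int()` also accepts `'1_000'`, Unicode digits and arbitrarily long strings. The following is an added example, not part of the quiz, showing the same check with an explicit exception; the 0..10000 range mirrors the quiz option and the length cap is an illustrative choice.

```python
import re

# Added example (not from the quiz): bounded integer parsing for a form field.
# `assert` is the wrong tool for input validation because Python drops assert
# statements when run with -O; raise an explicit exception instead.

_DECIMAL = re.compile(r"[+-]?[0-9]+")  # ASCII digits only; \d would match Unicode digits


def parse_bounded_int(raw, lo: int = 0, hi: int = 10000) -> int:
    """Return raw as int if it is a plain decimal within [lo, hi]; raise ValueError otherwise."""
    if not isinstance(raw, str):
        raise ValueError("expected a string")
    s = raw.strip()
    # int() alone would also accept '1_000', Unicode digits such as '١٢' and
    # very long strings; the regex and the length cap rule those out.
    if len(s) > 20 or not _DECIMAL.fullmatch(s):
        raise ValueError("not a decimal integer")
    n = int(s)
    if not lo <= n <= hi:
        raise ValueError(f"out of range [{lo}, {hi}]")
    return n
```

In a Flask view this would be `parse_bounded_int(request.form.get("n", ""))` with `ValueError` mapped to a 400 response; no `eval` is involved at any point.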

Question 2

Pick the safest pattern to load a user by email.

  • cursor.execute("SELECT * FROM users WHERE email = '%s'" % email)

  • session.execute(sa.text("SELECT * FROM users WHERE email=:e"), {"e": email})

  • cursor.execute("SELECT * FROM users WHERE email = " + email)

  • cursor.execute(f"SELECT * FROM users WHERE email = '{email}'")
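To see why the bound-parameter form is the only safe one, the following added example (not from the quiz) runs the formatted query and the parameterised query side by side against an in-memory SQLite table with constructed rows; `sqlite3`'s named parameter style is used because it mirrors SQLAlchemy's `:e` placeholder.

```python
import sqlite3

# Added example (not from the quiz): the same lookup written with string
# formatting and with a bound parameter, run against an in-memory SQLite
# table filled with constructed sample rows.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE)")
    conn.executemany("INSERT INTO users (email) VALUES (?)",
                     [("alice@example.com",), ("bob@example.com",)])
    conn.commit()
    return conn


def load_user_unsafe(conn: sqlite3.Connection, email: str) -> list:
    # Vulnerable on purpose: the value becomes part of the SQL text, so a
    # quote inside `email` rewrites the WHERE clause.
    sql = "SELECT id, email FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def load_user_safe(conn: sqlite3.Connection, email: str) -> list:
    # Bound parameter: the driver passes the value separately from the SQL
    # text, so it can never be parsed as SQL.
    return conn.execute("SELECT id, email FROM users WHERE email = :e", {"e": email}).fetchall()


PAYLOAD = "nobody@example.com' OR '1'='1"  # constructed injection input
```

With `PAYLOAD`, the formatted query becomes `... WHERE email = 'nobody@example.com' OR '1'='1'` and returns every row; the parameterised query looks for an address that literally contains a quote and returns nothing.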

Question 3

You must convert an image using ImageMagick (convert). Which is safest?

  • os.system(f"convert {user_path} out.png")

  • os.popen("convert " + user_path + " out.png").read()

  • subprocess.run("convert " + user_path + " out.png", shell=True, check=True)


  • subprocess.run(["convert", user_path, "out.png"], check=True)
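The argv list form avoids the shell entirely, so metacharacters in `user_path` are never interpreted. Two checks are still worth adding: confine the filename to the upload directory (ImageMagick will happily read whatever path it is given), and pass an absolute path so the argument cannot start with `-`. The code below is an added example, not the quiz's; `UPLOAD_DIR` is a hypothetical location and the child process used to demonstrate argv handling is Python itself, so it runs without ImageMagick installed.

```python
import json
import subprocess
import sys
from pathlib import Path

# Added example (not from the quiz). UPLOAD_DIR is a hypothetical location
# used only for illustration.

UPLOAD_DIR = Path("/var/app/uploads")


def safe_input_path(user_path: str, base: Path = UPLOAD_DIR) -> Path:
    """Confine a user-supplied filename to `base`; reject traversal and absolute paths."""
    base = base.resolve()
    candidate = (base / user_path).resolve()  # follows symlinks and collapses '..'
    if candidate == base or not candidate.is_relative_to(base):
        raise ValueError("path escapes the upload directory")
    return candidate


def convert_argv(in_path: Path, out_path: Path) -> list:
    """argv for subprocess.run: one list element per argument, no shell.
    in_path is absolute, so it can never be mistaken for an option."""
    return ["convert", str(in_path), str(out_path)]


def argv_seen_by_child(arg: str) -> list:
    """Run a child that reports its own argv, to show `arg` arrives as exactly one element."""
    proc = subprocess.run(
        [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))", arg],
        capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)
```

The real call is `subprocess.run(convert_argv(safe_input_path(user_path), out_path), check=True)`; `argv_seen_by_child("cat.png; rm -rf /")` returns the single string unchanged, which is the property the `shell=True` variants in the other options give up.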

Question 4

Which template usage is safest for untrusted comments?

  • {{ comment|safe }}

  • {{ mark_safe(comment) }}

  • {{ comment }}

  • {{ comment|raw }}


Question 5

Which combo most directly reduces XSS and clickjacking impact?

  • Content-Security-Policy: script-src 'self'; frame-ancestors 'none'

  • X-Frame-Options: SAMEORIGIN, X-Powered-By: Express

  • Referrer-Policy: no-referrer, ETag: W/…

  • Strict-Transport-Security: 31536000, X-Download-Options: noopen

Question 6

A cookie-based web app receives POSTs from another origin. What’s the most appropriate protection?

  • Enable Access-Control-Allow-Origin: *

  • Rely on CORS preflight alone

  • Use framework CSRF tokens (per-form) and validate Origin/Referer

  • Set SameSite=None on cookies to simplify cross-site requests
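The following added example (not part of the quiz) implements the correct option: a per-form CSRF token, computed as an HMAC over the session id, the form id and a timestamp, together with an Origin/Referer check. `SECRET_KEY`, `ALLOWED_ORIGINS` and the one-hour token lifetime are placeholders for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Added example, not part of the quiz. SECRET_KEY and ALLOWED_ORIGINS are
# placeholders; load the real values from configuration.

SECRET_KEY = b"replace-with-a-random-32-byte-key"
ALLOWED_ORIGINS = {"https://app.example.com"}
TOKEN_MAX_AGE = 3600  # seconds


def _mac(session_id: str, form_id: str, ts: str, nonce: str) -> str:
    msg = "|".join((session_id, form_id, ts, nonce)).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, form_id: str, now: float = None) -> str:
    """Token bound to this session and this form: ts.nonce.mac"""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return f"{ts}.{nonce}.{_mac(session_id, form_id, ts, nonce)}"


def verify_csrf_token(token: str, session_id: str, form_id: str, now: float = None) -> bool:
    try:
        ts, nonce, mac = token.split(".")
        age = (time.time() if now is None else now) - int(ts)
    except (ValueError, AttributeError):
        return False
    expected = _mac(session_id, form_id, ts, nonce)
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False  # wrong session, wrong form, or tampered
    return 0 <= age <= TOKEN_MAX_AGE


def origin_allowed(headers: dict) -> bool:
    """Accept only if Origin (or, failing that, Referer) names our own origin.
    A missing or 'null' Origin is rejected rather than trusted."""
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        parts = urlsplit(headers["Referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def accept_post(headers: dict, form: dict, session_id: str, form_id: str, now: float = None) -> bool:
    """Both checks must pass; the token comes from the form body, not from a cookie."""
    return origin_allowed(headers) and verify_csrf_token(form.get("csrf_token", ""), session_id, form_id, now)
```

Binding the token to `form_id` means a token harvested from one form cannot be replayed against another, and the HMAC over `session_id` means it is useless in any other session. The Origin check is a second, independent layer; it also catches the case where `SameSite=None` cookies would otherwise be sent cross-site.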

Question 7

Best practice for session-style JWTs in a browser app?

  • Store in localStorage for easy JS access

  • Long-lived tokens with wide scopes to reduce refreshes

  • Short-lived tokens, HttpOnly cookies, rotation & revocation

  • Put user PII inside JWT to avoid DB lookups

Question 8

Which is safest for untrusted structured input?

  • pickle.loads(body)

  • yaml.load(body)

  • eval(body) after str.strip()

  • json.loads(body) with schema validation (e.g., pydantic/jsonschema)
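`json.loads` alone only guarantees the input is JSON; the schema step is what constrains it. The added example below (not part of the quiz) parses an untrusted body with `json.loads`, refuses the non-standard `NaN`/`Infinity` constants that Python's parser accepts by default, and checks the result against an explicit schema. The validator is a small stdlib-only subset of JSON Schema written for this page (in production use jsonschema or pydantic, as the option suggests), and `ORDER_SCHEMA` is a constructed example.

```python
import json

# Added example, not part of the quiz. The validator below is a deliberately
# small subset of JSON Schema written for illustration; ORDER_SCHEMA is a
# constructed example.

MAX_BODY_BYTES = 64 * 1024
_PY_TYPES = {"string": str, "integer": int, "number": (int, float),
             "boolean": bool, "object": dict, "array": list}


def _reject_constant(name):
    # json.loads accepts NaN, Infinity and -Infinity by default; refuse them.
    raise ValueError(f"non-standard JSON constant {name}")


def load_json(body: bytes, max_len: int = MAX_BODY_BYTES):
    if len(body) > max_len:
        raise ValueError("body too large")
    return json.loads(body, parse_constant=_reject_constant)  # JSONDecodeError is a ValueError


def validate(value, schema: dict, path: str = "$"):
    """Check value against schema; raise ValueError at the first violation."""
    t = schema.get("type")
    if t:
        # bool is a subclass of int in Python, so keep true/false out of numeric fields
        if isinstance(value, bool) and t in ("integer", "number"):
            raise ValueError(f"{path}: expected {t}, got boolean")
        if not isinstance(value, _PY_TYPES[t]):
            raise ValueError(f"{path}: expected {t}")
    if t == "object":
        props = schema.get("properties", {})
        missing = [k for k in schema.get("required", []) if k not in value]
        if missing:
            raise ValueError(f"{path}: missing required {missing}")
        if not schema.get("additionalProperties", True):
            extra = sorted(set(value) - set(props))
            if extra:
                raise ValueError(f"{path}: unexpected fields {extra}")
        for k, sub in props.items():
            if k in value:
                validate(value[k], sub, f"{path}.{k}")
    elif t == "array":
        if len(value) > schema.get("maxItems", 1000):
            raise ValueError(f"{path}: too many items")
        for i, item in enumerate(value):
            validate(item, schema.get("items", {}), f"{path}[{i}]")
    elif t == "string":
        if len(value) > schema.get("maxLength", 4096):
            raise ValueError(f"{path}: string too long")
        if "enum" in schema and value not in schema["enum"]:
            raise ValueError(f"{path}: not one of {schema['enum']}")
    elif t in ("integer", "number"):
        if value < schema.get("minimum", float("-inf")) or value > schema.get("maximum", float("inf")):
            raise ValueError(f"{path}: out of range")
    return value


ORDER_SCHEMA = {
    "type": "object",
    "additionalProperties": False,
    "required": ["sku", "qty"],
    "properties": {
        "sku": {"type": "string", "maxLength": 32},
        "qty": {"type": "integer", "minimum": 1, "maximum": 100},
        "gift": {"type": "boolean"},
        "tags": {"type": "array", "maxItems": 5, "items": {"type": "string", "maxLength": 16}},
    },
}


def parse_order(body: bytes) -> dict:
    """Parse and validate an order body; anything unexpected raises ValueError."""
    return validate(load_json(body), ORDER_SCHEMA)
```

Rejecting unknown fields (`additionalProperties: false`) is what keeps mass-assignment style surprises out of the handler, and the explicit boolean check matters because `isinstance(True, int)` is true in Python. By contrast, `pickle.loads` and `yaml.load` without a safe loader can construct arbitrary objects from the bytes before any validation runs.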

Question 9

You’re adding request logging for incident response. Which is the right balance?

  • Log minimal metadata + correlation ID; redact secrets/PII

  • Log full request bodies to aid debugging, including passwords/tokens

  • Don’t log anything to avoid leaks

  • Log stack traces to clients and store nothing server-side
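What "minimal metadata plus a correlation ID, with redaction" looks like in practice, as an added example rather than the quiz's own code: one structured record per request, no body, no header dump, query parameter names only, and secret-looking keys and patterns scrubbed from any extra context. The `X-Request-ID` header used to propagate the correlation ID and the regexes are assumptions for illustration.

```python
import json
import re
import uuid
from urllib.parse import parse_qs, urlsplit

# Added example, not from the quiz. Header name and patterns are assumptions
# chosen for illustration; tune them to your own data.

SENSITIVE_KEYS = {"password", "passwd", "token", "secret", "authorization", "cookie",
                  "set-cookie", "x-api-key", "ssn", "card_number"}
_BEARER = re.compile(r"(?i)bearer\s+[A-Za-z0-9._~+/=-]+")
_CARD = re.compile(r"\b(?:\d[ -]?){13,19}\b")
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _mask_email(m) -> str:
    local, _, domain = m.group(0).partition("@")
    return f"{local[:1]}***@{domain}"


def redact_text(s: str) -> str:
    """Scrub bearer tokens, card-like numbers and e-mail addresses from free text."""
    s = _BEARER.sub("Bearer [REDACTED]", s)
    s = _CARD.sub("[CARD]", s)
    return _EMAIL.sub(_mask_email, s)


def redact(value):
    """Recursively drop values under secret-looking keys and scrub strings."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return redact_text(value)
    return value


def request_log_record(method, url, status, duration_ms, headers, client_ip, extra=None) -> dict:
    """One record per request: metadata only, query *names* only, extra context redacted."""
    parts = urlsplit(url)
    cid = headers.get("X-Request-ID") or str(uuid.uuid4())  # reuse an upstream ID if present
    return {
        "cid": cid,
        "method": method,
        "path": parts.path,
        "query_keys": sorted(parse_qs(parts.query, keep_blank_values=True)),
        "status": status,
        "duration_ms": duration_ms,
        "client": client_ip,
        "ua": headers.get("User-Agent", "")[:200],
        "extra": redact(extra or {}),
    }


def format_line(record: dict) -> str:
    """Compact single-line JSON, easy for a SIEM to parse and to join on `cid`."""
    return json.dumps(record, separators=(",", ":"), sort_keys=True)
```

The correlation ID should also be returned to the client (for example in the response's `X-Request-ID`) and passed to downstream services so that one incident can be traced across logs without any of them containing the credential that was used.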

Question 10

For pages containing user-specific sensitive data, which header set is most appropriate?

  • Cache-Control: public, max-age=86400

  • Cache-Control: immutable, ETag: ...

  • Cache-Control: s-maxage=600, Surrogate-Control: public

  • Cache-Control: no-store, max-age=0, Pragma: no-cache, Expires: 0, Vary: Authorization
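Questions 5, 7 and 10 are three views of the same response: what headers a page with user-specific data should carry, how the session cookie that accompanies it should be set, and what a reviewer should flag when it is not. The following added example (not part of the quiz) builds that header set, the `Set-Cookie` value for a short-lived session JWT, and a small audit function that catches the weaknesses in the wrong quiz options (a `public` cache policy, an HSTS value without `max-age=`, an `X-Powered-By` header). The cookie name, lifetimes and CSP source lists are illustrative choices.

```python
import re

# Added example, not part of the quiz. Cookie name, lifetimes and the CSP
# source lists are illustrative choices, not requirements.

ONE_YEAR = 31536000


def sensitive_page_headers() -> dict:
    """Response headers for a page showing user-specific data."""
    return {
        # CSP directives are ';'-separated. frame-ancestors governs framing in
        # CSP-aware browsers; X-Frame-Options is kept as a fallback for older ones.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
        "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer",
        # no-store forbids both the browser and shared caches from keeping the response.
        "Cache-Control": "no-store, max-age=0",
        "Pragma": "no-cache",  # for HTTP/1.0 caches
        "Expires": "0",
        "Vary": "Authorization, Cookie",
    }


def session_cookie(jwt: str, max_age: int = 900) -> str:
    """Set-Cookie value for a short-lived session JWT: HttpOnly keeps it away from
    script, Secure binds it to HTTPS, SameSite=Lax stops cross-site POSTs from
    sending it, and the __Host- prefix makes the browser insist on Secure,
    Path=/ and no Domain attribute."""
    if not jwt or re.search(r'[\s;,"\\]', jwt):
        raise ValueError("cookie value contains characters that are not allowed")
    return f"__Host-session={jwt}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


_HSTS_MAX_AGE = re.compile(r"(?:^|;)\s*max-age=(\d+)")


def audit_headers(headers: dict) -> list:
    """Return findings for a response to a user-specific page; empty means it passes."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    cc = h.get("cache-control", "")
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: the response may be cached")
    if "public" in cc or "public" in h.get("surrogate-control", ""):
        findings.append("response is marked public for shared caches")
    csp = h.get("content-security-policy", "")
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no framing restriction (frame-ancestors or X-Frame-Options)")
    if "script-src" not in csp and "default-src" not in csp:
        findings.append("no CSP directive restricts script sources")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security")
    else:
        m = _HSTS_MAX_AGE.search(hsts)
        if m is None:
            findings.append("HSTS value is malformed: expected max-age=<seconds>")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age is shorter than one year")
    if "x-powered-by" in h:
        findings.append("X-Powered-By discloses the server stack")
    return findings
```

Short cookie lifetimes only work together with a server-side rotation and revocation path, which the header set cannot provide by itself; the audit function is the kind of check worth running in a test suite against every authenticated route.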
