1. What is Broken Access Control?
A) A type of social engineering attack
B) A security flaw that allows users to access unauthorized resources
C) A cryptographic vulnerability
D) A firewall misconfiguration
✅ Answer: B) A security flaw that allows users to access unauthorized resources
💡 Explanation: Broken Access Control occurs when users can bypass restrictions and access data or functionality they shouldn’t have access to.
2. Which of the following is NOT an example of Broken Access Control?
A) A regular user accessing an admin-only page
B) A customer viewing another user’s order history
C) A user being logged out after inactivity
D) An attacker modifying a URL to access restricted data
✅ Answer: C) A user being logged out after inactivity
💡 Explanation: Automatic logout due to inactivity is a security feature, not an access control flaw. The other options indicate broken access control vulnerabilities.
3. What is the most common reason for Broken Access Control vulnerabilities?
A) Weak encryption algorithms
B) Improper implementation of authentication mechanisms
C) Lack of proper authorization checks
D) SQL Injection attacks
✅ Answer: C) Lack of proper authorization checks
💡 Explanation: Access control issues arise when applications fail to properly verify whether a user is authorized to perform a specific action.
4. What type of access control model is used when permissions are granted based on user roles?
A) Discretionary Access Control (DAC)
B) Role-Based Access Control (RBAC)
C) Mandatory Access Control (MAC)
D) Attribute-Based Access Control (ABAC)
✅ Answer: B) Role-Based Access Control (RBAC)
💡 Explanation: RBAC assigns permissions based on predefined roles, reducing the risk of broken access control if implemented correctly.
5. An attacker modifies a URL from /user/profile to /admin/dashboard and gains access to an admin panel. What is this attack called?
A) IDOR (Insecure Direct Object Reference)
B) URL Tampering
C) Cross-Site Scripting (XSS)
D) Privilege Escalation
✅ Answer: B) URL Tampering
💡 Explanation: URL tampering occurs when an attacker manually changes parameters in the URL to bypass access restrictions.
6. Which OWASP category does Broken Access Control belong to?
A) OWASP A01:2021 – Broken Access Control
B) OWASP A03:2021 – Injection
C) OWASP A05:2021 – Security Misconfiguration
D) OWASP A07:2021 – Identification & Authentication Failures
✅ Answer: A) OWASP A01:2021 – Broken Access Control
💡 Explanation: Broken Access Control is ranked #1 in the OWASP Top 10 (2021) due to its high impact and prevalence.
7. How can an attacker exploit Insecure Direct Object References (IDOR)?
A) By injecting malicious JavaScript into a web page
B) By modifying object identifiers (e.g., user IDs) in API requests
C) By using a weak password
D) By sending phishing emails
✅ Answer: B) By modifying object identifiers (e.g., user IDs) in API requests
💡 Explanation: IDOR allows attackers to manipulate object identifiers (like user_id=123) to gain unauthorized access to data.
8. Which of the following is an effective defense against Broken Access Control?
A) Using CAPTCHA on login pages
B) Implementing server-side authorization checks
C) Encrypting user passwords
D) Enabling JavaScript validation
✅ Answer: B) Implementing server-side authorization checks
💡 Explanation: Proper server-side authorization checks ensure users can only access data and functionality they are authorized for.
9. Which HTTP response code indicates Forbidden Access?
A) 200
B) 302
C) 403
D) 500
✅ Answer: C) 403
💡 Explanation: 403 Forbidden means the server understands the request but refuses to authorize it.
10. What is an example of horizontal privilege escalation?
A) A regular user gaining access to admin controls
B) A hacker using an exploit to gain root access
C) A user accessing another user’s profile by changing the user ID in the URL
D) A system administrator gaining access to a new feature
✅ Answer: C) A user accessing another user’s profile by changing the user ID in the URL
💡 Explanation: Horizontal privilege escalation occurs when a user accesses another user’s data at the same privilege level.
11. What is an example of vertical privilege escalation?
A) A user accessing another user’s shopping cart
B) A hacker escalating from a regular user to an admin
C) A user logging out and logging back in
D) A website using an HTTP request instead of HTTPS
✅ Answer: B) A hacker escalating from a regular user to an admin
💡 Explanation: Vertical privilege escalation occurs when an attacker gains higher-level privileges than their account originally had.
12. How can Broken Access Control impact an organization?
A) Only minor inconvenience to users
B) No security impact
C) Unauthorized data exposure, privilege escalation, and data modification
D) Slower website performance
✅ Answer: C) Unauthorized data exposure, privilege escalation, and data modification
💡 Explanation: Broken Access Control can lead to data breaches, service disruption, and privilege escalation.
13. Which type of access control is the most restrictive?
A) Mandatory Access Control (MAC)
B) Discretionary Access Control (DAC)
C) Role-Based Access Control (RBAC)
D) Attribute-Based Access Control (ABAC)
✅ Answer: A) Mandatory Access Control (MAC)
💡 Explanation: MAC strictly controls access based on predefined policies set by administrators.
14. What tool can be used to detect access control vulnerabilities in a web app?
A) Wireshark
B) Burp Suite
C) Metasploit
D) Nessus
✅ Answer: B) Burp Suite
💡 Explanation: Burp Suite is commonly used to test authorization flaws, privilege escalation, and IDOR vulnerabilities.
15. Which of the following is an access control best practice?
A) Implementing user roles and permissions
B) Using JavaScript to handle authorization
C) Granting admin access to all employees
D) Storing passwords in plain text
✅ Answer: A) Implementing user roles and permissions
💡 Explanation: Defining least-privilege access control helps prevent unauthorized access.
16. What is an Access Control List (ACL)?
A) A list of open ports in a firewall
B) A method for defining permissions on files and resources
C) A database of user passwords
D) A command for blocking IP addresses
✅ Answer: B) A method for defining permissions on files and resources
💡 Explanation: ACLs define who can access which resources and what actions they can perform.
17. What is a common sign of Broken Access Control in a web application?
A) CAPTCHA appearing on login
B) Unauthorized access to sensitive data
C) HTTPS encryption in the browser
D) A 404 error page
✅ Answer: B) Unauthorized access to sensitive data
💡 Explanation: If users can access data they shouldn’t, broken access control exists.
18. Which of the following is NOT an example of Broken Access Control?
A) A user viewing their own account details
B) An attacker modifying an API request to access another user’s data
C) A guest user performing administrative actions
D) A normal user deleting records from a database without permission
✅ Answer: A) A user viewing their own account details
💡 Explanation: Viewing your own data is normal behavior, whereas the other examples involve unauthorized access.
19. Which of the following is an example of a missing access control check?
A) A user needing to log in before accessing a webpage
B) A URL that allows users to change account settings without verifying ownership
C) A CAPTCHA being required for login attempts
D) A user logging out successfully
✅ Answer: B) A URL that allows users to change account settings without verifying ownership
💡 Explanation: If an application does not verify a user’s identity before allowing actions, it results in Broken Access Control.
20. What is the principle of Least Privilege (PoLP)?
A) Giving users more access than required
B) Allowing only administrators to access data
C) Granting users only the permissions necessary for their job functions
D) Blocking all user access
✅ Answer: C) Granting users only the permissions necessary for their job functions
💡 Explanation: The principle of Least Privilege (PoLP) minimizes security risks by restricting users to only the access they require.
21. Why is client-side access control insufficient for security?
A) Client-side controls improve security and prevent all attacks
B) Attackers can modify client-side code to bypass access controls
C) Client-side security policies are more secure than server-side
D) It prevents brute-force attacks effectively
✅ Answer: B) Attackers can modify client-side code to bypass access controls
💡 Explanation: Access control must always be enforced on the server side, as client-side controls (JavaScript, hidden fields, etc.) can be bypassed.
22. What is a “forced browsing” attack?
A) Forcing users to visit malicious websites
B) Guessing URLs to access unauthorized resources
C) Using brute force to crack login credentials
D) Stealing browser cookies
✅ Answer: B) Guessing URLs to access unauthorized resources
💡 Explanation: Forced browsing involves manually altering URLs (e.g., /admin/dashboard instead of /user/dashboard) to access restricted content.
23. What role does session management play in preventing Broken Access Control?
A) It ensures that a user stays logged in indefinitely
B) It prevents users from logging in on multiple devices
C) It helps enforce user permissions and prevents session hijacking
D) It allows users to share accounts
✅ Answer: C) It helps enforce user permissions and prevents session hijacking
💡 Explanation: Proper session management ensures that users maintain their correct roles and permissions across sessions.
24. Which of the following is an access control bypass method?
A) Implementing multi-factor authentication
B) Using HTTP parameter pollution
C) Encrypting user passwords
D) Logging out after a session
✅ Answer: B) Using HTTP parameter pollution
💡 Explanation: HTTP Parameter Pollution involves manipulating parameters in requests to bypass security controls.
25. How can security teams test for Broken Access Control vulnerabilities?
A) By running SQL Injection scripts
B) By attempting unauthorized actions as different user roles
C) By enabling verbose error messages
D) By allowing unauthenticated API calls
✅ Answer: B) By attempting unauthorized actions as different user roles
💡 Explanation: Penetration testers simulate attackers by attempting to escalate privileges or access restricted data.
26. What is a token-based authentication system used for preventing Broken Access Control?
A) CAPTCHA
B) JWT (JSON Web Token)
C) IP Blocking
D) SQL Queries
✅ Answer: B) JWT (JSON Web Token)
💡 Explanation: JWT tokens provide session authentication, ensuring access control mechanisms are enforced properly.
27. Which HTTP response code indicates an unauthorized access attempt due to authentication failure?
A) 200
B) 302
C) 401
D) 500
✅ Answer: C) 401
💡 Explanation: 401 Unauthorized means authentication is required but was not provided or failed.
28. Which of the following best prevents Broken Access Control attacks?
A) Storing passwords in plain text
B) Hiding the admin panel with JavaScript
C) Implementing server-side access control checks
D) Using a single authentication token for all users
✅ Answer: C) Implementing server-side access control checks
💡 Explanation: Server-side access control ensures that permissions cannot be bypassed by modifying client-side data.
29. What is an effective way to prevent privilege escalation attacks?
A) Implementing logging and monitoring of access control failures
B) Allowing all users to modify their role
C) Using the same session token across different users
D) Disabling authentication
✅ Answer: A) Implementing logging and monitoring of access control failures
💡 Explanation: Logging and monitoring help detect unauthorized access attempts and privilege escalation attacks.
30. Which access control mechanism dynamically grants or restricts access based on user attributes?
A) Discretionary Access Control (DAC)
B) Role-Based Access Control (RBAC)
C) Attribute-Based Access Control (ABAC)
D) Identity-Based Control
✅ Answer: C) Attribute-Based Access Control (ABAC)
💡 Explanation: ABAC evaluates user attributes (e.g., job role, device, location) to dynamically allow or deny access.
31. What is an API access control vulnerability?
A) Restricting API keys for security
B) Allowing users to retrieve sensitive data by modifying API parameters
C) Enforcing least privilege access control
D) Validating API tokens before access
✅ Answer: B) Allowing users to retrieve sensitive data by modifying API parameters
💡 Explanation: API access control failures occur when unauthorized users can manipulate API calls to access restricted data.
32. Why should privilege levels be reviewed regularly in an organization?
A) To ensure all users have the same permissions
B) To increase permissions for all employees
C) To detect excessive permissions that could be exploited
D) To enforce mandatory password resets
✅ Answer: C) To detect excessive permissions that could be exploited
💡 Explanation: Regular privilege reviews help ensure that users do not retain unnecessary or excessive access rights.
33. Which tool is commonly used to automate Broken Access Control testing?
A) Burp Suite
B) Wireshark
C) Metasploit
D) Splunk
✅ Answer: A) Burp Suite
💡 Explanation: Burp Suite allows penetration testers to manipulate requests and test authorization flaws.
34. What is the main security risk in relying solely on JavaScript for access control?
A) JavaScript cannot handle authentication
B) Attackers can easily bypass JavaScript-based security checks
C) JavaScript runs on the server, making it secure
D) JavaScript requires a user to be logged in
✅ Answer: B) Attackers can easily bypass JavaScript-based security checks
💡 Explanation: JavaScript runs on the client side and can be easily modified by attackers, making it unreliable for enforcing access control.
35. Why should error messages be generic when access is denied?
A) To confuse users
B) To avoid revealing security details
C) To increase website performance
D) To encourage users to log in multiple times
✅ Answer: B) To avoid revealing security details
💡 Explanation: Detailed error messages can expose internal system details, helping attackers exploit vulnerabilities.
36. Why should session tokens be invalidated after logout?
A) To make users log in again unnecessarily
B) To prevent unauthorized access if a session is hijacked
C) To increase website performance
D) To allow users to reuse their old session
✅ Answer: B) To prevent unauthorized access if a session is hijacked
💡 Explanation: If session tokens are not invalidated upon logout, an attacker with access to a session token can continue accessing the account.
37. What is a security risk of allowing unrestricted file uploads?
A) Increased website speed
B) Users getting too much storage
C) Attackers uploading malicious files to gain access to restricted areas
D) Users being able to store personal documents
✅ Answer: C) Attackers uploading malicious files to gain access to restricted areas
💡 Explanation: Unrestricted file uploads can lead to remote code execution (RCE), privilege escalation, or data breaches.
38. Which of the following is a real-world consequence of Broken Access Control?
A) Increased website traffic
B) Unauthorized access to sensitive data
C) Faster API response times
D) Improved user experience
✅ Answer: B) Unauthorized access to sensitive data
💡 Explanation: Broken Access Control can lead to data breaches, privilege escalation, and financial loss.
39. What should an application do when a user requests a resource they are not authorized for?
A) Display a detailed error message explaining why access is denied
B) Log the attempt and return a generic error message
C) Redirect the user to the home page without logging the attempt
D) Provide a CAPTCHA challenge
✅ Answer: B) Log the attempt and return a generic error message
💡 Explanation: Logging unauthorized access attempts helps in detecting malicious activity without exposing sensitive system details.
40. What type of Broken Access Control attack occurs when an attacker changes a user’s session token to gain unauthorized access?
A) Cross-Site Scripting (XSS)
B) Session Fixation
C) SQL Injection
D) Buffer Overflow
✅ Answer: B) Session Fixation
💡 Explanation: Session Fixation occurs when an attacker sets a victim’s session token to a known value and hijacks the session.
41. Which of the following helps detect Broken Access Control vulnerabilities in APIs?
A) Checking DNS records
B) Running automated API security tests
C) Using CAPTCHA on login pages
D) Implementing HTTPS
✅ Answer: B) Running automated API security tests
💡 Explanation: Automated API security testing tools, such as Postman, Burp Suite, and OWASP ZAP, help identify Broken Access Control vulnerabilities.
42. What should be the default access level for users in a secure system?
A) Administrator
B) Least Privilege
C) Superuser
D) Guest with full privileges
✅ Answer: B) Least Privilege
💡 Explanation: The principle of Least Privilege ensures users are given only the minimum access necessary for their roles.
43. What security risk arises if an application uses predictable session IDs?
A) Users will have difficulty logging in
B) Attackers can brute-force or guess session IDs to hijack user sessions
C) The application will slow down
D) Cookies will expire faster
✅ Answer: B) Attackers can brute-force or guess session IDs to hijack user sessions
💡 Explanation: Weak or predictable session IDs allow attackers to impersonate users by guessing valid session tokens.
44. Why should user input never be trusted in access control decisions?
A) Users may accidentally delete important data
B) Attackers can manipulate requests to bypass access control
C) It increases website speed
D) It makes user experience better
✅ Answer: B) Attackers can manipulate requests to bypass access control
💡 Explanation: User-controlled input should never determine access levels, as it can be manipulated for privilege escalation.
45. How does Cross-Origin Resource Sharing (CORS) impact access control security?
A) It strengthens access control
B) It prevents brute force attacks
C) It can allow unauthorized cross-domain access if misconfigured
D) It improves website performance
✅ Answer: C) It can allow unauthorized cross-domain access if misconfigured
💡 Explanation: Poorly configured CORS policies can allow attackers to access sensitive data from unauthorized origins.
46. Which technique helps prevent forced browsing attacks?
A) Hiding sensitive files with JavaScript
B) Using strong passwords
C) Implementing proper server-side authorization checks
D) Relying only on client-side validation
✅ Answer: C) Implementing proper server-side authorization checks
💡 Explanation: Server-side checks ensure that only authorized users can access certain URLs, preventing forced browsing.
47. What is an Access Control Matrix?
A) A list of open ports on a server
B) A framework defining who can access what resources and how
C) A type of encryption
D) A tool for brute-force attacks
✅ Answer: B) A framework defining who can access what resources and how
💡 Explanation: An Access Control Matrix defines user roles, resources, and allowed actions to prevent unauthorized access.
48. Which of the following best protects against Broken Access Control in APIs?
A) Allowing users to modify API request parameters
B) Implementing role-based access control (RBAC)
C) Using HTTP instead of HTTPS
D) Allowing unrestricted API key usage
✅ Answer: B) Implementing role-based access control (RBAC)
💡 Explanation: RBAC ensures users are assigned the correct permissions based on their roles.
49. Why should old access control rules be removed when no longer needed?
A) To reduce system complexity
B) To prevent attackers from exploiting outdated permissions
C) To increase website performance
D) To allow users to have unrestricted access
✅ Answer: B) To prevent attackers from exploiting outdated permissions
💡 Explanation: Unused or outdated permissions can be exploited if they are not properly removed.
50. What is an effective way to enforce access control at the database level?
A) Encrypting all user data
B) Using SQL queries for authentication
C) Implementing database access control lists (ACLs)
D) Disabling database logging
✅ Answer: C) Implementing database access control lists (ACLs)
💡 Explanation: Database ACLs help restrict which users and applications can access or modify sensitive data.
51. What should an application do when an unauthorized action is attempted?
A) Send a detailed error message explaining why access is denied
B) Log the attempt and respond with a generic error message
C) Redirect the user to the homepage
D) Disable the user’s account immediately
✅ Answer: B) Log the attempt and respond with a generic error message
💡 Explanation: Logging unauthorized attempts helps detect attacks while preventing attackers from gathering information.
52. What is a major risk of using default admin credentials?
A) Users can easily log in
B) Attackers can guess credentials and gain full access
C) It improves security
D) It helps in user authentication
✅ Answer: B) Attackers can guess credentials and gain full access
💡 Explanation: Default credentials are a common attack vector, as attackers often test them first.
53. Why should access control rules be tested regularly?
A) To ensure employees have access to all resources
B) To detect misconfigurations and unauthorized access
C) To allow attackers to exploit vulnerabilities
D) To reduce website traffic
✅ Answer: B) To detect misconfigurations and unauthorized access
💡 Explanation: Regular security testing ensures access control mechanisms work as expected.
54. Why is logging access control failures important?
A) It helps attackers find vulnerabilities
B) It allows administrators to detect unauthorized access attempts
C) It slows down the server
D) It makes error messages more detailed
✅ Answer: B) It allows administrators to detect unauthorized access attempts
💡 Explanation: Logging access control violations helps identify potential security incidents and intrusion attempts.
55. What is an OAuth access token used for?
A) Encrypting passwords
B) Controlling user permissions in API authentication
C) Storing database queries
D) Running brute-force attacks
✅ Answer: B) Controlling user permissions in API authentication
💡 Explanation: OAuth access tokens are used to grant limited access to APIs without exposing user credentials.
56. What is an example of a security misconfiguration leading to Broken Access Control?
A) Implementing Multi-Factor Authentication (MFA)
B) Leaving API endpoints open without authentication
C) Using a firewall to filter traffic
D) Using HTTPS for encryption
✅ Answer: B) Leaving API endpoints open without authentication
💡 Explanation: Misconfigured API endpoints without authentication can allow attackers to access sensitive data without credentials.
57. What does it mean when a system follows a “deny by default” access control model?
A) All users start with full access
B) Access is granted unless explicitly denied
C) Users are given access only when explicitly permitted
D) It allows guest users to access admin functions
✅ Answer: C) Users are given access only when explicitly permitted
💡 Explanation: The “deny by default” approach ensures that users only receive access to resources they are explicitly authorized for.
58. Why is Role-Based Access Control (RBAC) widely used in enterprise security?
A) It allows every user to have administrator privileges
B) It simplifies permission management by grouping users into roles
C) It removes authentication requirements
D) It disables user authentication for internal networks
✅ Answer: B) It simplifies permission management by grouping users into roles
💡 Explanation: RBAC assigns permissions based on roles, making it easier to enforce security policies.
59. What is an example of excessive permissions that can lead to security risks?
A) A customer being able to view their own purchase history
B) A regular user being able to modify administrator settings
C) A user needing a strong password to log in
D) Using a CAPTCHA to prevent bots
✅ Answer: B) A regular user being able to modify administrator settings
💡 Explanation: Granting excessive permissions increases the risk of privilege escalation and unauthorized data modification.
60. What is the main security concern when using hardcoded API keys?
A) API keys improve security
B) Attackers can extract API keys from application code and gain unauthorized access
C) API keys reduce latency in network requests
D) It makes user authentication faster
✅ Answer: B) Attackers can extract API keys from application code and gain unauthorized access
💡 Explanation: Hardcoded API keys can be leaked if stored in public repositories or reverse-engineered from applications.
61. Which security measure helps prevent session fixation attacks?
A) Assigning a new session ID upon login
B) Allowing session IDs to be stored indefinitely
C) Using weak passwords
D) Implementing only client-side access controls
✅ Answer: A) Assigning a new session ID upon login
💡 Explanation: Session fixation occurs when an attacker forces a user to use a known session ID; assigning a new session ID upon login mitigates this risk.
62. What is the risk of exposing directory listings on a web server?
A) Users can see available files and potentially access restricted content
B) It improves website performance
C) It allows users to navigate more easily
D) It prevents brute-force attacks
✅ Answer: A) Users can see available files and potentially access restricted content
💡 Explanation: Exposing directory listings can lead to leakage of sensitive files that should not be publicly accessible.
63. What type of attack exploits broken access control in multi-tenant applications?
A) Password spraying
B) Cross-Tenant Data Leakage
C) Clickjacking
D) SSL Downgrade Attack
✅ Answer: B) Cross-Tenant Data Leakage
💡 Explanation: In multi-tenant applications, improper access control can lead to one tenant accessing another tenant’s data.
64. What is a security risk of using “security through obscurity” as the only access control measure?
A) Attackers cannot bypass the security
B) Once attackers discover the obscured element, they can bypass access control
C) It strengthens access control
D) It is a reliable long-term security strategy
✅ Answer: B) Once attackers discover the obscured element, they can bypass access control
💡 Explanation: Security through obscurity is not a substitute for strong access controls; attackers can easily uncover hidden URLs or elements.
65. What should be done when a user no longer needs access to a system?
A) Keep their account active but limit permissions
B) Immediately revoke access and disable the account if necessary
C) Assign them a different role
D) Allow them to keep access in case they return
✅ Answer: B) Immediately revoke access and disable the account if necessary
💡 Explanation: Inactive or unnecessary accounts can become an attack vector if not properly disabled.
66. What is an example of a business logic access control flaw?
A) A CAPTCHA preventing bot attacks
B) A user placing negative values in a payment field to receive money
C) A password policy enforcing complexity rules
D) A session automatically timing out after inactivity
✅ Answer: B) A user placing negative values in a payment field to receive money
💡 Explanation: Business logic vulnerabilities arise when attackers exploit intended functionality in ways not foreseen by developers.
67. What access control vulnerability occurs when access permissions are not revalidated on the server side?
A) Time-of-Check to Time-of-Use (TOCTOU) Attack
B) Session Timeout
C) Buffer Overflow
D) XSS Injection
✅ Answer: A) Time-of-Check to Time-of-Use (TOCTOU) Attack
💡 Explanation: TOCTOU attacks occur when there is a gap between checking user permissions and executing an action, allowing attackers to change permissions in between.
68. How can browser developer tools be abused to bypass Broken Access Control?
A) They cannot be used to bypass security
B) Attackers can modify client-side code and bypass access restrictions
C) They improve website security
D) They automatically protect sensitive resources
✅ Answer: B) Attackers can modify client-side code and bypass access restrictions
💡 Explanation: Attackers can modify JavaScript or alter requests using browser developer tools to bypass weak access controls.
69. What is an effective way to enforce strict API access control?
A) Implementing rate limiting only
B) Using API gateways with authentication and role-based access controls
C) Disabling authentication for internal APIs
D) Allowing unrestricted access to APIs
✅ Answer: B) Using API gateways with authentication and role-based access controls
💡 Explanation: API gateways help enforce authentication, authorization, and rate limiting to prevent unauthorized access.
70. Why should access control policies be updated regularly?
A) To ensure users always have admin privileges
B) To reflect organizational changes and reduce security risks
C) To increase performance
D) To allow unrestricted user access
✅ Answer: B) To reflect organizational changes and reduce security risks
💡 Explanation: Regularly reviewing access control policies ensures that users only have access to what they need, reducing security risks.
71. Why should role-based access control (RBAC) policies be regularly reviewed?
A) To ensure users have the highest permissions possible
B) To remove unnecessary privileges and prevent privilege creep
C) To allow all employees to access admin features
D) To increase system performance
✅ Answer: B) To remove unnecessary privileges and prevent privilege creep
💡 Explanation: Privilege creep occurs when users accumulate more permissions than necessary over time, increasing security risks.
72. Which access control flaw allows users to bypass security mechanisms by tampering with client-side input?
A) SQL Injection
B) Client-Side Access Control Bypass
C) Cross-Site Request Forgery (CSRF)
D) DNS Spoofing
✅ Answer: B) Client-Side Access Control Bypass
💡 Explanation: Client-side access control is weak because attackers can modify JavaScript, HTML, or API requests to bypass restrictions.
73. What is an effective way to prevent insecure direct object references (IDOR)?
A) Relying on client-side validation
B) Using random or hashed object identifiers instead of sequential IDs
C) Removing authentication entirely
D) Allowing all users to access all objects
✅ Answer: B) Using random or hashed object identifiers instead of sequential IDs
💡 Explanation: Using non-sequential IDs (such as UUIDs) prevents attackers from guessing and accessing unauthorized objects.
74. Which attack involves an adversary manipulating the order of execution in a multi-step access control process?
A) Time-of-Check to Time-of-Use (TOCTOU) Attack
B) Man-in-the-Middle (MITM) Attack
C) Command Injection
D) Clickjacking
✅ Answer: A) Time-of-Check to Time-of-Use (TOCTOU) Attack
💡 Explanation: TOCTOU attacks occur when a user’s access is checked at one point in time but altered before execution.
75. Which security measure can prevent privilege escalation attacks?
A) Allowing users to change their access level at will
B) Implementing strict role-based access controls (RBAC)
C) Disabling logging for failed access attempts
D) Storing passwords in plain text
✅ Answer: B) Implementing strict role-based access controls (RBAC)
💡 Explanation: RBAC ensures users are assigned only the permissions necessary for their role, reducing privilege escalation risks.
76. Why is it dangerous to use predictable session identifiers?
A) Attackers can guess or brute-force session IDs to hijack user sessions
B) It improves system performance
C) It makes login processes faster
D) It simplifies password resets
✅ Answer: A) Attackers can guess or brute-force session IDs to hijack user sessions
💡 Explanation: Weak or predictable session IDs allow attackers to impersonate other users.
77. What is a key security flaw when access control is implemented only at the frontend?
A) Users cannot see their own data
B) Attackers can bypass security by modifying client-side code
C) It increases security strength
D) It prevents unauthorized access
✅ Answer: B) Attackers can bypass security by modifying client-side code
💡 Explanation: Access control should always be enforced on the server side, since client-side controls can be easily bypassed.
78. Which attack takes advantage of an overly permissive Cross-Origin Resource Sharing (CORS) policy?
A) SQL Injection
B) Cross-Origin Data Theft
C) Password Spraying
D) XML External Entity (XXE) Injection
✅ Answer: B) Cross-Origin Data Theft
💡 Explanation: If CORS is misconfigured, malicious websites can make unauthorized requests and steal sensitive data from a victim’s browser.
79. Which type of account is most commonly targeted for privilege escalation attacks?
A) Guest account
B) Administrator account
C) Standard user account
D) Banned user account
✅ Answer: B) Administrator account
💡 Explanation: Attackers often target administrator accounts because they have the highest level of access and control over systems.
80. Why is logging and monitoring important for access control?
A) It prevents all hacking attempts
B) It allows organizations to detect unauthorized access and take action
C) It makes the system run faster
D) It replaces the need for authentication
✅ Answer: B) It allows organizations to detect unauthorized access and take action
💡 Explanation: Logging failed access attempts helps security teams identify and respond to potential breaches.
81. What is an access control risk associated with single sign-on (SSO)?
A) Users must remember multiple passwords
B) If an SSO account is compromised, all linked services are exposed
C) It slows down login time
D) It prevents users from logging in
✅ Answer: B) If an SSO account is compromised, all linked services are exposed
💡 Explanation: SSO improves convenience, but if an attacker gains access to an SSO account, they can compromise all connected services.
82. Which of the following access control models applies the strictest security controls?
A) Role-Based Access Control (RBAC)
B) Discretionary Access Control (DAC)
C) Mandatory Access Control (MAC)
D) Attribute-Based Access Control (ABAC)
✅ Answer: C) Mandatory Access Control (MAC)
💡 Explanation: MAC is the most restrictive model, where the operating system strictly enforces security policies.
83. What is a key indicator of broken access control in an API?
A) API responses contain excessive or unauthorized data
B) API requests always return “403 Forbidden”
C) Users must log in twice
D) The API is using HTTPS
✅ Answer: A) API responses contain excessive or unauthorized data
💡 Explanation: APIs should return only the data users are authorized to access to prevent data leaks and privilege escalation.
84. Why is it important to use multi-factor authentication (MFA) for privileged accounts?
A) It improves user experience
B) It reduces the risk of unauthorized access, even if a password is compromised
C) It replaces the need for access control lists
D) It disables account security
✅ Answer: B) It reduces the risk of unauthorized access, even if a password is compromised
💡 Explanation: MFA adds an extra security layer, ensuring that even if credentials are stolen, attackers cannot easily gain access.
85. What is a common consequence of an access control misconfiguration?
A) Faster system performance
B) Users gaining unauthorized access to sensitive data
C) Stronger password encryption
D) Increased uptime
✅ Answer: B) Users gaining unauthorized access to sensitive data
💡 Explanation: Poor access control configurations can expose sensitive user data to unauthorized individuals.
86. What is the purpose of an access control policy?
A) To grant all users full access
B) To define who is authorized to access specific resources and actions
C) To slow down login times
D) To remove authentication requirements
✅ Answer: B) To define who is authorized to access specific resources and actions
💡 Explanation: Access control policies define user permissions, ensuring security and compliance.
87. What attack exploits excessive permissions granted to a cloud service role?
A) Cloud Privilege Escalation
B) Password Spraying
C) SQL Injection
D) Man-in-the-Middle (MITM)
✅ Answer: A) Cloud Privilege Escalation
💡 Explanation: Cloud services with excessive permissions can be exploited for privilege escalation and lateral movement.
88. What happens if an application does not enforce access control consistently across all endpoints?
A) Users will always need to log in again
B) Attackers may find unprotected endpoints and access restricted data
C) It improves system speed
D) It prevents unauthorized access
✅ Answer: B) Attackers may find unprotected endpoints and access restricted data
💡 Explanation: If access control is not enforced on all endpoints, attackers can bypass security checks and exploit vulnerable endpoints.
89. What is the primary reason for implementing role-based access control (RBAC)?
A) To provide full admin access to all users
B) To simplify user authentication
C) To ensure users have only the necessary permissions based on their role
D) To store user passwords securely
✅ Answer: C) To ensure users have only the necessary permissions based on their role
💡 Explanation: RBAC restricts user access based on predefined roles, reducing the risk of unauthorized actions.
90. Which of the following is a sign of horizontal privilege escalation?
A) A user accessing another user’s records without proper authorization
B) A user logging out automatically after inactivity
C) A user receiving a “403 Forbidden” error when trying to access a restricted page
D) A user creating a strong password
✅ Answer: A) A user accessing another user’s records without proper authorization
💡 Explanation: Horizontal privilege escalation occurs when a user accesses another user’s data at the same privilege level.
91. What access control model is commonly used in military and government systems?
A) Discretionary Access Control (DAC)
B) Mandatory Access Control (MAC)
C) Role-Based Access Control (RBAC)
D) Attribute-Based Access Control (ABAC)
✅ Answer: B) Mandatory Access Control (MAC)
💡 Explanation: MAC is the most restrictive model, used in highly sensitive environments where access is controlled by strict policies.
92. Why should access tokens have an expiration time?
A) To force users to log in frequently
B) To reduce the risk of stolen tokens being reused indefinitely
C) To make password resets unnecessary
D) To prevent API rate limiting
✅ Answer: B) To reduce the risk of stolen tokens being reused indefinitely
💡 Explanation: Access tokens should expire to minimize the impact of token theft or session hijacking.
93. Which of the following is a key advantage of Attribute-Based Access Control (ABAC)?
A) It grants access based on user attributes like location, device, and job function
B) It allows all users to have admin privileges
C) It ignores authentication requirements
D) It removes all access restrictions
✅ Answer: A) It grants access based on user attributes like location, device, and job function
💡 Explanation: ABAC dynamically adjusts access permissions based on user attributes and contextual data.
94. What is an access control flaw that allows an attacker to take over a high-privilege account?
A) IDOR (Insecure Direct Object Reference)
B) Privilege Escalation
C) Clickjacking
D) DNS Spoofing
✅ Answer: B) Privilege Escalation
💡 Explanation: Privilege escalation occurs when an attacker gains higher-level permissions than they are authorized to have.
95. What is an effective defense against access control bypass attacks?
A) Enforcing access control only at the client-side
B) Implementing server-side authorization checks for every request
C) Using CAPTCHA for login pages
D) Encrypting passwords in transit
✅ Answer: B) Implementing server-side authorization checks for every request
💡 Explanation: Server-side enforcement ensures that access rules cannot be bypassed by modifying client-side data.
96. Why is it important to use a secure session management system?
A) To allow users to share session tokens
B) To prevent session hijacking and fixation attacks
C) To make authentication optional
D) To enable unlimited session reuse
✅ Answer: B) To prevent session hijacking and fixation attacks
💡 Explanation: Secure session management protects against session-based attacks, such as session hijacking and session fixation.
97. What risk arises from allowing excessive API permissions?
A) APIs perform faster
B) Attackers can exploit overprivileged API endpoints
C) Users can access features more easily
D) API keys are easier to manage
✅ Answer: B) Attackers can exploit overprivileged API endpoints
💡 Explanation: Overprivileged APIs expose unnecessary functionalities, increasing the attack surface.
98. What is an example of improper access control in cloud environments?
A) Applying least privilege access
B) Making cloud storage buckets publicly accessible
C) Enforcing multi-factor authentication (MFA)
D) Using encryption for sensitive data
✅ Answer: B) Making cloud storage buckets publicly accessible
💡 Explanation: Exposed cloud storage (e.g., public AWS S3 buckets) can lead to data leaks and security breaches.
99. What attack occurs when an attacker manipulates an authorization token to escalate privileges?
A) Token Tampering
B) SQL Injection
C) Denial of Service (DoS)
D) Cross-Site Scripting (XSS)
✅ Answer: A) Token Tampering
💡 Explanation: Token tampering involves modifying an access token (e.g., JWT) to gain unauthorized privileges.
100. What is a best practice when configuring API access control?
A) Allow unauthenticated users to access all endpoints
B) Implement role-based access control (RBAC) for API permissions
C) Disable API logging
D) Allow unrestricted API keys
✅ Answer: B) Implement role-based access control (RBAC) for API permissions
💡 Explanation: RBAC ensures users and applications only access API endpoints necessary for their role.
101. What type of attack exploits a weak or missing logout function?
A) Session Hijacking
B) Credential Stuffing
C) SQL Injection
D) Brute Force Attack
✅ Answer: A) Session Hijacking
💡 Explanation: If sessions are not properly invalidated upon logout, attackers can reuse session tokens to hijack accounts.
102. What is a security risk of using predictable usernames for admin accounts?
A) It simplifies user authentication
B) Attackers can perform brute-force login attempts more easily
C) It enhances security by providing consistency
D) It reduces system downtime
✅ Answer: B) Attackers can perform brute-force login attempts more easily
💡 Explanation: Predictable admin usernames make it easier for attackers to target privileged accounts in brute-force attacks.
103. What should be enforced for user password policies?
A) Allow passwords like “123456”
B) Require strong, unique passwords with multi-factor authentication (MFA)
C) Allow users to store passwords in plain text
D) Disable password expiration
✅ Answer: B) Require strong, unique passwords with multi-factor authentication (MFA)
💡 Explanation: Enforcing strong passwords and MFA helps prevent account takeover and unauthorized access.
104. Why should security teams monitor failed login attempts?
A) To reduce database size
B) To detect potential brute-force or credential-stuffing attacks
C) To allow attackers to test their scripts
D) To improve website performance
✅ Answer: B) To detect potential brute-force or credential-stuffing attacks
💡 Explanation: Monitoring failed logins helps identify and mitigate attacks before they succeed.
105. What is a common issue with default credentials?
A) They are secure and should never be changed
B) Attackers commonly exploit them to gain unauthorized access
C) They improve login speed
D) They encrypt user data
✅ Answer: B) Attackers commonly exploit them to gain unauthorized access
💡 Explanation: Default credentials are well-known and should always be changed to prevent unauthorized access.
106. Why is it dangerous to expose administrative functions in public web applications?
A) It increases website performance
B) Attackers can exploit them to escalate privileges or gain full control
C) It allows users to customize settings easily
D) It prevents unauthorized access
✅ Answer: B) Attackers can exploit them to escalate privileges or gain full control
💡 Explanation: Exposing admin panels or functions to unauthorized users increases the risk of privilege escalation and data breaches.
107. What is a key risk of granting broad wildcard permissions in IAM (Identity and Access Management) policies?
A) It simplifies user management
B) Attackers can abuse excessive permissions to access unauthorized resources
C) It prevents security misconfigurations
D) It enforces the principle of least privilege
✅ Answer: B) Attackers can abuse excessive permissions to access unauthorized resources
💡 Explanation: Wildcard permissions (* access in IAM roles) often grant more privileges than necessary, leading to potential privilege escalation.
108. What is the primary goal of enforcing least privilege access?
A) To give users full control over the system
B) To reduce the risk of unauthorized access and privilege escalation
C) To slow down system performance
D) To remove all authentication requirements
✅ Answer: B) To reduce the risk of unauthorized access and privilege escalation
💡 Explanation: Least privilege ensures that users have only the permissions they need, reducing the attack surface.
109. What is the purpose of Just-In-Time (JIT) access control?
A) To grant users temporary access only when needed
B) To allow all users to have permanent admin access
C) To replace authentication with CAPTCHA
D) To store user passwords securely
✅ Answer: A) To grant users temporary access only when needed
💡 Explanation: JIT access minimizes the risk of privilege escalation by granting permissions only when required and revoking them afterward.
110. Which of the following is an API security risk related to Broken Access Control?
A) Restricting API access to only authorized users
B) Allowing unauthenticated users to modify API data
C) Enforcing strong API authentication
D) Implementing access control checks for every API request
✅ Answer: B) Allowing unauthenticated users to modify API data
💡 Explanation: If API endpoints do not enforce authentication and authorization, attackers can modify or access sensitive data.
111. What is the risk of allowing users to modify their own access levels in an application?
A) Users can escalate privileges and gain unauthorized access
B) It improves security by providing flexibility
C) It prevents account takeovers
D) It reduces system downtime
✅ Answer: A) Users can escalate privileges and gain unauthorized access
💡 Explanation: Allowing users to modify their access levels leads to privilege escalation, where attackers can grant themselves admin rights.
112. What type of attack occurs when an application does not properly verify if a user is authorized to access certain data?
A) SQL Injection
B) Insecure Direct Object Reference (IDOR)
C) Cross-Site Scripting (XSS)
D) Denial-of-Service (DoS)
✅ Answer: B) Insecure Direct Object Reference (IDOR)
💡 Explanation: IDOR occurs when attackers manipulate request parameters (e.g., changing user_id=123 to user_id=124) to access unauthorized data.
113. How can organizations prevent session hijacking related to access control?
A) Implementing session expiration and token rotation
B) Allowing unlimited session reuse
C) Using only client-side validation
D) Disabling password complexity rules
✅ Answer: A) Implementing session expiration and token rotation
💡 Explanation: Regularly rotating session tokens and expiring inactive sessions reduces the risk of session hijacking.
114. Why is it important to log access control failures?
A) To provide real-time alerts on potential unauthorized access attempts
B) To slow down attackers
C) To disable all security policies
D) To allow users to bypass authentication
✅ Answer: A) To provide real-time alerts on potential unauthorized access attempts
💡 Explanation: Logging failed access attempts helps security teams detect and respond to potential attacks.
115. What is an example of a business logic vulnerability related to access control?
A) A user submitting a form without a CAPTCHA
B) A user applying a discount multiple times by modifying request parameters
C) A website using strong authentication
D) A user logging out properly
✅ Answer: B) A user applying a discount multiple times by modifying request parameters
💡 Explanation: Business logic flaws occur when attackers manipulate workflows (e.g., applying unauthorized discounts or making free purchases).
116. What access control measure should be enforced for sensitive API endpoints?
A) Allowing only logged-in users to access them
B) Restricting access to authorized roles using role-based access control (RBAC)
C) Allowing unrestricted access for better performance
D) Using weak API keys for authentication
✅ Answer: B) Restricting access to authorized roles using role-based access control (RBAC)
💡 Explanation: RBAC ensures that only authorized users and roles can access sensitive API endpoints.
117. How can an attacker exploit session fixation vulnerabilities?
A) By forcing a victim to use a predetermined session ID
B) By creating a strong password
C) By enabling two-factor authentication
D) By using only HTTPS for authentication
✅ Answer: A) By forcing a victim to use a predetermined session ID
💡 Explanation: In session fixation attacks, an attacker assigns a known session ID to a victim, then hijacks the session after authentication.
118. Which of the following access control models is the most flexible for dynamic environments?
A) Discretionary Access Control (DAC)
B) Mandatory Access Control (MAC)
C) Role-Based Access Control (RBAC)
D) Attribute-Based Access Control (ABAC)
✅ Answer: D) Attribute-Based Access Control (ABAC)
💡 Explanation: ABAC dynamically adjusts access permissions based on user attributes, making it more flexible for cloud and modern applications.
119. What is a key risk of exposing debugging or verbose error messages in a web application?
A) It helps attackers learn about system internals and security weaknesses
B) It improves website performance
C) It reduces application security risks
D) It prevents brute-force attacks
✅ Answer: A) It helps attackers learn about system internals and security weaknesses
💡 Explanation: Detailed error messages may reveal sensitive information about access control mechanisms, allowing attackers to exploit them.
120. What is the primary advantage of implementing multi-factor authentication (MFA) for access control?
A) It prevents all types of attacks
B) It ensures that even if a password is compromised, attackers cannot access accounts without a second factor
C) It makes login slower
D) It eliminates the need for encryption
✅ Answer: B) It ensures that even if a password is compromised, attackers cannot access accounts without a second factor
💡 Explanation: MFA adds an extra security layer by requiring an additional authentication factor, reducing the risk of account compromise.
121. What is an example of a broken access control vulnerability in a multi-user system?
A) Users can only access their own data
B) A user can modify another user’s profile by changing the user_id in the URL
C) The system requires multi-factor authentication (MFA)
D) The application logs all access attempts
✅ Answer: B) A user can modify another user’s profile by changing the user_id in the URL
💡 Explanation: Insecure Direct Object Reference (IDOR) allows attackers to modify user data by manipulating request parameters.
122. Which of the following is a key security risk when using wildcard permissions (*) in cloud IAM policies?
A) It improves security
B) It grants excessive permissions, leading to privilege escalation risks
C) It reduces attack surface
D) It prevents unauthorized access
✅ Answer: B) It grants excessive permissions, leading to privilege escalation risks
💡 Explanation: Overly permissive IAM policies (e.g., * access) can give users more privileges than necessary, leading to security risks.
123. What is a key security risk of exposing administrative API endpoints without proper authentication?
A) Attackers can execute privileged actions remotely
B) It improves user experience
C) It reduces attack surface
D) It prevents unauthorized access
✅ Answer: A) Attackers can execute privileged actions remotely
💡 Explanation: If administrative API endpoints lack authentication, attackers can access sensitive administrative functions and modify system settings.
124. How can organizations prevent brute-force attacks on login endpoints?
A) Implementing rate limiting and account lockouts
B) Allowing unlimited login attempts
C) Disabling logging for failed login attempts
D) Using only client-side authentication
✅ Answer: A) Implementing rate limiting and account lockouts
💡 Explanation: Rate limiting and account lockouts prevent attackers from guessing passwords through brute-force attacks.
125. What is a common mistake when implementing role-based access control (RBAC)?
A) Granting least privilege to users
B) Assigning all users to an administrator role
C) Using strong authentication methods
D) Regularly reviewing access permissions
✅ Answer: B) Assigning all users to an administrator role
💡 Explanation: Assigning all users administrative privileges negates the benefits of RBAC and increases the risk of privilege escalation.
126. What type of attack targets misconfigured CORS (Cross-Origin Resource Sharing) policies?
A) Cross-Origin Data Theft
B) SQL Injection
C) XML External Entity (XXE) Injection
D) Cross-Site Request Forgery (CSRF)
✅ Answer: A) Cross-Origin Data Theft
💡 Explanation: Weak CORS policies can allow attackers to read sensitive data from another origin, leading to data exposure.
127. How can organizations enforce access control in cloud environments?
A) By using IAM policies with the least privilege principle
B) By allowing all users to have full admin access
C) By disabling multi-factor authentication (MFA)
D) By using weak passwords for IAM roles
✅ Answer: A) By using IAM policies with the least privilege principle
💡 Explanation: Applying the principle of least privilege (PoLP) in cloud IAM ensures users only have the permissions they need.
128. What is the primary risk of allowing users to reset passwords via security questions?
A) Security questions can often be guessed or found through social engineering
B) It prevents brute-force attacks
C) It enforces multi-factor authentication (MFA)
D) It eliminates phishing risks
✅ Answer: A) Security questions can often be guessed or found through social engineering
💡 Explanation: Attackers can often find answers to security questions (e.g., “What is your pet’s name?”) through social media and other sources.
129. What is an effective method to protect against unauthorized access to web applications?
A) Enforcing strong session management policies
B) Allowing session IDs to persist indefinitely
C) Using weak authentication mechanisms
D) Granting all users administrator privileges
✅ Answer: A) Enforcing strong session management policies
💡 Explanation: Strong session management prevents session hijacking, session fixation, and other session-based attacks.
130. Why should access control mechanisms be implemented on the server side?
A) Client-side access control is easy to bypass
B) It reduces latency in web applications
C) It makes authentication unnecessary
D) It prevents brute-force attacks
✅ Answer: A) Client-side access control is easy to bypass
💡 Explanation: Client-side access control can be modified or disabled by attackers, making server-side enforcement essential.
131. Which type of access control model grants access based on security labels and classifications?
A) Discretionary Access Control (DAC)
B) Mandatory Access Control (MAC)
C) Role-Based Access Control (RBAC)
D) Attribute-Based Access Control (ABAC)
✅ Answer: B) Mandatory Access Control (MAC)
💡 Explanation: MAC enforces strict access rules based on security classifications, commonly used in military and government environments.
132. What is an effective way to prevent IDOR (Insecure Direct Object References) vulnerabilities?
A) Using server-side authorization checks before returning sensitive data
B) Using JavaScript validation only
C) Allowing users to access all database records
D) Granting all users administrative privileges
✅ Answer: A) Using server-side authorization checks before returning sensitive data
💡 Explanation: Server-side authorization ensures users can only access their own data, preventing unauthorized access through IDOR.
133. Why should authentication tokens be stored securely in web applications?
A) To prevent token theft and replay attacks
B) To improve website performance
C) To allow users to log in automatically without authentication
D) To replace the need for strong passwords
✅ Answer: A) To prevent token theft and replay attacks
💡 Explanation: Storing tokens securely prevents attackers from stealing and using them to impersonate users.
134. What is the security risk of exposing verbose error messages?
A) Attackers can gather information about system internals
B) It enhances application security
C) It prevents SQL injection attacks
D) It makes brute-force attacks harder
✅ Answer: A) Attackers can gather information about system internals
💡 Explanation: Verbose error messages can reveal details about database structures, authentication mechanisms, and more.
135. Why should admin pages be restricted to authorized users only?
A) To prevent unauthorized users from modifying system settings
B) To improve website loading speed
C) To allow users to customize their profiles
D) To enforce password complexity rules
✅ Answer: A) To prevent unauthorized users from modifying system settings
💡 Explanation: Restricting admin pages prevents unauthorized changes to system configurations and sensitive data.
136. Which of the following is an access control best practice?
A) Implementing multi-factor authentication (MFA)
B) Allowing all users to access admin functions
C) Using weak passwords for authentication
D) Disabling user authentication
✅ Answer: A) Implementing multi-factor authentication (MFA)
💡 Explanation: MFA adds an extra security layer, making unauthorized access more difficult.
137. Why should organizations regularly audit access control configurations?
A) To detect excessive permissions and remove unnecessary access
B) To slow down user authentication
C) To prevent strong encryption
D) To make role-based access control ineffective
✅ Answer: A) To detect excessive permissions and remove unnecessary access
💡 Explanation: Regular audits ensure that users only have the access they need, reducing security risks.
138. What is a common access control misconfiguration in cloud environments?
A) Storing sensitive data in private cloud storage
B) Allowing public access to cloud storage buckets
C) Using least privilege IAM policies
D) Enforcing multi-factor authentication (MFA)
✅ Answer: B) Allowing public access to cloud storage buckets
💡 Explanation: Publicly accessible cloud storage can expose sensitive data, making it an easy target for attackers.
139. What security risk arises if an application fails to check permissions before displaying content?
A) Increased performance
B) Unauthorized data exposure
C) Users needing to log in frequently
D) Improved user experience
✅ Answer: B) Unauthorized data exposure
💡 Explanation: Applications must verify user permissions before displaying content to prevent unauthorized access.
140. How does enforcing multi-factor authentication (MFA) improve access control security?
A) It eliminates the need for strong passwords
B) It adds an extra layer of security, reducing the risk of unauthorized access
C) It replaces the need for role-based access control (RBAC)
D) It allows users to bypass authentication
✅ Answer: B) It adds an extra layer of security, reducing the risk of unauthorized access
💡 Explanation: MFA requires additional authentication factors, making it harder for attackers to compromise accounts.
141. What is a major risk of using predictable session IDs?
A) Attackers can guess session IDs and hijack user sessions
B) It improves user experience
C) It prevents unauthorized access
D) It strengthens authentication
✅ Answer: A) Attackers can guess session IDs and hijack user sessions
💡 Explanation: Weak or predictable session IDs allow attackers to impersonate users by guessing valid session tokens.
142. Which access control model dynamically adjusts permissions based on attributes like device type, location, and risk level?
A) Role-Based Access Control (RBAC)
B) Discretionary Access Control (DAC)
C) Attribute-Based Access Control (ABAC)
D) Mandatory Access Control (MAC)
✅ Answer: C) Attribute-Based Access Control (ABAC)
💡 Explanation: ABAC grants or restricts access based on multiple contextual attributes, making it more flexible than RBAC.
143. Why is implementing rate limiting on authentication endpoints important?
A) It prevents users from logging in too frequently
B) It stops brute-force attacks and credential stuffing
C) It weakens security by limiting requests
D) It forces users to change passwords more often
✅ Answer: B) It stops brute-force attacks and credential stuffing
💡 Explanation: Rate limiting restricts login attempts, making it harder for attackers to guess passwords.
144. What is an effective way to prevent API key leakage?
A) Hardcoding API keys in the source code
B) Storing API keys in environment variables or secret management tools
C) Allowing unrestricted access to API endpoints
D) Sharing API keys with all employees
✅ Answer: B) Storing API keys in environment variables or secret management tools
💡 Explanation: Secure storage of API keys prevents unauthorized access and reduces exposure risks.
145. Which attack involves an attacker manipulating an existing session to gain unauthorized access?
A) Session Hijacking
B) SQL Injection
C) Denial-of-Service (DoS)
D) Cross-Site Scripting (XSS)
✅ Answer: A) Session Hijacking
💡 Explanation: Session hijacking occurs when an attacker steals a valid session ID to impersonate a user.
146. How can organizations protect against unauthorized access to administrative dashboards?
A) Implementing strong authentication and IP allowlisting
B) Making the admin panel publicly accessible
C) Using weak passwords for admin accounts
D) Removing logging for admin activity
✅ Answer: A) Implementing strong authentication and IP allowlisting
💡 Explanation: Restricting access to admin dashboards prevents unauthorized users from gaining control.
147. Why should organizations enforce session expiration policies?
A) To log users out immediately after login
B) To reduce the risk of session hijacking and unauthorized access
C) To improve performance
D) To allow unlimited session reuse
✅ Answer: B) To reduce the risk of session hijacking and unauthorized access
💡 Explanation: Session expiration limits the time an attacker can use a stolen session token.
148. What is the primary risk of exposing API documentation without authentication?
A) Attackers can analyze API endpoints and find vulnerabilities
B) It improves security
C) It prevents unauthorized access
D) It makes authentication stronger
✅ Answer: A) Attackers can analyze API endpoints and find vulnerabilities
💡 Explanation: Publicly accessible API documentation helps attackers identify endpoints that can be exploited.
149. What is a common cause of privilege escalation in web applications?
A) Implementing strong password policies
B) Improper enforcement of access control checks
C) Disabling multi-factor authentication (MFA)
D) Requiring CAPTCHA on login pages
Answer: B) Improper enforcement of access control checks
Explanation: Weak access control mechanisms allow users to gain higher privileges than intended.
150. What is a key security best practice for managing access to cloud-based applications?
A) Using multi-factor authentication (MFA) and enforcing the least privilege principle
B) Allowing unrestricted admin access to all users
C) Hardcoding credentials in application source code
D) Disabling logging of access events
Answer: A) Using multi-factor authentication (MFA) and enforcing the least privilege principle
Explanation: MFA and least privilege help minimize the impact of security breaches.
151. Why should organizations regularly review and audit user access logs?
A) To detect suspicious activities and unauthorized access attempts
B) To slow down the authentication process
C) To prevent users from changing passwords
D) To disable logging features
Answer: A) To detect suspicious activities and unauthorized access attempts
Explanation: Access log reviews help identify security incidents before they escalate.
152. What is a key risk of using default credentials in enterprise applications?
A) Default credentials are widely known and can be exploited by attackers
B) It improves security
C) It simplifies user management
D) It prevents unauthorized access
Answer: A) Default credentials are widely known and can be exploited by attackers
Explanation: Leaving default credentials unchanged makes systems vulnerable to brute-force attacks.
153. What is an effective way to prevent users from sharing login credentials?
A) Implementing multi-factor authentication (MFA) and device-based authentication
B) Allowing unlimited login sessions
C) Disabling password complexity requirements
D) Using hardcoded passwords
Answer: A) Implementing multi-factor authentication (MFA) and device-based authentication
Explanation: MFA and device authentication prevent credential sharing by verifying user identity across different factors.
154. Why is it important to enforce access control for sensitive API endpoints?
A) To improve performance
B) To prevent unauthorized users from modifying or accessing sensitive data
C) To allow unrestricted access for faster API calls
D) To simplify API documentation
Answer: B) To prevent unauthorized users from modifying or accessing sensitive data
Explanation: APIs must enforce strict access controls to ensure that only authorized users can access or modify sensitive data.
155. What is the security risk of allowing unrestricted CORS (Cross-Origin Resource Sharing) policies?
A) Attackers can make unauthorized cross-origin requests to steal sensitive data
B) It enhances API security
C) It speeds up authentication
D) It prevents access control bypass attacks
Answer: A) Attackers can make unauthorized cross-origin requests to steal sensitive data
Explanation: Misconfigured CORS settings can allow malicious websites to access restricted resources on behalf of an authenticated user.
156. What is an example of broken access control in cloud IAM (Identity and Access Management)?
A) Assigning least privilege to all IAM users
B) Granting public access to cloud resources like storage buckets
C) Enforcing multi-factor authentication (MFA) for all users
D) Logging all IAM permission changes
Answer: B) Granting public access to cloud resources like storage buckets
Explanation: Misconfigured IAM policies allowing public access can lead to unauthorized data exposure or cloud resource abuse.
157. How can session fixation be mitigated?
A) By issuing a new session ID upon successful authentication
B) By allowing users to reuse session IDs indefinitely
C) By storing session data only in local storage
D) By disabling authentication tokens
Answer: A) By issuing a new session ID upon successful authentication
Explanation: Session fixation occurs when an attacker forces a user to use a known session ID, allowing them to hijack the session. Rotating session IDs prevents this attack.
158. What is the risk of granting administrative access to too many users?
A) Increased risk of privilege escalation and insider threats
B) Improved security
C) Faster authentication
D) Lower risk of unauthorized access
Answer: A) Increased risk of privilege escalation and insider threats
Explanation: Granting excessive administrative access increases the likelihood of accidental or malicious changes that can compromise security.
159. Why should session tokens be stored securely in web applications?
A) To prevent attackers from stealing and replaying them for unauthorized access
B) To allow users to share session IDs
C) To speed up authentication
D) To remove the need for authentication
Answer: A) To prevent attackers from stealing and replaying them for unauthorized access
Explanation: Secure storage of session tokens prevents unauthorized access through session hijacking or replay attacks.
160. What is a major risk of allowing users to access files via unrestricted file paths?
A) Users can perform directory traversal attacks to access sensitive files
B) It improves performance
C) It speeds up authentication
D) It strengthens access control
Answer: A) Users can perform directory traversal attacks to access sensitive files
Explanation: Improperly secured file access can allow attackers to exploit directory traversal (../) to access files they shouldn’t be able to view.
161. What is an effective way to mitigate horizontal privilege escalation?
A) Implementing strict authorization checks based on user identity
B) Allowing users to modify their own access roles
C) Storing authentication tokens in local storage
D) Using only client-side access control
Answer: A) Implementing strict authorization checks based on user identity
Explanation: Authorization checks ensure users can only access their own data and prevent unauthorized access to other users’ information.
162. What should an application do when an unauthorized user attempts to access restricted data?
A) Return a 403 Forbidden response and log the access attempt
B) Provide a detailed error message explaining the failure
C) Redirect the user to an admin dashboard
D) Allow access for better user experience
Answer: A) Return a 403 Forbidden response and log the access attempt
Explanation: A 403 Forbidden response prevents unauthorized access, while logging the attempt helps detect potential attacks.
163. Why is logging and monitoring access control violations critical?
A) It allows security teams to detect and respond to unauthorized access attempts
B) It slows down authentication
C) It improves system speed
D) It removes the need for multi-factor authentication
Answer: A) It allows security teams to detect and respond to unauthorized access attempts
Explanation: Monitoring access logs helps identify security threats and take preventive actions against potential breaches.
164. What is a common access control vulnerability in API endpoints?
A) APIs failing to enforce authorization checks for all users
B) APIs using rate limiting
C) APIs requiring authentication before access
D) APIs using encrypted tokens
Answer: A) APIs failing to enforce authorization checks for all users
Explanation: APIs must verify user authorization before processing requests to prevent unauthorized data access or modifications.
165. How does an attacker exploit a Cross-Site Request Forgery (CSRF) vulnerability?
A) By tricking a user into making an unauthorized request on a trusted site
B) By guessing a user’s password
C) By injecting SQL commands into an input field
D) By using brute-force attacks on login pages
Answer: A) By tricking a user into making an unauthorized request on a trusted site
Explanation: CSRF attacks exploit the trust a site has in a user’s browser by forcing it to perform unwanted actions.
166. What is the risk of exposing a server’s admin panel to the public internet?
A) Attackers can brute-force credentials or exploit known vulnerabilities to gain control
B) It enhances security
C) It prevents unauthorized access
D) It improves website performance
Answer: A) Attackers can brute-force credentials or exploit known vulnerabilities to gain control
Explanation: Publicly accessible admin panels are prime targets for attacks, including brute-force login attempts and exploit-based takeovers.
167. How can organizations prevent users from abusing API rate limits?
A) By implementing API throttling and rate limiting
B) By removing authentication requirements
C) By allowing unlimited API requests
D) By disabling API logging
Answer: A) By implementing API throttling and rate limiting
Explanation: Rate limiting prevents abuse by restricting the number of requests an API can process per user or timeframe.
168. What is a risk of allowing weak password policies?
A) Increased likelihood of brute-force or credential stuffing attacks
B) Stronger authentication security
C) Faster login times
D) Improved password recovery
Answer: A) Increased likelihood of brute-force or credential stuffing attacks
Explanation: Weak passwords are easier to guess, making accounts more vulnerable to unauthorized access.
169. How does implementing least privilege reduce access control risks?
A) It ensures users have only the minimum necessary permissions for their role
B) It grants all users admin privileges
C) It disables authentication requirements
D) It allows unrestricted file access
Answer: A) It ensures users have only the minimum necessary permissions for their role
Explanation: The least privilege principle minimizes security risks by restricting users to only the access they need.
170. Why should security teams conduct regular penetration tests on access control mechanisms?
A) To identify and fix vulnerabilities before attackers exploit them
B) To slow down authentication
C) To increase system load
D) To allow unrestricted user access
Answer: A) To identify and fix vulnerabilities before attackers exploit them
Explanation: Penetration testing helps organizations detect and remediate access control weaknesses before they become security threats.
171. What is the risk of using “security through obscurity” as the only access control measure?
A) It prevents brute-force attacks
B) If an attacker discovers the hidden resource, they can bypass security
C) It strengthens authentication
D) It replaces the need for multi-factor authentication
Answer: B) If an attacker discovers the hidden resource, they can bypass security
Explanation: Security through obscurity (e.g., hiding admin URLs) is not a substitute for proper authentication and authorization controls.
172. What is an effective way to prevent unauthorized access to API endpoints?
A) Using strong authentication and role-based access control (RBAC)
B) Allowing public access to all API endpoints
C) Hardcoding API keys in the frontend
D) Disabling authorization for performance reasons
Answer: A) Using strong authentication and role-based access control (RBAC)
Explanation: RBAC ensures that only authenticated and authorized users can access sensitive API functions.
173. What is a common way attackers escalate privileges in cloud environments?
A) Exploiting misconfigured IAM roles
B) Using multi-factor authentication (MFA)
C) Implementing least privilege access control
D) Enforcing strong API authentication
Answer: A) Exploiting misconfigured IAM roles
Explanation: Overly permissive IAM roles allow attackers to gain higher privileges than intended.
174. Why is it important to restrict access to database management interfaces (e.g., phpMyAdmin)?
A) To prevent unauthorized users from executing database queries
B) To allow all users to modify database records
C) To improve query execution speed
D) To reduce application load
Answer: A) To prevent unauthorized users from executing database queries
Explanation: Exposing database management interfaces publicly increases the risk of unauthorized data access and modification.
175. What is an effective mitigation against session hijacking?
A) Implementing secure cookies with the HttpOnly and Secure flags
B) Allowing session IDs in URL parameters
C) Storing session tokens in local storage
D) Using weak encryption for session tokens
Answer: A) Implementing secure cookies with the HttpOnly and Secure flags
Explanation: The Secure and HttpOnly flags prevent attackers from stealing session cookies via client-side attacks.
176. How can an attacker exploit an unprotected API with weak authentication?
A) By sending unauthorized requests and accessing sensitive data
B) By improving API response time
C) By reducing API costs
D) By strengthening authentication
Answer: A) By sending unauthorized requests and accessing sensitive data
Explanation: If an API does not properly enforce authentication, attackers can interact with it freely.
177. What is the impact of failing to enforce authorization checks on file uploads?
A) Attackers can upload malicious files and execute remote code
B) Users get faster upload speeds
C) Users can access all files without restriction
D) It prevents denial-of-service (DoS) attacks
Answer: A) Attackers can upload malicious files and execute remote code
Explanation: Weak file upload restrictions can lead to remote code execution (RCE) and server compromise.
178. What happens if an application does not properly revoke session tokens after logout?
A) Users must log in again
B) Attackers can reuse stolen session tokens to access accounts
C) It improves authentication security
D) It prevents unauthorized access
Answer: B) Attackers can reuse stolen session tokens to access accounts
Explanation: Session tokens must be invalidated on logout to prevent unauthorized reuse.
179. Why should privileged accounts have additional security controls?
A) They are prime targets for attackers due to their high-level access
B) They should have weaker authentication
C) They should be publicly accessible
D) They should use default passwords
Answer: A) They are prime targets for attackers due to their high-level access
Explanation: Privileged accounts, such as admin accounts, require extra security measures to prevent unauthorized access.
180. How can organizations protect against brute-force attacks on authentication endpoints?
A) Implementing CAPTCHA, rate limiting, and account lockouts
B) Allowing unlimited login attempts
C) Disabling logging of failed login attempts
D) Using weak passwords
Answer: A) Implementing CAPTCHA, rate limiting, and account lockouts
Explanation: These mechanisms prevent attackers from repeatedly guessing passwords.
181. What is the risk of using default credentials in enterprise applications?
A) Default credentials are publicly known and easily exploited by attackers
B) They improve authentication security
C) They simplify login processes
D) They prevent unauthorized access
Answer: A) Default credentials are publicly known and easily exploited by attackers
Explanation: Many default credentials are available online, making them an easy entry point for attackers.
182. What should be enforced to prevent unauthorized access to cloud storage buckets?
A) Restricting access to authenticated and authorized users only
B) Making all storage buckets public for easy access
C) Allowing users to set their own permissions
D) Using unencrypted storage
Answer: A) Restricting access to authenticated and authorized users only
Explanation: Publicly exposed storage buckets have led to major data breaches in the past.
183. Why should security teams audit IAM permissions regularly?
A) To detect excessive permissions and remove unnecessary access
B) To allow all users to access admin functions
C) To disable user authentication
D) To increase attack surface
Answer: A) To detect excessive permissions and remove unnecessary access
Explanation: Regular audits help ensure users only have the permissions they need, reducing security risks.
184. What is the risk of allowing user-controlled input to determine access permissions?
A) Attackers can manipulate input to escalate privileges
B) It improves authentication
C) It speeds up access control enforcement
D) It prevents brute-force attacks
Answer: A) Attackers can manipulate input to escalate privileges
Explanation: Access control decisions should never be based on user-supplied input, as it can be tampered with.
185. Why should admin interfaces be restricted to specific IP ranges?
A) To limit exposure to potential attackers
B) To allow attackers to access the system
C) To improve UI performance
D) To disable user authentication
Answer: A) To limit exposure to potential attackers
Explanation: Restricting access to trusted IP addresses reduces the attack surface for admin panels.
186. What is a common attack vector for privilege escalation?
A) Exploiting misconfigured access controls
B) Using strong passwords
C) Implementing multi-factor authentication (MFA)
D) Restricting admin privileges
Answer: A) Exploiting misconfigured access controls
Explanation: Attackers look for weak permissions to escalate privileges and gain unauthorized access.
187. How can organizations prevent Cross-Site Request Forgery (CSRF) attacks?
A) Implementing anti-CSRF tokens and requiring user interaction for sensitive actions
B) Disabling authentication
C) Allowing cross-origin requests
D) Using only client-side validation
Answer: A) Implementing anti-CSRF tokens and requiring user interaction for sensitive actions
Explanation: CSRF protection ensures that requests made on behalf of a user are legitimate.
188. Why should organizations enforce password complexity rules?
A) To reduce the risk of password guessing and brute-force attacks
B) To make passwords easier to remember
C) To prevent user authentication
D) To weaken encryption
Answer: A) To reduce the risk of password guessing and brute-force attacks
Explanation: Strong passwords make it harder for attackers to guess credentials.
189. Why is it dangerous to allow users to access administrative functions without proper role verification?
A) It improves system performance
B) Attackers or low-privileged users can escalate their privileges
C) It simplifies authentication
D) It enhances user experience
Answer: B) Attackers or low-privileged users can escalate their privileges
Explanation: If role verification is not enforced, attackers can access privileged actions they should not have access to.
190. What is a major risk of exposing cloud management interfaces without proper access controls?
A) Unauthorized users can modify cloud resources, leading to data breaches or service disruptions
B) It improves cloud performance
C) It makes cloud management easier
D) It prevents API abuse
Answer: A) Unauthorized users can modify cloud resources, leading to data breaches or service disruptions
Explanation: Exposing cloud management interfaces without security controls allows attackers to modify or delete cloud resources.
191. How can an attacker exploit a misconfigured multi-tenant web application?
A) By accessing another tenant’s data due to weak access control policies
B) By using a strong password
C) By enabling two-factor authentication (2FA)
D) By limiting the number of login attempts
Answer: A) By accessing another tenant’s data due to weak access control policies
Explanation: If tenant isolation is not enforced, an attacker from one tenant can view or modify data from another tenant.
192. Why should authentication tokens have an expiration time?
A) To prevent token reuse and minimize the impact of token theft
B) To make authentication slower
C) To require users to log in every few seconds
D) To remove the need for multi-factor authentication
Answer: A) To prevent token reuse and minimize the impact of token theft
Explanation: Tokens with an expiration time limit how long a stolen token can be used, reducing the risk of unauthorized access.
193. What security measure can prevent unauthorized API key usage?
A) Enforcing IP allowlisting and setting API key expiration
B) Sharing API keys publicly
C) Hardcoding API keys in frontend applications
D) Allowing unrestricted API key access
Answer: A) Enforcing IP allowlisting and setting API key expiration
Explanation: Restricting API key usage to specific IPs and setting expiration dates helps prevent abuse and unauthorized access.
194. How can security teams detect privilege escalation attempts?
A) By monitoring logs for suspicious permission changes and unauthorized access attempts
B) By allowing all users to have administrative access
C) By disabling security logging
D) By enabling weak authentication mechanisms
Answer: A) By monitoring logs for suspicious permission changes and unauthorized access attempts
Explanation: Regular log analysis helps detect abnormal user activities and privilege escalation attempts.
195. What is an effective way to prevent unauthorized access to cloud APIs?
A) Implementing strong authentication (OAuth, JWT, or API gateways)
B) Allowing public access to all APIs
C) Storing API credentials in client-side JavaScript
D) Using weak passwords for API authentication
Answer: A) Implementing strong authentication (OAuth, JWT, or API gateways)
Explanation: Strong API authentication prevents unauthorized users from making API requests.
196. How can an attacker bypass weak access control in a web application?
A) By modifying HTTP request parameters and attempting privilege escalation
B) By using a strong password
C) By enabling two-factor authentication
D) By following proper authentication protocols
Answer: A) By modifying HTTP request parameters and attempting privilege escalation
Explanation: If access control is not enforced on the server side, attackers can manipulate requests to gain unauthorized access.
197. Why should access control policies be updated regularly?
A) To reflect organizational changes and prevent excessive user permissions
B) To allow all users full system access
C) To make authentication slower
D) To remove access restrictions altogether
Answer: A) To reflect organizational changes and prevent excessive user permissions
Explanation: Regular updates ensure that only necessary permissions are assigned, reducing the risk of privilege escalation.
198. What is the security risk of using predictable usernames for administrator accounts?
A) Attackers can easily target admin accounts in brute-force attacks
B) It improves security
C) It simplifies password management
D) It prevents unauthorized access
Answer: A) Attackers can easily target admin accounts in brute-force attacks
Explanation: Using common admin usernames (e.g., “admin”) makes accounts easier targets for brute-force and credential stuffing attacks.
199. How can organizations prevent lateral movement attacks due to weak access control?
A) By enforcing least privilege access and network segmentation
B) By allowing all users access to all resources
C) By disabling logging
D) By allowing weak password policies
Answer: A) By enforcing least privilege access and network segmentation
Explanation: Least privilege access and network segmentation limit the ability of attackers to move laterally within a system.
200. Why is it important to disable inactive user accounts?
A) To reduce the risk of account takeover and privilege escalation
B) To allow attackers to use them for lateral movement
C) To increase login speed
D) To prevent users from accessing their data
Answer: A) To reduce the risk of account takeover and privilege escalation
Explanation: Inactive accounts are often targeted by attackers, as they may not be actively monitored.