1. What is an insecure API endpoint?
A) An API that lacks proper security controls and can be exploited
B) An API that provides secure communication between systems
C) An API that only accepts HTTPS requests
D) An API that requires multi-factor authentication
Answer: A) An API that lacks proper security controls and can be exploited
Explanation: Insecure API endpoints lack authentication, authorization, encryption, or input validation, making them vulnerable to attacks.
2. Which is a common vulnerability in API security?
A) Lack of proper authentication
B) Using only HTTPS
C) Implementing OAuth correctly
D) Implementing API rate limiting
Answer: A) Lack of proper authentication
Explanation: If an API endpoint does not enforce authentication, attackers can exploit it to access sensitive data.
3. What is the best way to protect an API against unauthorized access?
A) Using API keys and validating tokens
B) Allowing open access to the API
C) Encrypting API responses only
D) Using HTTP instead of HTTPS
Answer: A) Using API keys and validating tokens
Explanation: API authentication should use API keys, OAuth tokens, or JWTs to prevent unauthorized access.
4. What is an API Rate Limiting attack?
A) An attack that exploits excessive API requests to overwhelm the service
B) A method to protect APIs from abuse
C) A way to enforce user authentication
D) A technique for encrypting API responses
Answer: A) An attack that exploits excessive API requests to overwhelm the service
Explanation: Rate-limiting bypass attacks can cause DoS (Denial-of-Service) and slow down API performance.
5. Which HTTP method is commonly targeted in insecure API attacks?
A) POST
B) DELETE
C) GET
D) All of the above
Answer: D) All of the above
Explanation: Attackers can exploit any method (GET, POST, PUT, DELETE) if the API lacks proper authentication and validation.
6. What is API enumeration?
A) The process of testing API endpoints for security
B) A technique to guess valid API parameters and responses
C) The method of encrypting API requests
D) The process of debugging an API
Answer: B) A technique to guess valid API parameters and responses
Explanation: Attackers perform API enumeration to guess resource IDs, endpoints, and parameters to access unauthorized data.
7. What security control helps prevent Broken Object Level Authorization (BOLA)?
A) Implementing access control based on user roles
B) Using weak passwords
C) Exposing API keys in client-side code
D) Disabling authentication
Answer: A) Implementing access control based on user roles
Explanation: BOLA (also known as IDOR) occurs when APIs do not properly verify user permissions, allowing attackers to access or modify data they are not authorized for.
8. Which attack exploits insecure API authentication?
A) Cross-Site Scripting (XSS)
B) Broken Authentication
C) SQL Injection
D) Clickjacking
Answer: B) Broken Authentication
Explanation: If APIs lack strong authentication mechanisms, attackers can bypass login protections and gain unauthorized access.
9. How can API endpoints prevent data exposure?
A) Encrypting sensitive data before returning responses
B) Logging all API requests in plaintext
C) Allowing unrestricted API access
D) Storing credentials in the API response
Answer: A) Encrypting sensitive data before returning responses
Explanation: APIs should encrypt sensitive data (like PII or passwords) to prevent exposure in case of a data breach.
10. What is API endpoint fuzzing?
A) A security practice to test API security by sending unexpected inputs
B) A method of encrypting API requests
C) A technique used to create API documentation
D) A practice of using API rate limiting
Answer: A) A security practice to test API security by sending unexpected inputs
Explanation: Fuzzing helps security researchers find unhandled exceptions, misconfigurations, and vulnerabilities in APIs.
11. Which API authentication method is the most secure?
A) Basic Authentication (username & password)
B) API Key Authentication
C) OAuth 2.0 with JWT
D) No authentication
Answer: C) OAuth 2.0 with JWT
Explanation: OAuth 2.0 with JWT provides secure token-based authentication, preventing unauthorized API access.
12. What does CORS stand for in API security?
A) Cross-Origin Resource Sharing
B) Client-Origin Request Security
C) Common-Origin Response Security
D) Cloud-Origin Resource Security
Answer: A) Cross-Origin Resource Sharing
Explanation: CORS controls which origins can access an API, preventing cross-site API abuse.
13. How can APIs prevent SQL Injection attacks?
A) Using parameterized queries
B) Allowing user inputs in SQL statements
C) Accepting raw SQL queries from clients
D) Ignoring input validation
Answer: A) Using parameterized queries
Explanation: Parameterized queries prevent SQL Injection by separating user input from SQL execution.
14. What is the risk of exposing API keys in client-side code?
A) Attackers can steal API keys and access the API
B) It improves API security
C) It ensures faster API responses
D) API keys are not important
Answer: A) Attackers can steal API keys and access the API
Explanation: API keys should be stored server-side and never exposed in JavaScript or client-side code.
15. Which attack targets GraphQL APIs specifically?
A) Cross-Site Scripting (XSS)
B) DoS via nested queries
C) Remote File Inclusion
D) Email Spoofing
Answer: B) DoS via nested queries
Explanation: Attackers exploit GraphQL APIs using deeply nested queries, causing server overload (DoS attack).
16. How can APIs protect against brute-force authentication attacks?
A) Implementing rate limiting and CAPTCHA
B) Storing credentials in plaintext
C) Allowing unlimited login attempts
D) Using weak passwords
Answer: A) Implementing rate limiting and CAPTCHA
Explanation: Rate limiting and CAPTCHA prevent automated brute-force attacks against API authentication.
17. What is JSON Web Token (JWT) used for?
A) API authentication and session management
B) Encrypting files on disk
C) Storing user passwords
D) Preventing network attacks
Answer: A) API authentication and session management
Explanation: JWTs securely transmit user authentication and session details between API clients and servers.
18. How can APIs protect against excessive data exposure?
A) Implementing response filtering and returning only necessary data
B) Sending full database records in responses
C) Allowing unrestricted API queries
D) Ignoring content security policies
Answer: A) Implementing response filtering and returning only necessary data
Explanation: APIs should limit response data to prevent unintentional sensitive data exposure.
19. What is API logging used for?
A) Detecting security incidents and monitoring API activity
B) Encrypting API responses
C) Hiding errors from users
D) Improving API speed
Answer: A) Detecting security incidents and monitoring API activity
Explanation: API logs help detect suspicious activity, failed login attempts, and potential security breaches.
20. What is a Web Application Firewall (WAF) used for in API security?
A) Filtering malicious API requests
B) Storing API credentials
C) Speeding up API responses
D) Encrypting API data
Answer: A) Filtering malicious API requests
Explanation: WAFs block SQL Injection, XSS, and API exploitation attempts.
21. What is an effective method for API key security?
A) Hardcoding API keys in the source code
B) Storing API keys in environment variables
C) Sending API keys in URL parameters
D) Sharing API keys publicly
Answer: B) Storing API keys in environment variables
Explanation: API keys should never be hardcoded or exposed publicly. Storing them in environment variables is a best practice for security.
22. How can an API prevent unauthorized access to sensitive user data?
A) Implementing proper authentication and authorization checks
B) Allowing unrestricted data retrieval
C) Using weak passwords for API keys
D) Avoiding authentication tokens
Answer: A) Implementing proper authentication and authorization checks
Explanation: APIs must enforce authentication and authorization to ensure users only access their permitted data.
23. What is the purpose of API Gateway security?
A) Managing and securing API traffic
B) Disabling authentication mechanisms
C) Exposing API documentation publicly
D) Allowing unlimited API requests
Answer: A) Managing and securing API traffic
Explanation: API Gateways act as reverse proxies, providing authentication, rate limiting, and monitoring for API traffic.
24. Which security flaw allows unauthorized users to access private API endpoints?
A) Broken Access Control
B) Secure Data Encryption
C) OAuth Authentication
D) Enforcing Rate Limits
Answer: A) Broken Access Control
Explanation: Broken Access Control occurs when API endpoints fail to verify a user's privileges before providing access.
25. What is an Open API security risk?
A) Exposing API endpoints without authentication
B) Using HTTPS for all API communications
C) Implementing multi-factor authentication
D) Limiting API responses
Answer: A) Exposing API endpoints without authentication
Explanation: Public APIs that lack authentication allow unauthorized users to access sensitive data.
26. What is a CSRF attack in API security?
A) An attack where a user is tricked into making an unwanted request
B) An attack that modifies JavaScript in a web page
C) An attack that uses brute-force login attempts
D) An attack that injects SQL queries
Answer: A) An attack where a user is tricked into making an unwanted request
Explanation: Cross-Site Request Forgery (CSRF) forces users to execute malicious actions on a trusted API.
27. How can APIs prevent CSRF attacks?
A) Using CSRF tokens in API requests
B) Allowing unauthenticated requests
C) Storing credentials in the browser
D) Avoiding HTTPS implementation
Answer: A) Using CSRF tokens in API requests
Explanation: CSRF tokens validate that requests originate from legitimate sources, preventing unauthorized actions.
28. What is the main security risk of exposing error messages in API responses?
A) It helps attackers gather information about the API's structure
B) It improves API performance
C) It enhances user experience
D) It prevents security vulnerabilities
Answer: A) It helps attackers gather information about the API's structure
Explanation: Verbose error messages can leak sensitive implementation details, enabling reconnaissance attacks.
29. Which security control can prevent excessive API requests from a single source?
A) Implementing API Rate Limiting
B) Allowing unlimited API calls
C) Exposing API keys publicly
D) Using insecure authentication
Answer: A) Implementing API Rate Limiting
Explanation: Rate limiting prevents DoS attacks by restricting the number of API requests per user/IP.
30. Why is logging API request data important?
A) To detect unauthorized access attempts
B) To expose API keys in public logs
C) To make API responses slower
D) To provide sensitive data to attackers
Answer: A) To detect unauthorized access attempts
Explanation: API logs help in detecting anomalies, failed authentication attempts, and security incidents.
31. What is JWT token expiration used for in API security?
A) To reduce the risk of token reuse and theft
B) To allow permanent user authentication
C) To make API responses faster
D) To avoid using encryption
Answer: A) To reduce the risk of token reuse and theft
Explanation: Short-lived JWTs reduce the risk of stolen tokens being reused in an attack.
32. What is API key leakage?
A) Exposure of API keys due to poor security practices
B) A technique to improve API performance
C) A way to secure API authentication
D) A method to limit API access
Answer: A) Exposure of API keys due to poor security practices
Explanation: API key leakage occurs when keys are exposed in repositories, logs, or client-side code, leading to unauthorized access.
33. How can APIs secure data in transit?
A) Enforcing HTTPS with TLS encryption
B) Using plaintext HTTP communication
C) Storing data in unencrypted format
D) Allowing unsecured connections
Answer: A) Enforcing HTTPS with TLS encryption
Explanation: HTTPS with TLS encryption prevents man-in-the-middle (MITM) attacks by securing API communications.
34. Which security flaw occurs when API requests contain unvalidated inputs?
A) Injection Attacks (SQLi, Command Injection)
B) Secure Authentication
C) Proper Access Control
D) Rate Limiting
Answer: A) Injection Attacks (SQLi, Command Injection)
Explanation: Attackers exploit unvalidated inputs to inject malicious commands into API endpoints.
35. How can APIs prevent unauthorized access to admin endpoints?
A) Implementing strict role-based access control (RBAC)
B) Allowing anonymous access to admin routes
C) Using weak authentication
D) Disabling authorization checks
Answer: A) Implementing strict role-based access control (RBAC)
Explanation: RBAC ensures only authorized users with the correct roles can access sensitive endpoints.
36. What is an OAuth 2.0 refresh token used for?
A) Renewing access tokens without requiring re-authentication
B) Encrypting API responses
C) Increasing the API response time
D) Performing SQL Injection attacks
Answer: A) Renewing access tokens without requiring re-authentication
Explanation: Refresh tokens allow users to request a new access token without needing to log in again.
37. Which header should be used to prevent Clickjacking attacks on API endpoints?
A) X-Frame-Options
B) Content-Encoding
C) Content-Type
D) X-Rate-Limit
Answer: A) X-Frame-Options
Explanation: The X-Frame-Options header prevents API content from being embedded in frames on malicious websites.
38. What is the main advantage of API security testing?
A) Identifying vulnerabilities before attackers do
B) Making the API faster
C) Exposing API keys intentionally
D) Disabling authentication
Answer: A) Identifying vulnerabilities before attackers do
Explanation: Security testing helps detect misconfigurations and security flaws before hackers exploit them.
39. Which HTTP status code indicates unauthorized API access?
A) 401 Unauthorized
B) 200 OK
C) 302 Found
D) 500 Internal Server Error
Answer: A) 401 Unauthorized
Explanation: 401 Unauthorized indicates the client request lacks proper authentication.
40. What is API Whitelisting?
A) Allowing only trusted IP addresses or domains to access the API
B) Allowing unrestricted API access
C) Disabling authentication
D) Storing API keys in public repositories
Answer: A) Allowing only trusted IP addresses or domains to access the API
Explanation: Whitelisting restricts API access only to approved sources, reducing attack risks.
41. What does the HTTP 403 status code indicate in API security?
A) Unauthorized access due to invalid credentials
B) Forbidden access due to lack of required permissions
C) The requested API endpoint does not exist
D) The API server encountered an internal error
Answer: B) Forbidden access due to lack of required permissions
Explanation: 403 Forbidden occurs when an API correctly authenticates a user but denies access due to insufficient permissions.
42. Which API security measure helps prevent credential stuffing attacks?
A) Implementing rate limiting and account lockout mechanisms
B) Storing user credentials in plaintext
C) Disabling authentication on API endpoints
D) Hardcoding API credentials in client-side applications
Answer: A) Implementing rate limiting and account lockout mechanisms
Explanation: Rate limiting and account lockout after repeated failed login attempts help prevent credential stuffing attacks.
43. What is an API gateway’s role in security?
A) Managing and securing API traffic by enforcing authentication, logging, and rate limiting
B) Increasing API response times
C) Encrypting data at rest
D) Blocking all incoming API requests
Answer: A) Managing and securing API traffic by enforcing authentication, logging, and rate limiting
Explanation: An API gateway acts as a security layer that helps manage API traffic, enforce authentication, and apply rate limiting.
44. Which HTTP method is most vulnerable to data modification attacks?
A) GET
B) DELETE
C) PUT
D) POST
Answer: C) PUT
Explanation: PUT is often used to update existing resources, making it a target for unauthorized modifications if proper authentication and validation are not enforced.
45. What is API token revocation?
A) The process of invalidating a previously issued access token
B) The method of generating new API keys
C) A technique used to store credentials securely
D) A way to improve API speed
Answer: A) The process of invalidating a previously issued access token
Explanation: Revoking tokens prevents attackers from using compromised or stolen access tokens.
46. What is the impact of exposing sensitive business logic in API responses?
A) Attackers can exploit internal API workflows and gain unauthorized access
B) API responses become more efficient
C) API security is improved
D) Attackers are prevented from accessing data
Answer: A) Attackers can exploit internal API workflows and gain unauthorized access
Explanation: Exposing internal business logic allows attackers to understand and manipulate API behaviors.
47. Which API vulnerability allows attackers to replay valid API requests?
A) API Replay Attack
B) SQL Injection
C) CSRF (Cross-Site Request Forgery)
D) IDOR (Insecure Direct Object Reference)
Answer: A) API Replay Attack
Explanation: In a Replay Attack, attackers intercept valid API requests and send them again to gain unauthorized access.
48. What is the risk of using long-lived API tokens?
A) If stolen, they can be used indefinitely without expiration
B) They improve API security
C) They allow only one-time access
D) They reduce API response time
Answer: A) If stolen, they can be used indefinitely without expiration
Explanation: Short-lived tokens reduce risk by expiring quickly, limiting the damage if compromised.
49. Which security control can protect APIs against brute-force attacks?
A) Implementing CAPTCHA and multi-factor authentication
B) Using weak passwords
C) Allowing unlimited login attempts
D) Storing credentials in plaintext
Answer: A) Implementing CAPTCHA and multi-factor authentication
Explanation: CAPTCHA and MFA prevent automated brute-force login attacks on APIs.
50. What is an insecure CORS policy in API security?
A) Allowing requests from any origin (Access-Control-Allow-Origin: *)
B) Enforcing strict origin validation
C) Using JWT authentication
D) Enabling CSRF tokens
Answer: A) Allowing requests from any origin (Access-Control-Allow-Origin: *)
Explanation: An insecure CORS (Cross-Origin Resource Sharing) policy allows any website to access sensitive API data.
51. Why is API logging important for security?
A) It helps detect and investigate security incidents
B) It exposes sensitive data to attackers
C) It improves API response time
D) It allows anonymous API access
Answer: A) It helps detect and investigate security incidents
Explanation: API logs provide insights into unauthorized access attempts, failed logins, and suspicious API behavior.
52. Which attack exploits predictable object IDs in APIs?
A) Insecure Direct Object Reference (IDOR)
B) Cross-Site Scripting (XSS)
C) SQL Injection (SQLi)
D) DNS Spoofing
Answer: A) Insecure Direct Object Reference (IDOR)
Explanation: IDOR attacks occur when an API exposes predictable resource IDs without checking user permissions.
53. What should APIs avoid exposing in error messages?
A) Internal server details and stack traces
B) Generic error codes
C) HTTP response codes
D) API response headers
Answer: A) Internal server details and stack traces
Explanation: Verbose error messages reveal sensitive system details that attackers can exploit.
54. What is the best method for securing API secrets and keys?
A) Storing them in a secure vault or environment variables
B) Hardcoding them in source code
C) Embedding them in client-side JavaScript
D) Exposing them in API responses
Answer: A) Storing them in a secure vault or environment variables
Explanation: Environment variables and secret management tools (e.g., HashiCorp Vault, AWS Secrets Manager) prevent API key leaks.
55. What is an API security misconfiguration?
A) Incorrect or missing security settings that expose APIs to attacks
B) Using HTTPS for communication
C) Implementing strong authentication
D) Enforcing strict authorization
Answer: A) Incorrect or missing security settings that expose APIs to attacks
Explanation: API misconfigurations include missing security headers, weak authentication, and improper error handling.
56. How does an attacker exploit excessive data exposure in APIs?
A) By retrieving sensitive information that should not be exposed in API responses
B) By slowing down API requests
C) By modifying HTTP headers
D) By using only GET requests
Answer: A) By retrieving sensitive information that should not be exposed in API responses
Explanation: Excessive data exposure occurs when APIs return more data than necessary, making it easier for attackers to steal information.
57. Why should API keys be rotated periodically?
A) To limit the damage in case of key compromise
B) To make APIs faster
C) To allow unauthorized users access
D) To disable encryption
Answer: A) To limit the damage in case of key compromise
Explanation: Rotating API keys reduces the risk of long-term exposure if a key is leaked.
58. What is an API honeypot?
A) A fake API endpoint designed to attract attackers
B) A tool to improve API speed
C) An encrypted API key storage system
D) A method for generating API logs
Answer: A) A fake API endpoint designed to attract attackers
Explanation: API honeypots are used to track and analyze attacker behavior without exposing real data.
59. Which security risk arises from over-permissioned API tokens?
A) Unauthorized data access and privilege escalation
B) Improved API security
C) Reduced attack surface
D) Better authentication
Answer: A) Unauthorized data access and privilege escalation
Explanation: API tokens should only grant the necessary permissions to limit abuse.
60. How can APIs defend against injection attacks?
A) Using input validation and parameterized queries
B) Accepting raw SQL statements from users
C) Logging API keys in plaintext
D) Disabling authentication
Answer: A) Using input validation and parameterized queries
Explanation: Input validation and parameterized queries prevent SQL, command, and code injection attacks.
61. What is the main risk of allowing CORS with wildcard (Access-Control-Allow-Origin: *)?
A) It allows any domain to make requests to the API, increasing attack risks
B) It improves API security by restricting access
C) It blocks unauthorized API requests
D) It enforces API authentication
Answer: A) It allows any domain to make requests to the API, increasing attack risks
Explanation: Allowing the CORS wildcard (*) means any website can make requests, which can lead to cross-origin attacks.
62. What is the best practice for securing an API that returns sensitive information?
A) Encrypting data in transit and at rest
B) Storing credentials in API responses
C) Allowing public access to sensitive endpoints
D) Exposing database errors in API responses
Answer: A) Encrypting data in transit and at rest
Explanation: Encrypting API responses (TLS/SSL) and stored data ensures that even if data is intercepted, it cannot be read.
63. Why should API access logs be regularly monitored?
A) To detect unauthorized API access and suspicious activity
B) To improve API performance
C) To expose sensitive API keys
D) To slow down API responses
Answer: A) To detect unauthorized API access and suspicious activity
Explanation: Log monitoring helps detect brute-force attacks, unauthorized access, and abnormal API usage patterns.
64. What is the recommended practice for API authentication tokens?
A) Using short-lived tokens with refresh mechanisms
B) Storing tokens in local storage without expiration
C) Allowing users to use the same token forever
D) Sending tokens via URL parameters
Answer: A) Using short-lived tokens with refresh mechanisms
Explanation: Short-lived tokens (e.g., OAuth 2.0) with refresh tokens help reduce the risk of stolen token misuse.
65. What is the risk of hardcoding API keys in mobile applications?
A) Attackers can extract keys and use them to access the API
B) It improves security
C) It speeds up API responses
D) It prevents unauthorized access
Answer: A) Attackers can extract keys and use them to access the API
Explanation: Hardcoded API keys in mobile apps can be reverse-engineered, allowing attackers to steal and misuse them.
66. How can an API prevent request tampering?
A) Using signed API requests with HMAC (Hash-based Message Authentication Code)
B) Allowing unverified API requests
C) Using weak encryption methods
D) Disabling input validation
Answer: A) Using signed API requests with HMAC (Hash-based Message Authentication Code)
Explanation: HMAC-signed requests ensure that API requests are not modified in transit.
67. What is an insecure API redirection vulnerability?
A) When an API redirects users to an attacker-controlled site
B) When an API enforces HTTPS for all requests
C) When API requests contain valid authentication headers
D) When an API applies input validation
Answer: A) When an API redirects users to an attacker-controlled site
Explanation: Open redirect vulnerabilities allow attackers to phish users by redirecting them to malicious sites.
68. What is the best way to protect API endpoints against brute-force attacks?
A) Implementing rate limiting and account lockouts
B) Allowing unlimited login attempts
C) Disabling authentication
D) Using HTTP instead of HTTPS
Answer: A) Implementing rate limiting and account lockouts
Explanation: Rate limiting and account lockouts help prevent brute-force attacks on API authentication endpoints.
69. How does an attacker exploit unrestricted API pagination?
A) By iterating through paginated API responses to extract large datasets
B) By speeding up API responses
C) By encrypting API requests
D) By applying secure authentication
Answer: A) By iterating through paginated API responses to extract large datasets
Explanation: Attackers exploit pagination flaws to scrape large amounts of data from APIs.
70. Which attack is prevented by validating the Origin and Referer headers in API requests?
A) Cross-Site Request Forgery (CSRF)
B) SQL Injection
C) Man-in-the-Middle (MITM)
D) XML External Entity (XXE)
Answer: A) Cross-Site Request Forgery (CSRF)
Explanation: Validating the Origin and Referer headers helps detect and prevent CSRF attacks.
71. Why should APIs use scopes in OAuth 2.0 authorization?
A) To limit API access based on user permissions
B) To increase API response time
C) To expose all API functionalities to users
D) To disable encryption
Answer: A) To limit API access based on user permissions
Explanation: OAuth scopes restrict access to specific API functionalities, preventing overprivileged access.
72. What is an API honeypot used for?
A) Detecting and analyzing attacker behavior
B) Speeding up API responses
C) Encrypting API data
D) Improving API performance
Answer: A) Detecting and analyzing attacker behavior
Explanation: API honeypots lure attackers into fake API endpoints to track malicious activities.
73. How can APIs protect against IDOR (Insecure Direct Object References)?
A) Enforcing proper authorization checks on user-accessible objects
B) Allowing all users to access object IDs
C) Using weak authentication mechanisms
D) Ignoring access control policies
Answer: A) Enforcing proper authorization checks on user-accessible objects
Explanation: APIs should validate user permissions before allowing access to resources based on object IDs.
74. Why should APIs avoid returning excessive metadata in responses?
A) To prevent attackers from gaining unnecessary information
B) To improve user experience
C) To expose debugging details
D) To increase API speed
Answer: A) To prevent attackers from gaining unnecessary information
Explanation: Excessive metadata in API responses can leak sensitive implementation details.
75. Which API attack relies on deeply nested JSON objects to cause a denial-of-service (DoS)?
A) Recursive JSON Bomb
B) API Enumeration
C) API Key Exposure
D) XML Injection
Answer: A) Recursive JSON Bomb
Explanation: Recursive JSON objects can cause memory exhaustion and DoS attacks on API servers.
76. What is the purpose of API input validation?
A) To prevent malicious data injection and security vulnerabilities
B) To slow down API responses
C) To expose sensitive data
D) To allow unrestricted user input
Answer: A) To prevent malicious data injection and security vulnerabilities
Explanation: Input validation ensures that API requests contain only safe and expected data.
77. Why is API versioning important for security?
A) To maintain backward compatibility while enforcing new security controls
B) To disable old API endpoints permanently
C) To remove authentication mechanisms
D) To prevent encryption
Answer: A) To maintain backward compatibility while enforcing new security controls
Explanation: API versioning helps phase out insecure endpoints while maintaining functionality.
78. How can APIs prevent excessive client-side request retries?
A) Implementing exponential backoff
B) Allowing unlimited retries
C) Disabling authentication
D) Returning full database queries
Answer: A) Implementing exponential backoff
Explanation: Exponential backoff helps limit request retries, preventing DoS attacks.
79. Which API security header prevents content sniffing attacks?
A) X-Content-Type-Options: nosniff
B) X-Frame-Options
C) Content-Encoding
D) X-Rate-Limit
Answer: A) X-Content-Type-Options: nosniff
Explanation: This header prevents browsers from interpreting API responses as executable content.
80. How can APIs prevent GraphQL query abuse?
A) Limiting query depth and complexity
B) Allowing unrestricted GraphQL queries
C) Ignoring API authentication
D) Using insecure API keys
Answer: A) Limiting query depth and complexity
Explanation: Restricting GraphQL query depth helps prevent DoS attacks from deeply nested queries.
81. What is the main risk of exposing API versioning in URLs (e.g., api/v1/users)?
A) Attackers can target outdated or vulnerable API versions
B) It improves API security
C) It speeds up API responses
D) It prevents unauthorized access
Answer: A) Attackers can target outdated or vulnerable API versions
Explanation: Older API versions may have unpatched vulnerabilities that attackers can exploit.
82. Which technique is most effective for securing API secrets in CI/CD pipelines?
A) Using environment variables or secret management tools
B) Hardcoding secrets in source code
C) Storing API keys in public repositories
D) Exposing secrets in API error messages
Answer: A) Using environment variables or secret management tools
Explanation: Secret management tools (e.g., AWS Secrets Manager, HashiCorp Vault) securely store API credentials.
83. What is an API Schema Validation attack?
A) Exploiting APIs by sending malformed or unexpected data types
B) Encrypting API responses
C) Validating API requests correctly
D) Enforcing authentication
Answer: A) Exploiting APIs by sending malformed or unexpected data types
Explanation: Schema validation attacks exploit poorly validated API requests, causing crashes or bypassing security controls.
84. What should an API do when an invalid authentication token is provided?
A) Return a 401 Unauthorized response
B) Allow access with limited privileges
C) Provide the correct token in the response
D) Return a 200 OK status
Answer: A) Return a 401 Unauthorized response
Explanation: APIs should deny access and return a 401 Unauthorized response when authentication fails.
85. What is the best way to prevent API endpoint abuse by bots?
A) Implementing CAPTCHA and behavioral analysis
B) Disabling authentication
C) Allowing unrestricted API access
D) Using long-lived tokens
Answer: A) Implementing CAPTCHA and behavioral analysis
Explanation: CAPTCHA and behavior-based detection help block bot-driven API abuse.
86. What is the primary risk of allowing wildcard characters in API queries?
A) Attackers can perform SQL Injection attacks more easily
B) It speeds up database queries
C) It prevents unauthorized access
D) It ensures complete security
Answer: A) Attackers can perform SQL Injection attacks more easily
Explanation: Wildcards (%) in SQL queries can allow unauthorized access to large datasets.
87. Which security measure helps detect anomalies in API usage patterns?
A) API anomaly detection and behavioral monitoring
B) Allowing unrestricted API requests
C) Using weak authentication mechanisms
D) Disabling logging
Answer: A) API anomaly detection and behavioral monitoring
Explanation: Behavioral monitoring helps detect unusual activity, API scraping, and brute-force attacks.
88. Why should API rate limits be different for authenticated and unauthenticated users?
A) To prevent abuse while allowing normal user activity
B) To disable authentication for certain users
C) To allow unrestricted API access
D) To reduce API logging
Answer: A) To prevent abuse while allowing normal user activity
Explanation: Higher rate limits for authenticated users prevent abuse while ensuring legitimate users are not blocked.
89. What is an API Eavesdropping attack?
A) When an attacker intercepts API requests to steal sensitive data
B) When an API returns encrypted data
C) When API authentication fails
D) When an API blocks unauthorized requests
Answer: A) When an attacker intercepts API requests to steal sensitive data
Explanation: Eavesdropping attacks occur when unencrypted API traffic is intercepted by attackers.
90. How can APIs prevent excessive data exposure when processing user requests?
A) Implementing response filtering and output encoding
B) Allowing unrestricted data retrieval
C) Returning full database query results
D) Storing API responses in plaintext logs
Answer: A) Implementing response filtering and output encoding
Explanation: APIs should limit response data to only the necessary fields, preventing excessive exposure.
91. What is an API Shadow Endpoint?
A) An undocumented or hidden API endpoint that attackers may exploit
B) A well-documented API endpoint
C) An endpoint protected by OAuth
D) An endpoint that uses strong authentication
Answer: A) An undocumented or hidden API endpoint that attackers may exploit
Explanation: Shadow APIs are forgotten, undocumented, or unmonitored endpoints that pose security risks.
92. What is an API Skimming attack?
A) When attackers steal sensitive data from API requests
B) When an API encrypts responses
C) When an API blocks unauthorized requests
D) When an API enforces multi-factor authentication
Answer: A) When attackers steal sensitive data from API requests
Explanation: API skimming occurs when attackers intercept and extract user payment or personal data.
93. How can APIs protect against over-fetching and under-fetching data?
A) Implementing GraphQL or selective field retrieval
B) Allowing unrestricted data access
C) Returning full database dumps in API responses
D) Avoiding authorization checks
Answer: A) Implementing GraphQL or selective field retrieval
Explanation: GraphQL or field-based querying ensures APIs return only the required data, improving performance and security.
94. What is a Reverse API Proxy used for?
A) Protecting APIs by filtering and inspecting requests before reaching the backend
B) Exposing internal API logs
C) Increasing API attack surface
D) Disabling authentication
Answer: A) Protecting APIs by filtering and inspecting requests before reaching the backend
Explanation: Reverse proxies help filter malicious traffic, enforce security policies, and improve API performance.
95. What is the risk of using the eval() function in API code?
A) It allows remote code execution vulnerabilities
B) It improves API security
C) It prevents SQL Injection
D) It ensures strong authentication
Answer: A) It allows remote code execution vulnerabilities
Explanation: The eval() function executes arbitrary code, which can lead to remote code execution (RCE) attacks.
96. What is the primary security risk of an API returning detailed error messages?
A) It provides attackers with useful information for reconnaissance
B) It improves API security
C) It speeds up debugging
D) It prevents brute-force attacks
Answer: A) It provides attackers with useful information for reconnaissance
Explanation: Verbose error messages may reveal database structures, stack traces, or internal API behaviors.
97. What is an API Resource Exhaustion attack?
A) When attackers flood an API with requests to consume system resources
B) When an API encrypts responses
C) When an API implements strict access control
D) When an API applies logging mechanisms
Answer: A) When attackers flood an API with requests to consume system resources
Explanation: Resource exhaustion attacks aim to overload an API, leading to denial-of-service (DoS) conditions.
98. What is the best way to prevent API key misuse?
A) Implementing API key whitelisting and scope-based restrictions
B) Allowing API keys to be used without validation
C) Hardcoding API keys in public repositories
D) Sharing API keys across multiple applications
Answer: A) Implementing API key whitelisting and scope-based restrictions
Explanation: Whitelisting trusted IPs and restricting API key permissions help prevent misuse.
99. How does an attacker exploit a lack of input sanitization in APIs?
A) By injecting malicious code (SQLi, XSS, RCE)
B) By improving API security
C) By reducing API logging
D) By encrypting API traffic
Answer: A) By injecting malicious code (SQLi, XSS, RCE)
Explanation: Input sanitization failures lead to injection attacks that compromise API security.
100. What is the best way to prevent Broken Function Level Authorization (BFLA) in APIs?
A) Enforcing role-based access control (RBAC)
B) Allowing unrestricted API access
C) Using weak authentication
D) Ignoring authorization checks
Answer: A) Enforcing role-based access control (RBAC)
Explanation: RBAC ensures users can only access API functionalities based on their roles.
101. What is the most secure way to store API authentication tokens on a client-side application?
A) Using HTTP-only and Secure cookies
B) Storing tokens in local storage
C) Hardcoding tokens in JavaScript files
D) Sending tokens via URL parameters
Answer: A) Using HTTP-only and Secure cookies
Explanation: HTTP-only and Secure cookies prevent JavaScript access, reducing risks of XSS attacks.
102. What is an API Injection Attack?
A) Sending malicious input to exploit vulnerabilities in API processing
B) Encrypting API traffic
C) Increasing API response speed
D) Implementing strict authentication
Answer: A) Sending malicious input to exploit vulnerabilities in API processing
Explanation: Injection attacks (SQL Injection, Command Injection, XSS) occur when an API does not properly validate input.
103. What is the purpose of an API Security Policy?
A) To define security rules for authentication, authorization, and data protection
B) To allow unrestricted API access
C) To remove access control mechanisms
D) To store API keys in plaintext
Answer: A) To define security rules for authentication, authorization, and data protection
Explanation: API security policies define best practices for access control, data protection, and encryption.
104. Which authentication method should be avoided in API security?
A) Basic Authentication (username & password) over HTTP
B) OAuth 2.0 with JWT
C) Mutual TLS authentication
D) API Key with IP whitelisting
Answer: A) Basic Authentication (username & password) over HTTP
Explanation: Basic Authentication without encryption exposes credentials, making them vulnerable to interception.
105. What is a major security risk of allowing public API documentation?
A) Attackers can discover API endpoints and exploit them
B) It improves API security
C) It speeds up API response times
D) It prevents unauthorized access
Answer: A) Attackers can discover API endpoints and exploit them
Explanation: Public API documentation may reveal sensitive endpoints, parameters, and potential attack surfaces.
106. How can an API prevent Web Scraping attacks?
A) Implementing rate limiting, user-agent filtering, and behavioral analysis
B) Allowing unlimited requests from all sources
C) Disabling authentication
D) Storing API responses in plaintext
Answer: A) Implementing rate limiting, user-agent filtering, and behavioral analysis
Explanation: Blocking bot-like behavior prevents automated tools from scraping sensitive API data.
107. What is API Response Injection?
A) When an attacker modifies API responses to manipulate user data
B) When an API encrypts all responses
C) When API authentication is strengthened
D) When API logs are disabled
Answer: A) When an attacker modifies API responses to manipulate user data
Explanation: Response injection allows attackers to modify API output, leading to data tampering or phishing attacks.
108. How can APIs mitigate JSON Injection attacks?
A) Implementing strict JSON schema validation and escaping user inputs
B) Allowing unrestricted input processing
C) Removing authentication checks
D) Using insecure API key management
Answer: A) Implementing strict JSON schema validation and escaping user inputs
Explanation: Validating and escaping JSON inputs prevents injection attacks that manipulate API behavior.
109. What is the risk of exposing API stack traces in error messages?
A) Attackers can use them to identify vulnerabilities in the API
B) It enhances security
C) It speeds up API responses
D) It prevents API abuse
Answer: A) Attackers can use them to identify vulnerabilities in the API
Explanation: Stack traces reveal internal system details, helping attackers craft targeted exploits.
110. What is an API Client Impersonation attack?
A) When an attacker uses stolen credentials to mimic legitimate API clients
B) When an API enforces authentication
C) When API tokens are securely stored
D) When rate limiting is applied
Answer: A) When an attacker uses stolen credentials to mimic legitimate API clients
Explanation: Client impersonation occurs when attackers steal API keys or tokens to perform unauthorized actions.
111. How can APIs prevent excessive recursion in JSON objects?
A) Limiting object nesting depth in API requests
B) Allowing unrestricted recursive calls
C) Using plaintext authentication tokens
D) Storing user data in logs
Answer: A) Limiting object nesting depth in API requests
Explanation: Restricting recursive nesting prevents denial-of-service (DoS) attacks from deeply nested objects.
112. What is the best practice for handling expired API tokens?
A) Redirecting users to reauthenticate securely
B) Allowing continued access after expiration
C) Exposing token details in API responses
D) Hardcoding token expiration times
Answer: A) Redirecting users to reauthenticate securely
Explanation: Expired tokens should trigger reauthentication to maintain secure API sessions.
113. What is a primary security risk of self-signed SSL certificates in APIs?
A) They are more vulnerable to Man-in-the-Middle (MITM) attacks
B) They enhance security
C) They improve API performance
D) They prevent unauthorized access
Answer: A) They are more vulnerable to Man-in-the-Middle (MITM) attacks
Explanation: Self-signed SSL certificates are not issued by a trusted certificate authority (CA), so clients cannot verify the server's identity, leaving APIs vulnerable to MITM attacks.
114. Why should API keys be regenerated periodically?
A) To reduce the impact of compromised keys
B) To improve API response times
C) To allow anonymous API access
D) To disable authentication
Answer: A) To reduce the impact of compromised keys
Explanation: Periodic API key rotation reduces the risk of long-term exposure if a key is leaked.
115. What is the purpose of API Threat Intelligence?
A) To detect, analyze, and respond to emerging API threats
B) To expose API vulnerabilities publicly
C) To allow unauthorized access
D) To disable logging
Answer: A) To detect, analyze, and respond to emerging API threats
Explanation: API Threat Intelligence helps identify attack patterns and mitigate risks in real time.
116. Why is excessive API logging a security risk?
A) Logs may store sensitive data that attackers can access
B) It enhances security
C) It prevents unauthorized access
D) It improves API speed
Answer: A) Logs may store sensitive data that attackers can access
Explanation: Sensitive API logs can expose tokens, passwords, and user data, leading to data breaches.
117. What is a primary security risk of using long-lived OAuth access tokens?
A) If stolen, they can be used indefinitely without expiration
B) They improve security
C) They reduce attack surfaces
D) They prevent unauthorized access
Answer: A) If stolen, they can be used indefinitely without expiration
Explanation: Short-lived tokens with refresh mechanisms reduce the risk of token misuse.
118. What is an API Masquerading attack?
A) When an attacker creates a fake API endpoint to trick users into interacting with it
B) When an API enforces authentication
C) When API tokens are securely stored
D) When rate limiting is applied
Answer: A) When an attacker creates a fake API endpoint to trick users into interacting with it
Explanation: Masquerading attacks involve fake APIs that steal user credentials or sensitive data.
119. How can APIs prevent race condition vulnerabilities?
A) Implementing optimistic or pessimistic locking mechanisms
B) Allowing concurrent modifications without control
C) Disabling authentication
D) Storing logs in plaintext
Answer: A) Implementing optimistic or pessimistic locking mechanisms
Explanation: Race conditions occur when simultaneous requests modify the same resource, leading to inconsistencies.
120. What is API Rate Throttling used for?
A) Limiting the number of API requests per user/IP to prevent abuse
B) Allowing unlimited requests from all sources
C) Exposing API secrets
D) Storing logs insecurely
Answer: A) Limiting the number of API requests per user/IP to prevent abuse
Explanation: Rate throttling protects APIs from DoS attacks and excessive API usage.
121. What is an API scraping attack?
A) When an attacker systematically extracts data from an API without permission
B) When an API encrypts all responses
C) When an API requires multi-factor authentication
D) When an API improves performance
Answer: A) When an attacker systematically extracts data from an API without permission
Explanation: API scraping allows attackers to harvest large amounts of data for competitive intelligence or cybercrime.
122. Why should APIs reject overly large request bodies?
A) To prevent denial-of-service (DoS) and resource exhaustion attacks
B) To allow unrestricted data uploads
C) To expose more API functionalities
D) To disable authentication
Answer: A) To prevent denial-of-service (DoS) and resource exhaustion attacks
Explanation: Large request payloads can overwhelm APIs, leading to DoS attacks.
123. What is an API Spamming attack?
A) When attackers flood an API with repeated requests to disrupt services
B) When an API encrypts responses
C) When API authentication is enforced
D) When rate limiting is disabled
Answer: A) When attackers flood an API with repeated requests to disrupt services
Explanation: API spamming involves excessive automated requests, which can disrupt API availability.
124. What is the best method to prevent brute-force attacks on API login endpoints?
A) Implementing rate limiting, IP blocking, and CAPTCHA
B) Allowing unlimited login attempts
C) Exposing authentication logs publicly
D) Storing passwords in plaintext
Answer: A) Implementing rate limiting, IP blocking, and CAPTCHA
Explanation: Brute-force attacks can be mitigated by limiting login attempts, blocking abusive IPs, and requiring CAPTCHA.
125. What is the risk of allowing API key authentication without expiration?
A) Stolen keys can be used indefinitely without detection
B) It improves API security
C) It prevents unauthorized access
D) It ensures faster API responses
Answer: A) Stolen keys can be used indefinitely without detection
Explanation: API keys should have expiration policies to limit the impact of key compromise.
126. How can an API defend against excessive API parameter tampering?
A) Implementing strict schema validation for requests
B) Allowing users to modify API query parameters
C) Disabling authentication checks
D) Allowing any input without validation
Answer: A) Implementing strict schema validation for requests
Explanation: API parameter tampering occurs when attackers modify input parameters to manipulate API behavior.
127. What is the risk of allowing unauthenticated file uploads in an API?
A) Attackers can upload malicious files for remote code execution (RCE)
B) It improves API security
C) It prevents unauthorized access
D) It enhances performance
Answer: A) Attackers can upload malicious files for remote code execution (RCE)
Explanation: Insecure file uploads allow attackers to execute arbitrary code or host malware on the server.
128. How does an attacker exploit an API with weak CORS policies?
A) By making unauthorized cross-origin requests to steal sensitive data
B) By enforcing strict access control
C) By requiring multi-factor authentication
D) By encrypting all API traffic
Answer: A) By making unauthorized cross-origin requests to steal sensitive data
Explanation: Weak CORS configurations allow malicious websites to interact with APIs and steal user data.
129. What is an API Side-Channel attack?
A) Extracting sensitive information by analyzing API response times or metadata
B) When an API enforces strong authentication
C) When rate limiting is applied
D) When an API improves security
Answer: A) Extracting sensitive information by analyzing API response times or metadata
Explanation: Side-channel attacks exploit timing differences, error messages, or metadata leaks to infer sensitive information.
130. How can APIs prevent dictionary attacks on login endpoints?
A) Implementing account lockout after multiple failed login attempts
B) Allowing unlimited login retries
C) Removing authentication requirements
D) Logging credentials in plaintext
Answer: A) Implementing account lockout after multiple failed login attempts
Explanation: Account lockout mechanisms prevent attackers from attempting large-scale password guessing.
131. What is a Zero-Day API Vulnerability?
A) A security flaw that has not been patched and is exploited in the wild
B) An API that requires authentication
C) A secure API with no vulnerabilities
D) An API with strong rate limiting
Answer: A) A security flaw that has not been patched and is exploited in the wild
Explanation: Zero-day vulnerabilities are unknown to vendors, making them high-risk attack targets.
132. Why should APIs avoid storing authentication tokens in local storage?
A) Because local storage can be accessed by malicious scripts (XSS attacks)
B) Because it improves authentication security
C) Because it prevents data leakage
D) Because it speeds up API responses
Answer: A) Because local storage can be accessed by malicious scripts (XSS attacks)
Explanation: Local storage is vulnerable to cross-site scripting (XSS) attacks, which can expose authentication tokens.
133. What is an API Cache Poisoning attack?
A) Manipulating cached API responses to serve malicious data
B) Encrypting all API responses
C) Implementing strict authentication policies
D) Applying rate limiting
Answer: A) Manipulating cached API responses to serve malicious data
Explanation: Cache poisoning allows attackers to inject malicious data into API cache mechanisms.
134. How can an API prevent excessive logging of sensitive user data?
A) Masking or redacting sensitive fields in logs
B) Logging all user passwords in plaintext
C) Storing API logs in publicly accessible locations
D) Removing all logging mechanisms
Answer: A) Masking or redacting sensitive fields in logs
Explanation: Sensitive data like passwords and API keys should be masked or excluded from logs.
135. What is a Server-Side Request Forgery (SSRF) attack in APIs?
A) When an attacker forces the API to make unintended requests to internal or external systems
B) When an API enforces strict authentication
C) When API tokens are securely stored
D) When rate limiting is applied
Answer: A) When an attacker forces the API to make unintended requests to internal or external systems
Explanation: SSRF attacks exploit poor input validation to trick APIs into making unauthorized requests.
136. What is an API Throttling attack?
A) When an attacker sends excessive requests to slow down the API
B) When an API implements rate limiting
C) When an API enforces multi-factor authentication
D) When an API uses HTTPS
Answer: A) When an attacker sends excessive requests to slow down the API
Explanation: API throttling attacks attempt to slow down or crash APIs by overloading them with requests.
137. Why is it dangerous to expose debug endpoints in production APIs?
A) Debug endpoints may leak sensitive data and internal system details
B) It improves API security
C) It prevents unauthorized access
D) It enhances performance
Answer: A) Debug endpoints may leak sensitive data and internal system details
Explanation: Exposed debug endpoints may reveal sensitive logs, configuration details, or even credentials.
138. What is an API Supply Chain Attack?
A) When attackers compromise third-party dependencies to inject vulnerabilities
B) When an API enforces strong authentication
C) When an API improves security
D) When rate limiting is applied
Answer: A) When attackers compromise third-party dependencies to inject vulnerabilities
Explanation: Supply chain attacks exploit third-party libraries or dependencies to introduce security flaws.
139. What is the risk of allowing unrestricted HTTP methods in an API?
A) Attackers may use unintended methods to modify or delete data
B) It improves API performance
C) It prevents unauthorized access
D) It ensures faster API responses
Answer: A) Attackers may use unintended methods to modify or delete data
Explanation: Restricting HTTP methods to only those necessary reduces security risks.
140. What is the best practice for securing API health check endpoints?
A) Restricting access to internal users and masking sensitive details
B) Allowing unrestricted public access
C) Logging API credentials in health checks
D) Removing all security headers
Answer: A) Restricting access to internal users and masking sensitive details
Explanation: Health check endpoints should not expose internal system details to unauthorized users.
141. What is an API Token Leakage attack?
A) When API tokens are exposed in logs, URLs, or public repositories
B) When an API requires strong authentication
C) When API tokens expire quickly
D) When an API enforces rate limiting
Answer: A) When API tokens are exposed in logs, URLs, or public repositories
Explanation: Leaked API tokens allow attackers to gain unauthorized access to APIs.
142. What is an API WAF (Web Application Firewall) used for?
A) Filtering and blocking malicious API requests
B) Encrypting API responses
C) Increasing API speed
D) Disabling authentication
Answer: A) Filtering and blocking malicious API requests
Explanation: WAFs help protect APIs from attacks such as SQL Injection, XSS, and DoS.
143. Why should APIs use content-type validation?
A) To prevent API abuse via unexpected input formats
B) To allow unrestricted content processing
C) To expose more data to users
D) To disable authentication
Answer: A) To prevent API abuse via unexpected input formats
Explanation: Validating content types prevents attackers from injecting malicious payloads.
144. How does an API protect against Clickjacking attacks?
A) By setting the X-Frame-Options header
B) By allowing unrestricted iframe embedding
C) By disabling authentication
D) By exposing API secrets
Answer: A) By setting the X-Frame-Options header
Explanation: Clickjacking protection prevents malicious websites from embedding API pages.
145. What is an API Downgrade attack?
A) When an attacker forces an API to use an outdated and insecure version
B) When an API enforces strict security
C) When API responses are encrypted
D) When rate limiting is applied
Answer: A) When an attacker forces an API to use an outdated and insecure version
Explanation: Forcing APIs to downgrade weakens security, making them susceptible to known vulnerabilities.
146. What is an API Query Parameter Pollution attack?
A) When an attacker injects multiple parameters to manipulate API behavior
B) When an API applies strong authentication
C) When an API logs all queries
D) When API access is restricted
Answer: A) When an attacker injects multiple parameters to manipulate API behavior
Explanation: Query parameter pollution exploits APIs that fail to validate and sanitize multiple parameters.
147. Why should APIs avoid storing sensitive user data in GET parameters?
A) GET parameters are visible in URLs and can be logged or cached
B) It improves security
C) It prevents unauthorized access
D) It increases API speed
Answer: A) GET parameters are visible in URLs and can be logged or cached
Explanation: Sensitive data in URLs can be leaked via browser history, logs, and referrer headers.
148. What is API Replay Protection?
A) Preventing attackers from reusing valid API requests to bypass authentication
B) Increasing API response times
C) Disabling authentication
D) Allowing unrestricted API requests
Answer: A) Preventing attackers from reusing valid API requests to bypass authentication
Explanation: Replay attacks occur when attackers capture and resend API requests, bypassing security.
149. Why is it important to use API Schema Validation?
A) To ensure API requests follow expected formats and prevent injection attacks
B) To disable authentication
C) To expose API endpoints to all users
D) To store user credentials in logs
Answer: A) To ensure API requests follow expected formats and prevent injection attacks
Explanation: Schema validation ensures that APIs only accept properly formatted and expected inputs.
150. What is the risk of exposing API error stack traces to users?
A) Attackers can gain insights into API structure and vulnerabilities
B) It improves API security
C) It prevents unauthorized access
D) It increases API performance
Answer: A) Attackers can gain insights into API structure and vulnerabilities
Explanation: Stack traces can expose underlying technology, code paths, and security flaws.
151. What is API Response Smuggling?
A) When an attacker manipulates API responses to inject malicious data
B) When an API enforces strict authentication
C) When API logging is disabled
D) When rate limiting is applied
Answer: A) When an attacker manipulates API responses to inject malicious data
Explanation: Response smuggling attacks occur when malformed API responses are processed incorrectly.
152. What is API Token Impersonation?
A) When an attacker uses stolen API tokens to gain unauthorized access
B) When an API requires multi-factor authentication
C) When API keys are securely stored
D) When rate limiting is applied
Answer: A) When an attacker uses stolen API tokens to gain unauthorized access
Explanation: Impersonation attacks occur when attackers steal and use API tokens.
153. How does an API protect against HTTP Host Header Injection?
A) By validating the Host header against an allowlist
B) By allowing all incoming host headers
C) By exposing sensitive data in headers
D) By disabling authentication
Answer: A) By validating the Host header against an allowlist
Explanation: Host header validation prevents attackers from poisoning API requests.
154. What is an API Rate-Based Attack?
A) When an attacker sends a large volume of requests to overload an API
B) When an API enforces rate limiting
C) When API authentication is applied
D) When API logs are disabled
Answer: A) When an attacker sends a large volume of requests to overload an API
Explanation: Rate-based attacks flood APIs with requests, leading to denial-of-service (DoS) conditions.
155. Why should API tokens be scoped to specific actions?
A) To limit the damage if a token is compromised
B) To allow unrestricted API access
C) To store user credentials in API responses
D) To disable authentication
Answer: A) To limit the damage if a token is compromised
Explanation: Scoped tokens ensure that even if an API token is leaked, it has limited permissions.
156. How can APIs prevent JSON Injection attacks?
A) By validating and escaping JSON inputs
B) By allowing unrestricted JSON input processing
C) By logging JSON data in plaintext
D) By exposing API secrets in JSON responses
Answer: A) By validating and escaping JSON inputs
Explanation: JSON injection attacks occur when malformed or malicious JSON is processed without validation.
157. What is an API Honeypot used for?
A) To attract and analyze potential attackers targeting APIs
B) To increase API response times
C) To disable authentication
D) To store API logs in plaintext
Answer: A) To attract and analyze potential attackers targeting APIs
Explanation: Honeypots help detect and analyze malicious activities against APIs.
158. Why should API tokens be rotated periodically?
A) To minimize risk in case of token compromise
B) To expose API secrets
C) To allow unlimited API access
D) To store sensitive data in logs
Answer: A) To minimize risk in case of token compromise
Explanation: Token rotation ensures that stolen tokens are only valid for a short time.
159. What is an API Reflected Parameter Injection attack?
A) When an attacker injects malicious content into API parameters that get reflected in responses
B) When an API enforces strict authentication
C) When API responses are encrypted
D) When rate limiting is applied
Answer: A) When an attacker injects malicious content into API parameters that get reflected in responses
Explanation: Reflected parameter injection can lead to phishing, XSS, or data manipulation attacks.
160. Why should APIs avoid wildcard permissions in access control policies?
A) Wildcard permissions grant excessive and unintended access
B) They improve API security
C) They enforce strong authentication
D) They increase API performance
Answer: A) Wildcard permissions grant excessive and unintended access
Explanation: Wildcard permissions allow broad and unrestricted access, which can lead to privilege escalation.
161. What is an API Abuse Attack?
A) When attackers misuse API functionalities for unintended purposes
B) When an API enforces strong authentication
C) When API responses are encrypted
D) When API rate limiting is applied
Answer: A) When attackers misuse API functionalities for unintended purposes
Explanation: API abuse occurs when APIs are exploited for data scraping, spam, or privilege escalation.
162. How can APIs prevent excessive token reuse?
A) Implementing token expiration and refresh mechanisms
B) Allowing tokens to be used indefinitely
C) Logging tokens in plaintext
D) Storing authentication data in URLs
Answer: A) Implementing token expiration and refresh mechanisms
Explanation: Token expiration and refresh tokens ensure that stolen tokens cannot be reused indefinitely.
163. What is a primary security risk of exposing verbose API error messages?
A) Attackers can gather sensitive information about API internals
B) It improves API performance
C) It speeds up debugging for developers
D) It prevents unauthorized access
β
Answer: A) Attackers can gather sensitive information about API internals
π‘ Explanation: Verbose error messages may leak stack traces, database details, or authentication mechanisms.
164. How can APIs prevent enumeration attacks on usernames or emails?
A) Returning a generic response like “Invalid credentials” instead of revealing valid users
B) Allowing unrestricted API queries
C) Logging all user credentials
D) Using weak passwords for authentication
β
Answer: A) Returning a generic response like “Invalid credentials” instead of revealing valid users
π‘ Explanation: User enumeration occurs when APIs reveal whether a username/email exists, aiding brute-force and credential-stuffing attacks. The message, status code, and response timing must all be identical for unknown users and wrong passwords, and the same applies to registration and password-reset endpoints.
165. What is an API Cache Invalidation attack?
A) When attackers manipulate API cache to serve outdated or incorrect responses
B) When an API implements caching
C) When API authentication is enforced
D) When API rate limiting is disabled
β
Answer: A) When attackers manipulate API cache to serve outdated or incorrect responses
π‘ Explanation: Attacks on API caching (often called cache poisoning) trick the cache into storing and serving attacker-influenced or stale responses. Every input that changes the response must be part of the cache key, and per-user or authenticated responses should not be cached at shared layers.
166. Why should APIs enforce input validation on the server side?
A) Client-side validation can be bypassed by attackers
B) It prevents API abuse
C) It improves response speed
D) It reduces authentication complexity
β
Answer: A) Client-side validation can be bypassed by attackers
π‘ Explanation: Server-side validation ensures that data integrity is maintained even if client-side checks are bypassed.
167. What is API Rate Splicing?
A) When attackers manipulate API requests to bypass rate limits
B) When an API enforces authentication
C) When API logs are disabled
D) When API secrets are exposed
β
Answer: A) When attackers manipulate API requests to bypass rate limits
π‘ Explanation: Rate splicing spreads requests across many source IPs, accounts, API keys, or header variations (for example a forged X-Forwarded-For) so that no single counter reaches its limit. Limits should be keyed to the authenticated principal, not to request attributes the client can change freely.
168. How can APIs defend against credential stuffing attacks?
A) Using rate limiting, multi-factor authentication (MFA), and CAPTCHA
B) Allowing unlimited login attempts
C) Exposing authentication logs publicly
D) Disabling authentication
β
Answer: A) Using rate limiting, multi-factor authentication (MFA), and CAPTCHA
π‘ Explanation: Credential stuffing relies on automated login attempts with leaked credentials. MFA and CAPTCHA help block bots.
169. Why should APIs avoid passing sensitive API keys in URL query strings?
A) URLs are routinely written to server, proxy, and browser logs and can leak through Referer headers
B) It improves security
C) It ensures fast authentication
D) It prevents unauthorized access
β
Answer: A) URLs are routinely written to server, proxy, and browser logs and can leak through Referer headers
π‘ Explanation: Query strings are logged by default at almost every hop and survive in browser history and bookmarks. API keys belong in the Authorization header over HTTPS, and request logging should be configured to redact that header.
170. What is an API Batching Attack?
A) Sending multiple API requests in a single batch to bypass rate limits
B) When an API enforces strict authentication
C) When API responses are encrypted
D) When rate limiting is applied
β
Answer: A) Sending multiple API requests in a single batch to bypass rate limits
π‘ Explanation: Batching attacks (common with GraphQL and bulk endpoints) pack many operations into one HTTP request, so a limiter that counts requests sees one event while hundreds of logins or lookups execute. Cap the batch size and count each operation against the limit.
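The following added example (not code from the original page) shows the difference between a limiter that counts HTTP requests and one that counts the operations inside a batch. The batch format, client identifiers, and limits are constructed for illustration.

```python
import time
from collections import defaultdict, deque

LIMIT = 100        # operations per window (assumed policy)
WINDOW_S = 60.0    # window length in seconds (assumed policy)
MAX_BATCH = 10     # largest batch the hardened handler will accept (assumed policy)


class RateLimiter:
    """Sliding-window limiter keyed by client. `cost` is the number of
    operations a request represents, so a batch can be charged correctly."""

    def __init__(self, limit=LIMIT, window_s=WINDOW_S):
        self.limit = limit
        self.window = window_s
        self.events = defaultdict(deque)  # client_id -> timestamps of charged ops

    def allow(self, client_id, cost=1, now=None):
        now = time.monotonic() if now is None else now
        q = self.events[client_id]
        while q and q[0] <= now - self.window:   # drop events outside the window
            q.popleft()
        if len(q) + cost > self.limit:
            return False
        q.extend([now] * cost)
        return True


def execute(op):
    # Stand-in for the real work (login attempt, record lookup, ...).
    return f"ok:{op['op']}"


def handle_batch_naive(limiter, client_id, batch, now=None):
    # Vulnerable: one HTTP request costs one token no matter how many
    # operations it carries, so a 1000-entry batch runs 1000 operations.
    if not limiter.allow(client_id, 1, now):
        return "429 Too Many Requests"
    return [execute(op) for op in batch]


def handle_batch_hardened(limiter, client_id, batch, now=None):
    # Bound the batch size first, then charge one token per operation.
    if len(batch) > MAX_BATCH:
        return "413 Batch Too Large"
    if not limiter.allow(client_id, len(batch), now):
        return "429 Too Many Requests"
    return [execute(op) for op in batch]


# Constructed attacker traffic: 1000 password guesses in a single request.
ATTACK_BATCH = [{"op": "login", "user": "alice", "pw": f"guess{i}"} for i in range(1000)]
```

With the naive handler the attacker's single request executes all 1000 guesses; the hardened handler rejects the oversized batch outright, and ten-entry batches exhaust the 100-operation budget after ten requests, which is what a per-operation limit is supposed to do.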
171. How can APIs prevent excessive data scraping?
A) Implementing behavioral analysis, IP blocking, and request throttling
B) Allowing unrestricted API access
C) Logging all API queries in plaintext
D) Exposing user data in API responses
β
Answer: A) Implementing behavioral analysis, IP blocking, and request throttling
π‘ Explanation: Scraping defenses detect unusual traffic patterns and restrict automated data extraction.
172. What is an API Subdomain Takeover attack?
A) When attackers take control of an unused subdomain pointing to an API
B) When an API enforces strong authentication
C) When API logging is disabled
D) When rate limiting is applied
β
Answer: A) When attackers take control of an unused subdomain pointing to an API
π‘ Explanation: A DNS record (typically a CNAME) left pointing at a deprovisioned cloud resource lets an attacker claim that resource and serve content, or receive API traffic and credentials, under the organization's own hostname. Remove DNS records when the target is decommissioned.
173. Why should API responses not include excessive metadata?
A) It can reveal internal system details to attackers
B) It speeds up API responses
C) It improves logging
D) It ensures faster authentication
β
Answer: A) It can reveal internal system details to attackers
π‘ Explanation: Leaking excessive metadata may expose API versioning, database structure, or internal logic.
174. What is an API Object-Level Authorization attack?
A) When an attacker accesses or modifies unauthorized objects due to weak access controls
B) When an API applies strict authentication
C) When API responses are encrypted
D) When API logs are disabled
β
Answer: A) When an attacker accesses or modifies unauthorized objects due to weak access controls
π‘ Explanation: Poor access control at the object level leads to Insecure Direct Object References (IDOR), listed as Broken Object Level Authorization (API1) in the OWASP API Security Top 10. Authentication alone is not enough; every request must check that the caller is allowed to act on the specific object it names.
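An added example, not taken from the original page, showing an IDOR-prone lookup next to one that checks ownership. The invoice store, user ids, and role model are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: float


class NotFound(Exception):
    """Raised for both missing and foreign objects so the status code
    cannot be used to enumerate which ids exist."""


# Constructed data: two users, two invoices.
INVOICES = {
    101: Invoice(101, owner_id=1, amount=19.99),
    102: Invoice(102, owner_id=2, amount=5400.00),
}


def get_invoice_vulnerable(current_user_id, invoice_id, roles=()):
    # The caller is authenticated, but nothing ties invoice_id to the caller:
    # GET /invoices/102 works for user 1 just as well as for user 2.
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound()
    return inv


def get_invoice_hardened(current_user_id, invoice_id, roles=()):
    inv = INVOICES.get(invoice_id)
    is_owner = inv is not None and inv.owner_id == current_user_id
    is_admin = "admin" in roles
    # Decide on existence and authorization together so the response is the
    # same 404 whether the object is missing or belongs to someone else.
    if inv is None or not (is_owner or is_admin):
        raise NotFound()
    return inv


def fetch(handler, current_user_id, invoice_id, roles=()):
    """Small HTTP-style wrapper: returns (status, invoice_or_None)."""
    try:
        return 200, handler(current_user_id, invoice_id, roles)
    except NotFound:
        return 404, None
```

The ownership check has to live in the handler for every object type, including "hidden" ones such as attachments and audit entries; a 403 for foreign objects is acceptable in some designs, but it tells the attacker that the id is valid.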
175. How does API request timestamp validation help security?
A) It prevents replay attacks by rejecting old or duplicate requests
B) It improves API speed
C) It allows longer authentication sessions
D) It removes the need for encryption
β
Answer: A) It prevents replay attacks by rejecting old or duplicate requests
π‘ Explanation: Timestamp validation bounds the window in which a captured request can be replayed. On its own it does not stop a replay inside that window, so it is paired with a one-time nonce that the server remembers for the window's duration and a signature that covers both.
176. Why should APIs implement IP allowlists for admin endpoints?
A) To restrict access to trusted networks only
B) To improve response speed
C) To allow unrestricted API access
D) To expose admin credentials
β
Answer: A) To restrict access to trusted networks only
π‘ Explanation: Allowlisting ensures only requests from approved IP ranges reach sensitive endpoints like admin panels. It is a network-layer control that complements authentication rather than replacing it, and the client address must be taken from the connection or from a header set by a trusted proxy, never from a client-supplied X-Forwarded-For.
177. What is API Impersonation via User-Agent Spoofing?
A) When an attacker fakes the User-Agent to bypass API access restrictions
B) When an API enforces authentication
C) When API logging is disabled
D) When rate limiting is applied
β
Answer: A) When an attacker fakes the User-Agent to bypass API access restrictions
π‘ Explanation: Spoofing the User-Agent string helps attackers disguise their bot traffic as legitimate users. Because the header is entirely client-controlled, it can inform bot detection but must never be a security boundary on its own.
178. How can APIs prevent Cross-Origin API Abuse?
A) Enforcing strict CORS policies and validating Origin headers
B) Allowing unrestricted CORS settings
C) Logging API credentials in plaintext
D) Removing authentication mechanisms
β
Answer: A) Enforcing strict CORS policies and validating Origin headers
π‘ Explanation: Strict CORS settings prevent unauthorized cross-domain access to APIs from browsers. Match the Origin exactly against an allowlist rather than reflecting it or substring-matching it, and remember that CORS is enforced only by browsers, so the API still needs authentication and authorization for non-browser clients.
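The example below is added here and is not code from the original page. It contrasts three ways an API might compute its CORS response headers: reflecting the Origin, substring-matching it, and exact matching against an allowlist. The allowlist and the origins used are constructed.

```python
from urllib.parse import urlsplit

# Assumed allowlist of first-party web origins (scheme + host, no path).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_reflecting(request_headers):
    # Vulnerable: echoes any Origin and allows credentials, so every site on
    # the internet can make authenticated cross-origin calls from a victim's browser.
    origin = request_headers.get("Origin")
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_substring(request_headers):
    # Still vulnerable: "example.com" occurs inside
    # https://app.example.com.attacker.net, so an attacker-registered
    # domain passes the check.
    origin = request_headers.get("Origin", "")
    if "example.com" not in origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_hardened(request_headers):
    origin = request_headers.get("Origin")
    if not origin:
        return {}
    parts = urlsplit(origin)
    # Browsers send Origin as scheme://host[:port] only. Rebuild it from the
    # parsed parts so userinfo tricks (https://app.example.com@attacker.net)
    # and stray paths cannot slip through, then compare exactly.
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return {}
    if normalized not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": normalized,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}   # keep shared caches from serving one origin's headers to another
```

"Vary: Origin" matters whenever the allowed origin is chosen per request; without it an intermediate cache may hand the first caller's Access-Control-Allow-Origin to every later caller.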
179. What is an API User Deprovisioning Attack?
A) When an attacker abuses API account deletion mechanisms
B) When an API requires multi-factor authentication
C) When API secrets are stored securely
D) When rate limiting is applied
β
Answer: A) When an attacker abuses API account deletion mechanisms
π‘ Explanation: Attackers may delete or disable accounts using insecure deprovisioning endpoints.
180. How does API Request Normalization improve security?
A) It ensures consistent request formatting to prevent manipulation
B) It disables authentication
C) It speeds up API responses
D) It allows unrestricted API access
β
Answer: A) It ensures consistent request formatting to prevent manipulation
π‘ Explanation: Normalization prevents bypassing security filters by standardizing API inputs (path, case, Unicode form, and percent-encoding) before any authorization or validation decision is made, so that /admin, /ADMIN, /%61dmin and /admin/../admin are all judged as the same resource.
181. What is an API Token Forgery attack?
A) When an attacker crafts a fake authentication token to gain unauthorized access
B) When an API enforces strict authentication
C) When API secrets are securely stored
D) When rate limiting is applied
β
Answer: A) When an attacker crafts a fake authentication token to gain unauthorized access
π‘ Explanation: Token forgery occurs when attackers craft or manipulate authentication tokens to impersonate users, for example by exploiting a JWT library that accepts the "none" algorithm, a guessable signing key, or a signature that is never verified.
182. Why should APIs avoid using predictable session identifiers?
A) Attackers can guess session IDs and hijack active user sessions
B) It improves security
C) It ensures faster authentication
D) It speeds up API responses
β
Answer: A) Attackers can guess session IDs and hijack active user sessions
π‘ Explanation: Weak session identifiers (sequential counters, timestamps, or values from a non-cryptographic PRNG) can be guessed or brute-forced, allowing attackers to take over sessions. Generate them from a cryptographically secure random source with at least 128 bits of entropy.
183. What is API Privilege Escalation?
A) When an attacker gains higher access than intended due to misconfigured permissions
B) When an API enforces authentication
C) When API responses are encrypted
D) When API rate limiting is applied
β
Answer: A) When an attacker gains higher access than intended due to misconfigured permissions
π‘ Explanation: Privilege escalation happens when APIs grant excessive privileges to unauthorized users.
184. How can APIs prevent data tampering in API payloads?
A) Implementing request signing and data integrity checks
B) Allowing users to modify API responses
C) Storing authentication data in URLs
D) Disabling authentication
β
Answer: A) Implementing request signing and data integrity checks
π‘ Explanation: Request signing (for example an HMAC over the method, path, timestamp, nonce, and body hash) gives application-layer integrity and authenticity that survives TLS termination at proxies and gateways, so a payload altered anywhere between client and API is rejected.
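The following added example (not from the original page) implements the request-signing scheme described above together with the timestamp-and-nonce replay check from question 175, so one block covers both. The shared secret, header names, skew window, and request data are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-shared-secret"   # assumed: provisioned to client and API out of band
MAX_SKEW_S = 300                         # assumed: accept timestamps within +/- 5 minutes


def canonical(method, path, body, ts, nonce):
    """Bytes that the signature covers. Hashing the body keeps the string
    bounded; including ts and nonce binds the signature to this one request."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{ts}\n{nonce}\n{body_hash}".encode()


def sign_request(secret, method, path, body, ts=None, nonce=None):
    """Client side: produce the three headers the API expects."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    sig = hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}


class Verifier:
    """Server side: checks freshness, signature, and single use of the nonce."""

    def __init__(self, secret, max_skew_s=MAX_SKEW_S):
        self.secret = secret
        self.max_skew = max_skew_s
        self.seen = {}   # nonce -> time after which it may be forgotten

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return "missing-auth"
        if abs(now - ts) > self.max_skew:
            return "stale"                      # outside the replay window
        expected = hmac.new(self.secret, canonical(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return "bad-signature"              # body, path, ts or nonce was altered
        # Forget nonces whose window has closed, then refuse any we have seen.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = ts + self.max_skew
        return "ok"
```

The nonce store only needs to hold values for one skew window, which is what keeps it bounded; in a multi-instance deployment it must be shared (for example in a central cache), or the same captured request can be replayed once per instance.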
185. What is an API Reflected Parameter Attack?
A) When user input is reflected in API responses, leading to XSS or phishing
B) When an API enforces strong authentication
C) When API logging is disabled
D) When rate limiting is applied
β
Answer: A) When user input is reflected in API responses, leading to XSS or phishing
π‘ Explanation: Reflected parameter attacks occur when APIs return unvalidated user input in responses. Validate input on the server, serve JSON with the correct Content-Type and X-Content-Type-Options: nosniff, and encode data on the client before rendering it.
186. How can APIs mitigate DNS Rebinding attacks?
A) Validating the Host header against an allowlist and never treating a request's network origin as authentication
B) Allowing unrestricted hostnames
C) Storing DNS records in plaintext
D) Disabling authentication
β
Answer: A) Validating the Host header against an allowlist and never treating a request's network origin as authentication
π‘ Explanation: In DNS rebinding a malicious site's hostname resolves first to the attacker and then to an internal address, so the victim's browser sends same-origin requests to an internal API that trusted the local network. Rejecting unexpected Host values and requiring real credentials even for internal callers defeats it.
187. Why should APIs avoid returning detailed debug information in production?
A) Debug information may expose internal system details to attackers
B) It improves API performance
C) It speeds up user authentication
D) It prevents unauthorized access
β
Answer: A) Debug information may expose internal system details to attackers
π‘ Explanation: Detailed debugging messages can reveal database structures, error handling mechanisms, and API logic.
188. What is an API Key Rotation Policy?
A) A policy that requires periodic regeneration of API keys to reduce security risks
B) A policy to allow unlimited API key usage
C) A policy to store API keys in logs
D) A policy to expose API keys in responses
β
Answer: A) A policy that requires periodic regeneration of API keys to reduce security risks
π‘ Explanation: Rotating API keys periodically limits the damage in case of compromise.
189. How does API Access Token Scoping improve security?
A) By limiting what actions a token can perform
B) By allowing unrestricted API access
C) By disabling authentication
D) By storing access tokens in client-side storage
β
Answer: A) By limiting what actions a token can perform
π‘ Explanation: Scoped tokens restrict the level of access granted, reducing security risks.
190. What is an API Over-Permissioned Endpoint?
A) An endpoint that grants excessive privileges, allowing unauthorized actions
B) An endpoint that applies strict authentication
C) An endpoint that stores API logs in plaintext
D) An endpoint that requires multi-factor authentication
β
Answer: A) An endpoint that grants excessive privileges, allowing unauthorized actions
π‘ Explanation: Misconfigured APIs may expose administrative or sensitive actions to unauthorized users.
191. What is an API Insecure Direct File Access attack?
A) When an attacker retrieves or modifies files directly through API endpoints
B) When an API requires authentication
C) When API responses are encrypted
D) When API logging is disabled
β
Answer: A) When an attacker retrieves or modifies files directly through API endpoints
π‘ Explanation: Insecure direct file access allows attackers to read or modify sensitive files.
192. Why should API sessions be invalidated upon logout?
A) To prevent session hijacking and reuse of old sessions
B) To allow continued access even after logout
C) To speed up authentication
D) To store sensitive user data
β
Answer: A) To prevent session hijacking and reuse of old sessions
π‘ Explanation: Invalidating sessions on logout ensures that stolen session tokens cannot be reused. For server-side sessions this means deleting the record; for self-contained tokens such as JWTs it requires a server-side revocation list or short lifetimes, because the signature alone stays valid until expiry.
193. What is an API User Enumeration Attack?
A) When attackers determine valid usernames by analyzing API responses
B) When an API enforces strong authentication
C) When API responses are encrypted
D) When API logs are disabled
β
Answer: A) When attackers determine valid usernames by analyzing API responses
π‘ Explanation: APIs that return different responses for valid and invalid usernames allow enumeration attacks. Differences in wording, status code, or response time all count: if password hashing runs only for existing users, the slower response reveals the account even when the message is identical.
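An added example, not from the original page, that serves question 164 as well as this one: a login handler that leaks account existence through its messages and its timing, beside one that returns a single generic response and does the same amount of password-hashing work for unknown users. The user table, passwords, and PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 50_000   # assumed; production values are typically higher


def hash_password(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user table with a single account.
USERS = {"alice": hash_password("correct horse battery staple")}

# A dummy credential verified for unknown usernames so that the hashing cost
# (and therefore the response time) is the same as for a real account.
_DUMMY = hash_password(secrets.token_hex(16))


def login_vulnerable(username, password):
    rec = USERS.get(username)
    if rec is None:
        return 404, "No such user"          # leaks existence directly, and returns fast
    salt, digest = rec
    if hmac.compare_digest(hash_password(password, salt)[1], digest):
        return 200, "Welcome"
    return 401, "Wrong password"            # leaks existence through the message


def login_hardened(username, password):
    salt, digest = USERS.get(username, _DUMMY)
    # Always hash, always compare in constant time, always answer the same way.
    ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
    if ok and username in USERS:
        return 200, "Welcome"
    return 401, "Invalid credentials"
```

The same discipline applies to registration ("email already in use") and password reset ("if an account exists, we sent an email"), since those endpoints are often the easiest place to confirm that an address is registered.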
194. How can APIs prevent data exposure through overly verbose responses?
A) Implementing response filtering and only returning necessary data
B) Exposing full database records in responses
C) Storing user credentials in API responses
D) Allowing unrestricted API queries
β
Answer: A) Implementing response filtering and only returning necessary data
π‘ Explanation: Excessive data exposure can leak sensitive information to unauthorized users.
195. What is an API Shadow IT Risk?
A) When unauthorized APIs are created and used without security oversight
B) When an API enforces strong authentication
C) When API responses are encrypted
D) When API rate limiting is applied
β
Answer: A) When unauthorized APIs are created and used without security oversight
π‘ Explanation: Shadow IT APIs introduce security risks due to lack of governance and monitoring.
196. Why should APIs use OAuth PKCE (Proof Key for Code Exchange)?
A) To prevent authorization code interception attacks
B) To expose API authentication details
C) To allow unrestricted API access
D) To store API keys in logs
β
Answer: A) To prevent authorization code interception attacks
π‘ Explanation: PKCE binds the authorization code to the client instance that started the flow: the client sends a SHA-256 challenge of a random verifier when requesting the code and must present the verifier to redeem it, so a code intercepted from a redirect is useless on its own. Originally designed for public clients, it is now recommended for all OAuth clients.
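An added example, not from the original page, walking through the PKCE exchange from both sides: the client derives the verifier and S256 challenge, and a toy authorization server refuses to redeem a code without the matching verifier. The server, its storage, and the client identifiers are assumptions made for the illustration; the challenge derivation follows RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def challenge_for(code_verifier):
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair():
    """Client side: 32 random bytes give a 43-character verifier (allowed range 43..128)."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, challenge_for(verifier)


class AuthorizationServer:
    """Toy server holding issued codes in memory (assumed design)."""

    def __init__(self):
        self.codes = {}   # code -> (client_id, code_challenge)

    def authorize(self, client_id, code_challenge, code_challenge_method="S256"):
        # "plain" sends the verifier itself as the challenge and gives no protection.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id, code, code_verifier):
        entry = self.codes.pop(code, None)          # codes are single use
        if entry is None:
            return None
        issued_to, expected_challenge = entry
        if issued_to != client_id or not (43 <= len(code_verifier) <= 128):
            return None
        if not hmac.compare_digest(challenge_for(code_verifier), expected_challenge):
            return None                             # verifier does not match the challenge
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

The attacker in the code-interception scenario sees the redirect carrying the code but never the verifier, which only ever travels in the client's direct token request; the single-use rule additionally means a code redeemed by the legitimate client cannot be redeemed again.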
197. What is an API Business Logic Abuse attack?
A) When an attacker exploits API functionality in unintended ways
B) When an API enforces authentication
C) When API logs are disabled
D) When API responses are encrypted
β
Answer: A) When an attacker exploits API functionality in unintended ways
π‘ Explanation: Business logic abuse manipulates workflows, like bypassing payment verification or rate limits.
198. How can APIs prevent Man-in-the-Middle (MITM) attacks?
A) Using HTTPS with TLS encryption for all API communications
B) Allowing unencrypted HTTP connections
C) Storing API secrets in responses
D) Logging user passwords in plaintext
β
Answer: A) Using HTTPS with TLS encryption for all API communications
π‘ Explanation: HTTPS ensures API communications are encrypted and authenticated, preventing MITM attacks as long as the client actually validates the server certificate chain and hostname; disabling verification in an SDK or mobile app reopens the attack. HSTS and redirecting or refusing plain HTTP close the downgrade path.
199. What is an API Attack Surface?
A) The sum of all API endpoints and components that can be targeted by attackers
B) The encryption mechanism used in API responses
C) The logging system for API requests
D) The API caching strategy
β
Answer: A) The sum of all API endpoints and components that can be targeted by attackers
π‘ Explanation: Reducing API attack surface limits potential security vulnerabilities.
200. Why should APIs avoid using wildcard (*) permissions in OAuth scopes?
A) Wildcards grant excessive access, increasing security risks
B) It improves security
C) It ensures faster authentication
D) It prevents unauthorized access
β
Answer: A) Wildcards grant excessive access, increasing security risks
π‘ Explanation: Restricting OAuth scopes to the minimal required permissions reduces the impact of a leaked token. Refuse to issue wildcard scopes, and have resource servers match required scopes exactly rather than expanding patterns at check time.