1. What is the most effective way to prevent API key leakage?
A) Hardcoding API keys in the frontend
B) Storing API keys in environment variables
C) Including API keys in client-side JavaScript files
D) Printing API keys in error logs
β
Answer: B) Storing API keys in environment variables
π Explanation: Hardcoding API keys in frontend code makes them accessible to attackers. Storing them in environment variables keeps them safe and prevents exposure in the source code.
2. Which HTTP method is typically used for retrieving data from an API?
A) POST
B) GET
C) DELETE
D) PUT
β
Answer: B) GET
π Explanation: The GET method is used for fetching data from a server without making changes. Unlike POST, PUT, or DELETE, GET requests should not modify resources.
3. Why is rate limiting essential for API security?
A) It helps in logging API requests
B) It prevents API versioning issues
C) It protects against DDoS and brute force attacks
D) It improves API documentation
β
Answer: C) It protects against DDoS and brute force attacks
π Explanation: Rate limiting restricts the number of requests a client can send in a given time, helping prevent DDoS attacks, API abuse, and credential stuffing attempts.
4. Which authentication method is most recommended for securing APIs?
A) Basic Authentication
B) API Key Authentication
C) OAuth 2.0
D) Passing credentials in URL parameters
β
Answer: C) OAuth 2.0
π Explanation: OAuth 2.0 is a secure, token-based authentication protocol widely used for API security. Basic auth and API key authentication are less secure since they lack proper token expiry and rotation mechanisms.
5. What is the primary purpose of JSON Web Tokens (JWT) in API security?
A) Encrypt API traffic
B) Authenticate and authorize users
C) Hide API endpoints
D) Prevent API rate limiting
β
Answer: B) Authenticate and authorize users
π Explanation: JWTs are used to authenticate users and verify permissions. They allow stateless authentication, meaning the server does not need to store session data.
6. Which security measure helps prevent Cross-Site Request Forgery (CSRF) attacks on APIs?
A) Using same-origin policy
B) Implementing CORS without restrictions
C) Using CSRF tokens and SameSite cookies
D) Allowing wildcard (*) origins in CORS
β
Answer: C) Using CSRF tokens and SameSite cookies
π Explanation: CSRF tokens ensure that a request originates from a legitimate user, and SameSite cookies prevent browsers from sending cookies with cross-site requests.
7. What does the “Least Privilege Principle” mean in API security?
A) Allowing all users full access to the API
B) Granting users the minimum permissions required
C) Disabling authentication for internal APIs
D) Using wildcard (*) permissions in API access control
β
Answer: B) Granting users the minimum permissions required
π Explanation: The principle of least privilege (PoLP) ensures that users and applications have only the permissions they absolutely need, reducing attack surface.
8. How does API versioning help in security?
A) It prevents SQL Injection attacks
B) It restricts access to deprecated APIs
C) It allows API keys to be stored in URLs
D) It increases the number of API requests
β
Answer: B) It restricts access to deprecated APIs
π Explanation: Versioning allows older, potentially insecure APIs to be retired, forcing clients to use updated and secure endpoints.
9. What is the risk of using wildcard (*) in CORS settings?
A) It prevents API caching
B) It allows any origin to access the API
C) It improves API speed
D) It enables automatic rate limiting
β
Answer: B) It allows any origin to access the API
π Explanation: A *wildcard CORS policy (Access-Control-Allow-Origin: ) allows any domain to interact with your API, potentially exposing it to cross-origin attacks.
10. Which technique prevents sensitive data exposure in API responses?
A) Using HTTPS
B) Logging API responses
C) Implementing data minimization
D) Increasing API rate limits
β
Answer: C) Implementing data minimization
π Explanation: Data minimization ensures that APIs return only necessary data, reducing the risk of leaking sensitive information (e.g., user passwords or tokens).
11. What is the best way to protect against SQL Injection in APIs?
A) Using input validation and parameterized queries
B) Logging all user input
C) Allowing direct database queries
D) Using client-side validation only
β
Answer: A) Using input validation and parameterized queries
π Explanation: Parameterized queries prevent SQL injection by safely handling user input instead of concatenating it into SQL queries.
12. What role does an API Gateway play in security?
A) It provides logging and monitoring
B) It acts as a reverse proxy to manage API traffic
C) It enforces rate limiting and authentication
D) All of the above
β
Answer: D) All of the above
π Explanation: API Gateways handle authentication, rate limiting, traffic control, and monitoring, improving overall API security.
13. Why should sensitive API endpoints be restricted to internal use?
A) To improve performance
B) To prevent unauthorized external access
C) To avoid unnecessary rate limiting
D) To allow CORS requests
β
Answer: B) To prevent unauthorized external access
π Explanation: Internal-only APIs should not be exposed publicly to reduce attack risks and prevent data breaches.
14. What is the recommended approach to logging API activity?
A) Logging full request payloads, including passwords
B) Logging only necessary metadata while avoiding sensitive data
C) Not logging API requests to save storage
D) Storing logs on the client side
β
Answer: B) Logging only necessary metadata while avoiding sensitive data
π Explanation: Logging should avoid storing sensitive data (e.g., passwords, tokens) but capture useful metadata for security monitoring.
15. How can API security be tested effectively?
A) Using automated vulnerability scanners
B) Conducting penetration testing
C) Performing security audits
D) All of the above
β
Answer: D) All of the above
π Explanation: A combination of automated scans, manual penetration testing, and security audits helps identify API vulnerabilities.
16. Which attack exploits improperly implemented JWT validation?
A) CSRF
B) JWT Signature Stripping Attack
C) Clickjacking
D) SQL Injection
β
Answer: B) JWT Signature Stripping Attack
π Explanation: Attackers strip or modify JWT signatures if validation is improperly implemented, leading to unauthorized access.
17. What does HSTS do for API security?
A) Forces HTTPS and prevents downgrade attacks
B) Enables CORS policy
C) Encrypts API responses
D) Blocks all HTTP requests
β
Answer: A) Forces HTTPS and prevents downgrade attacks
π Explanation: HSTS (HTTP Strict Transport Security) ensures APIs are only accessed over HTTPS, preventing MITM (Man-in-the-Middle) attacks.
18. Which HTTP header is essential for preventing Clickjacking attacks on API-based web applications?
A) X-Content-Type-Options
B) Content-Security-Policy: frame-ancestors
C) Access-Control-Allow-Origin
D) X-Frame-Options: ALLOWALL
β
Answer: B) Content-Security-Policy: frame-ancestors
π Explanation: The CSP “frame-ancestors” directive prevents clickjacking by controlling which domains can embed the API-based application in an iframe.
19. What is a common mistake when implementing OAuth 2.0 in APIs?
A) Using HTTPS for all API endpoints
B) Storing OAuth tokens in secure HTTP-only cookies
C) Using implicit flow for web applications instead of authorization code flow
D) Rotating OAuth refresh tokens periodically
β
Answer: C) Using implicit flow for web applications instead of authorization code flow
π Explanation: Implicit flow is insecure for web apps because tokens are exposed in the URL. Instead, use Authorization Code Flow with PKCE for better security.
20. Why should API responses avoid exposing stack traces?
A) To speed up API responses
B) To prevent information leakage about the backend
C) To improve API logging
D) To enhance API rate limiting
β
Answer: B) To prevent information leakage about the backend
π Explanation: Stack traces can reveal sensitive information about the backend structure, including file paths and technology stack, which attackers can exploit.
21. Which security measure prevents replay attacks on APIs?
A) Encrypting API requests
B) Using Nonce and Timestamp in API requests
C) Allowing anonymous API access
D) Increasing API timeout
β
Answer: B) Using Nonce and Timestamp in API requests
π Explanation: Nonce (unique request identifier) and Timestamp prevent replay attacks by ensuring each request is unique and within a valid timeframe.
22. What is a common vulnerability when allowing file uploads in APIs?
A) Slow API performance
B) Unrestricted file types leading to Remote Code Execution (RCE)
C) Larger database storage
D) Increased bandwidth consumption
β
Answer: B) Unrestricted file types leading to Remote Code Execution (RCE)
π Explanation: APIs should validate file types, use allowlists, and scan files to prevent malicious file uploads that can lead to RCE attacks.
23. What is the safest way to handle API authentication tokens in a frontend application?
A) Store tokens in localStorage
B) Store tokens in sessionStorage
C) Store tokens in secure, HTTP-only, same-site cookies
D) Append tokens to URLs
β
Answer: C) Store tokens in secure, HTTP-only, same-site cookies
π Explanation: HTTP-only cookies prevent JavaScript access to tokens, reducing the risk of XSS attacks and token theft.
24. How can APIs prevent excessive data scraping?
A) Using bot detection techniques and CAPTCHAs
B) Logging API responses
C) Encrypting all API responses
D) Allowing unrestricted access to data
β
Answer: A) Using bot detection techniques and CAPTCHAs
π Explanation: Bots can scrape sensitive data, so APIs should use rate limiting, bot detection mechanisms, and CAPTCHAs to prevent abuse.
25. What is an effective way to protect sensitive API endpoints from unauthorized access?
A) Using static API keys
B) Implementing role-based access control (RBAC)
C) Allowing wildcard (*) CORS policies
D) Keeping API documentation private
β
Answer: B) Implementing role-based access control (RBAC)
π Explanation: RBAC ensures users only access what they are authorized for, preventing unauthorized actions on sensitive API endpoints.
26. Which API authentication method is the most secure?
A) API Key
B) JWT
C) OAuth 2.0 with PKCE
D) Basic Authentication
β
Answer: C) OAuth 2.0 with PKCE
π Explanation: OAuth 2.0 with PKCE provides enhanced security by preventing token interception, making it ideal for public clients like mobile and SPAs.
27. What is API throttling used for?
A) Encrypting API traffic
B) Limiting the number of API requests per user
C) Enforcing strong authentication
D) Improving API documentation
β
Answer: B) Limiting the number of API requests per user
π Explanation: Throttling prevents abuse, DoS attacks, and API overuse by enforcing request limits.
28. What is an API Security Testing tool?
A) Postman
B) Burp Suite
C) Google Analytics
D) Webpack
β
Answer: B) Burp Suite
π Explanation: Burp Suite is widely used for API penetration testing to identify security vulnerabilities.
29. What is the best way to secure WebSockets in APIs?
A) Use HTTP instead of WebSockets
B) Implement authentication and secure token validation
C) Open WebSockets to all domains
D) Avoid using WebSockets for authentication
β
Answer: B) Implement authentication and secure token validation
π Explanation: WebSockets should have strong authentication mechanisms (e.g., JWT) to prevent unauthorized access.
30. What is an API fuzzing attack?
A) An attack that manipulates API input to discover vulnerabilities
B) A method of encrypting API responses
C) A way to optimize API performance
D) A secure API authentication mechanism
β
Answer: A) An attack that manipulates API input to discover vulnerabilities
π Explanation: Fuzzing attacks send unexpected or malformed data to APIs, uncovering hidden security flaws.
31. What should APIs use to encrypt data at rest?
A) SSL/TLS
B) AES encryption
C) Base64 encoding
D) ROT13
β
Answer: B) AES encryption
π Explanation: AES encryption secures stored (at-rest) data, ensuring it cannot be accessed without proper decryption keys.
32. What is GraphQL-specific security risk in APIs?
A) SQL Injection
B) Mass Assignment
C) GraphQL Batching Attacks
D) Phishing
β
Answer: C) GraphQL Batching Attacks
π Explanation: Batching attacks exploit GraphQLβs ability to process multiple queries in a single request, leading to DoS risks.
33. Why should API secrets never be stored in Git repositories?
A) They can be indexed by search engines
B) They can be exposed through accidental commits
C) They slow down API performance
D) They increase API response time
β
Answer: B) They can be exposed through accidental commits
π Explanation: API secrets stored in Git can be leaked and exploited by attackers. Use environment variables instead.
34. What is a Broken Object Level Authorization (BOLA) attack?
A) An attack that exploits improper object access control in APIs
B) A phishing attack against API users
C) An attack on API authentication mechanisms
D) An attack using brute-force techniques
β
Answer: A) An attack that exploits improper object access control in APIs
π Explanation: BOLA vulnerabilities occur when APIs allow unauthorized access to sensitive objects via ID manipulation.
35. What is the primary purpose of an API Web Application Firewall (WAF)?
A) Improving API response speed
B) Blocking malicious API traffic and attacks
C) Increasing API request limits
D) Encrypting API responses
β
Answer: B) Blocking malicious API traffic and attacks
π Explanation: A Web Application Firewall (WAF) helps protect APIs by filtering malicious requests and preventing attacks like SQL Injection, XSS, and DDoS.
36. What is an API shadow endpoint?
A) A deprecated but still active API endpoint
B) An endpoint used only for debugging
C) A fake API endpoint to mislead attackers
D) A highly secure API endpoint
β
Answer: A) A deprecated but still active API endpoint
π Explanation: Shadow APIs are outdated endpoints that are not officially maintained but still functional, making them vulnerable to attacks.
37. What is the best way to revoke an API key if it’s compromised?
A) Deleting all user data
B) Changing the API endpoint
C) Revoking the key and generating a new one
D) Encrypting the API key
β
Answer: C) Revoking the key and generating a new one
π Explanation: If an API key is leaked, it should be immediately revoked and replaced with a new one to prevent unauthorized access.
38. What is a security risk of using API Gateway with overly permissive settings?
A) Increased API response time
B) Unauthorized access to backend services
C) Reduced network traffic
D) Better API performance
β
Answer: B) Unauthorized access to backend services
π Explanation: API Gateways should have strict access controls to prevent attackers from reaching internal services.
39. Which security risk arises when API responses contain unnecessary details?
A) Increased API performance
B) Sensitive Data Exposure
C) Faster API debugging
D) Better API documentation
β
Answer: B) Sensitive Data Exposure
π Explanation: APIs should return only essential data to avoid exposing PII (Personally Identifiable Information) or system details.
40. How can APIs prevent JSON Injection attacks?
A) Validating and sanitizing input data
B) Using Basic Authentication
C) Implementing wildcard CORS
D) Disabling HTTPS
β
Answer: A) Validating and sanitizing input data
π Explanation: JSON Injection attacks manipulate API inputs, so strict validation and escaping user input can prevent exploitation.
41. What is the purpose of API response caching?
A) To store sensitive user data for faster access
B) To reduce API load and improve performance
C) To allow multiple users to access an API simultaneously
D) To prevent API security vulnerabilities
β
Answer: B) To reduce API load and improve performance
π Explanation: Caching stores frequent API responses, reducing server load and improving performance, but it should be done securely.
42. Which security vulnerability can occur if API logs are publicly accessible?
A) API rate limiting bypass
B) Unauthorized access to sensitive information
C) Faster API debugging
D) Improved API response time
β
Answer: B) Unauthorized access to sensitive information
π Explanation: Publicly exposed API logs can contain sensitive data, making them a high-risk target for attackers.
43. What is an effective way to secure API-based authentication tokens?
A) Storing tokens in localStorage
B) Using secure, short-lived access tokens with refresh tokens
C) Hardcoding tokens in frontend code
D) Logging all API tokens for debugging
β
Answer: B) Using secure, short-lived access tokens with refresh tokens
π Explanation: Short-lived access tokens reduce exposure risk, and refresh tokens provide longer-term security without constant re-authentication.
44. What does API Token Rotation help prevent?
A) Brute-force attacks
B) Stale token reuse and replay attacks
C) Faster API execution
D) Unauthorized CORS requests
β
Answer: B) Stale token reuse and replay attacks
π Explanation: Regular token rotation ensures old tokens cannot be reused, preventing stolen token abuse.
45. Why should API keys never be included in URL parameters?
A) URLs are logged in browser history and server logs
B) API requests are slower
C) It increases the API response size
D) It requires more storage
β
Answer: A) URLs are logged in browser history and server logs
π Explanation: API keys in URLs are easily exposed in logs, referrer headers, and browser history, making them a security risk.
46. What is the purpose of Mutual TLS (mTLS) in API security?
A) To encrypt all API traffic
B) To verify both the client and server identities
C) To improve API caching
D) To allow wildcard CORS
β
Answer: B) To verify both the client and server identities
π Explanation: Mutual TLS (mTLS) ensures that both API clients and servers authenticate each other, adding an extra security layer.
47. How can APIs defend against Man-in-the-Middle (MITM) attacks?
A) Using HTTP instead of HTTPS
B) Implementing SSL/TLS encryption
C) Hardcoding API keys
D) Disabling authentication
β
Answer: B) Implementing SSL/TLS encryption
π Explanation: SSL/TLS encrypts API traffic, preventing attackers from intercepting sensitive data.
48. What security measure helps prevent brute-force attacks on API authentication?
A) Storing passwords in plaintext
B) Implementing account lockout and CAPTCHA
C) Allowing unlimited authentication attempts
D) Using GET requests for authentication
β
Answer: B) Implementing account lockout and CAPTCHA
π Explanation: Brute-force prevention techniques, such as account lockout, rate limiting, and CAPTCHAs, help block automated attacks.
49. Why should APIs use Role-Based Access Control (RBAC)?
A) To allow all users the same level of access
B) To restrict API access based on user roles
C) To improve API performance
D) To store API responses securely
β
Answer: B) To restrict API access based on user roles
π Explanation: RBAC ensures that only authorized users have access to specific API endpoints, reducing security risks.
50. What is an API injection attack?
A) A security vulnerability where malicious input is executed on the API
B) An attack that encrypts API responses
C) A way to increase API performance
D) A secure API authentication mechanism
β
Answer: A) A security vulnerability where malicious input is executed on the API
π Explanation: API injection attacks (e.g., SQL Injection, XML Injection, and JSON Injection) occur when unvalidated user input is processed directly, leading to unauthorized code execution.
51. What is an API security risk associated with overexposed debug endpoints?
A) Debugging logs improve API security
B) They reveal sensitive system details and configurations
C) They help in rate limiting
D) Debug endpoints enhance API performance
β
Answer: B) They reveal sensitive system details and configurations
π Explanation: Debug endpoints often expose sensitive information like stack traces, database queries, and internal configurations, which attackers can exploit.
52. How can APIs prevent unauthorized access due to credential stuffing attacks?
A) Using CAPTCHA and multi-factor authentication (MFA)
B) Allowing users to log in with any credentials
C) Disabling authentication for public APIs
D) Logging all failed authentication attempts
β
Answer: A) Using CAPTCHA and multi-factor authentication (MFA)
π Explanation: Credential stuffing attacks use leaked passwords, so implementing MFA and CAPTCHA helps prevent unauthorized access.
53. What is the primary risk of long-lived API access tokens?
A) Increased API response time
B) Higher risk of token theft and misuse
C) Reduced API scalability
D) Better API performance
β
Answer: B) Higher risk of token theft and misuse
π Explanation: Long-lived tokens can be stolen and used indefinitely. Short-lived tokens with refresh mechanisms improve security.
54. Which HTTP response status code indicates an API authentication failure?
A) 200 OK
B) 403 Forbidden
C) 401 Unauthorized
D) 500 Internal Server Error
β
Answer: C) 401 Unauthorized
π Explanation: 401 Unauthorized indicates a failed authentication attempt due to missing or invalid credentials.
55. How can APIs prevent excessive data exposure through verbose error messages?
A) Disabling error handling
B) Logging detailed API errors publicly
C) Providing generic error responses
D) Returning full stack traces to users
β
Answer: C) Providing generic error responses
π Explanation: Overly detailed error messages can expose sensitive information. Generic error responses (e.g., βInvalid requestβ) prevent attackers from gaining insights.
56. What is API endpoint enumeration?
A) An attack that tests for hidden API endpoints
B) A method to increase API security
C) A process of limiting API access
D) A feature for API performance improvement
β
Answer: A) An attack that tests for hidden API endpoints
π Explanation: Attackers enumerate API endpoints by guessing URLs (e.g., /admin, /v2/api) to discover unprotected functionality.
57. Why should APIs avoid using sequential user IDs in URLs?
A) It improves API logging
B) It enables automated IDOR attacks (Insecure Direct Object Reference)
C) It enhances API performance
D) It prevents API caching
β
Answer: B) It enables automated IDOR attacks (Insecure Direct Object Reference)
π Explanation: Predictable user IDs (e.g., /user/1001) make IDOR attacks easier, allowing attackers to access unauthorized accounts.
58. What is the purpose of an API schema validation?
A) To increase API speed
B) To enforce structured and secure request formats
C) To expose API endpoints
D) To improve API caching
β
Answer: B) To enforce structured and secure request formats
π Explanation: Schema validation ensures incoming API requests follow strict formatting, reducing the risk of injection attacks.
59. How can an API prevent directory traversal attacks?
A) Restricting access to static files
B) Using parameterized queries
C) Implementing input validation and restricting special characters (../)
D) Allowing all file paths in API requests
β
Answer: C) Implementing input validation and restricting special characters (../)
π Explanation: Attackers use directory traversal (../../) to access restricted files, so APIs must enforce input validation.
60. What is an API security risk of allowing unlimited concurrent requests?
A) API responses become faster
B) It increases the risk of DoS (Denial of Service) attacks
C) It improves API availability
D) It enhances authentication security
β
Answer: B) It increases the risk of DoS (Denial of Service) attacks
π Explanation: Unrestricted concurrent requests can overwhelm the server, leading to API downtime (DoS attacks).
61. How can APIs ensure secure API key storage on client devices?
A) Storing API keys in environment variables
B) Hardcoding API keys in mobile applications
C) Embedding API keys in HTML pages
D) Allowing API keys to be shared via URLs
β
Answer: A) Storing API keys in environment variables
π Explanation: API keys should be stored securely, never hardcoded in frontend code, and should be retrieved securely at runtime.
62. What is a broken function-level authorization vulnerability in APIs?
A) Allowing unauthorized access to API endpoints due to missing role checks
B) An attack on API authentication mechanisms
C) An issue related to API caching
D) A bug that slows API responses
β
Answer: A) Allowing unauthorized access to API endpoints due to missing role checks
π Explanation: Broken function-level authorization occurs when APIs fail to enforce role-based access, allowing unauthorized actions.
63. What is an API Security Posture Assessment?
A) A process to improve API performance
B) A comprehensive review of API security measures
C) A tool to reduce API response time
D) A method to store API logs
β
Answer: B) A comprehensive review of API security measures
π Explanation: API Security Posture Assessments evaluate API security practices, identifying vulnerabilities and misconfigurations.
64. Why should APIs restrict HTTP methods for each endpoint?
A) To prevent unnecessary network traffic
B) To reduce brute force attacks
C) To minimize the attack surface and prevent misuse of HTTP methods
D) To optimize API response time
β
Answer: C) To minimize the attack surface and prevent misuse of HTTP methods
π Explanation: Restricting HTTP methods (e.g., disabling DELETE for public users) prevents unauthorized API actions.
65. Which attack exploits improper GraphQL query validation?
A) SQL Injection
B) GraphQL Deep Query Attack
C) Clickjacking
D) Open Redirect
β
Answer: B) GraphQL Deep Query Attack
π Explanation: Deep Query Attacks exploit GraphQL APIs by sending deeply nested queries, causing excessive resource consumption.
66. What is an API rate limiting policy?
A) A feature to slow down all API responses
B) A mechanism to control API request frequency per user
C) A tool for API authentication
D) A method to encrypt API responses
β
Answer: B) A mechanism to control API request frequency per user
π Explanation: Rate limiting helps prevent abuse, bot attacks, and DDoS attempts by restricting request rates.
67. Why should APIs avoid using wildcard (*) CORS policies?
A) It allows unrestricted cross-origin requests, increasing security risks
B) It speeds up API responses
C) It enhances API scalability
D) It prevents XSS attacks
β
Answer: A) It allows unrestricted cross-origin requests, increasing security risks
π Explanation: Wildcard CORS policies (Access-Control-Allow-Origin: *) can expose APIs to cross-origin attacks.
68. What is a JWT replay attack?
A) An attack where an attacker reuses a stolen JWT to authenticate
B) A security feature of OAuth 2.0
C) A method to increase API performance
D) An encryption mechanism for API requests
β
Answer: A) An attack where an attacker reuses a stolen JWT to authenticate
π Explanation: JWT replay attacks occur when an attacker steals a valid JWT and reuses it for unauthorized access.
69. How should APIs protect against JWT replay attacks?
A) Implementing token expiration and refresh tokens
B) Storing JWTs in localStorage
C) Hardcoding JWTs in frontend applications
D) Using wildcard CORS policies
β
Answer: A) Implementing token expiration and refresh tokens
π Explanation: Short-lived tokens with refresh mechanisms prevent attackers from reusing stolen JWTs.
70. What is an OpenAPI (Swagger) security risk?
A) Exposing API documentation publicly without authentication
B) Improving API response times
C) Storing API keys securely
D) Using HTTPS for API communication
β
Answer: A) Exposing API documentation publicly without authentication
π Explanation: Public Swagger (OpenAPI) documentation can expose sensitive API endpoints, making them easy targets for attackers.
71. Which security mechanism helps detect and prevent automated API abuse?
A) CAPTCHA and bot detection
B) Increasing API response time
C) Disabling authentication
D) Allowing unrestricted API access
β
Answer: A) CAPTCHA and bot detection
π Explanation: CAPTCHA and bot detection prevent automated scripts and bots from abusing API endpoints.
72. What is the best way to protect against Broken Object Property Level Authorization (BOPLA) vulnerabilities?
A) Enforcing strict schema validation and authorization at the object level
B) Using wildcard CORS policies
C) Allowing clients to set object permissions dynamically
D) Encrypting API responses
β
Answer: A) Enforcing strict schema validation and authorization at the object level
π Explanation: BOPLA vulnerabilities occur when APIs expose unauthorized object properties, so object-level access control must be enforced.
73. How can APIs prevent excessive data scraping by web crawlers?
A) Implementing User-Agent-based blocking and rate limiting
B) Disabling all API requests
C) Allowing all API requests from bots
D) Storing API logs publicly
β
Answer: A) Implementing User-Agent-based blocking and rate limiting
π Explanation: Restricting known bot User-Agents and applying rate limiting helps prevent data scraping by crawlers.
74. Why should APIs log failed authentication attempts?
A) To detect and prevent brute force attacks
B) To allow easier debugging of API errors
C) To enable API response caching
D) To store user passwords for future logins
β
Answer: A) To detect and prevent brute force attacks
π Explanation: Logging failed authentication attempts helps detect brute force attacks and alert security teams.
75. What is an effective way to secure API responses containing sensitive data?
A) Encrypting responses using TLS and minimizing data exposure
B) Sending all data in plaintext
C) Logging API responses publicly
D) Removing authentication from sensitive endpoints
β
Answer: A) Encrypting responses using TLS and minimizing data exposure
π Explanation: TLS encryption secures API responses, and data minimization prevents unnecessary exposure.
76. What type of attack can occur if an API incorrectly handles JSON parsing?
A) JSON Injection
B) JWT Hijacking
C) DNS Poisoning
D) OAuth Phishing
β
Answer: A) JSON Injection
π Explanation: JSON Injection attacks exploit improperly parsed JSON payloads, leading to injection vulnerabilities.
77. Why should APIs validate JSON Web Token (JWT) signatures?
A) To prevent unauthorized JWT tampering
B) To reduce API response time
C) To avoid excessive logging
D) To allow all users to authenticate without verification
β
Answer: A) To prevent unauthorized JWT tampering
π Explanation: Validating JWT signatures ensures the token has not been modified, preventing authentication bypass.
78. What is an API security risk when using wildcards (*) in database queries?
A) Increases response time
B) Can lead to SQL Injection attacks
C) Helps API performance
D) Allows faster debugging
β
Answer: B) Can lead to SQL Injection attacks
π Explanation: Using wildcards in SQL queries without proper sanitization increases the risk of SQL Injection.
79. How can APIs mitigate the risks of exposed error messages?
A) Using generic error messages without exposing system details
B) Logging detailed error messages publicly
C) Allowing users to view full server logs
D) Increasing API response delay
β
Answer: A) Using generic error messages without exposing system details
π Explanation: Error messages should not reveal stack traces, database queries, or internal details, as attackers can exploit them.
80. What is an effective way to prevent API token leakage in public repositories?
A) Using environment variables and secret management tools
B) Hardcoding tokens in GitHub repositories
C) Storing tokens in API request headers permanently
D) Embedding API tokens in frontend JavaScript files
β
Answer: A) Using environment variables and secret management tools
π Explanation: Secret management tools and environment variables help prevent accidental token exposure in public repositories.
81. What is a common security risk of allowing unrestricted file uploads via APIs?
A) Remote Code Execution (RCE)
B) Faster API performance
C) Reduced API logging
D) Improved user experience
β
Answer: A) Remote Code Execution (RCE)
π Explanation: Allowing unrestricted file uploads can lead to malware execution and server compromise.
82. What is an effective way to prevent API privilege escalation attacks?
A) Implementing role-based and attribute-based access controls
B) Using weak authentication mechanisms
C) Allowing users to modify their own permissions freely
D) Logging API responses publicly
β
Answer: A) Implementing role-based and attribute-based access controls
π Explanation: Proper access control mechanisms prevent users from gaining unauthorized API privileges.
83. What should APIs avoid when generating cryptographic keys for authentication?
A) Using strong, randomly generated keys
B) Using hardcoded or predictable keys
C) Implementing key rotation policies
D) Storing keys in secure vaults
β
Answer: B) Using hardcoded or predictable keys
π Explanation: Predictable or hardcoded cryptographic keys can be easily guessed and exploited.
84. How can APIs protect sensitive query parameters in GET requests?
A) Using POST requests instead of GET for sensitive data
B) Including sensitive data in the URL
C) Storing all query parameters in localStorage
D) Allowing all users to view API query logs
β
Answer: A) Using POST requests instead of GET for sensitive data
π Explanation: Sensitive data should not be exposed in URLs, as they can be logged or leaked.
85. What is the best method to securely revoke compromised API tokens?
A) Using a token revocation list and forcing reauthentication
B) Allowing compromised tokens to remain active
C) Changing API response formats
D) Storing tokens in plaintext
β
Answer: A) Using a token revocation list and forcing reauthentication
π Explanation: Revoking compromised tokens immediately prevents unauthorized access.
86. What is the purpose of an API security audit?
A) To identify and mitigate API vulnerabilities
B) To slow down API requests
C) To store API responses in a database
D) To increase response times
β
Answer: A) To identify and mitigate API vulnerabilities
π Explanation: Regular API security audits help detect misconfigurations, weaknesses, and attack vectors.
87. How can APIs prevent brute-force attacks on authentication endpoints?
A) Implementing exponential backoff and account lockout
B) Allowing unlimited login attempts
C) Disabling authentication logs
D) Using weak password policies
β
Answer: A) Implementing exponential backoff and account lockout
π Explanation: Brute-force prevention measures (e.g., rate limiting and account lockout) stop repeated unauthorized login attempts.
88. Why should APIs enforce API schema validation?
A) To prevent injection attacks and ensure proper request formats
B) To increase API latency
C) To slow down API queries
D) To allow all types of input without validation
β
Answer: A) To prevent injection attacks and ensure proper request formats
π Explanation: API schema validation ensures input data is correctly formatted and prevents malicious payloads.
89. What is a common risk when exposing API documentation publicly?
A) Attackers can discover sensitive API endpoints
B) API documentation improves performance
C) It prevents API injection attacks
D) It secures API keys
β
Answer: A) Attackers can discover sensitive API endpoints
π Explanation: Public API documentation can expose unprotected or sensitive endpoints, increasing attack risk.
90. What is the benefit of using an API Gateway?
A) Centralized security controls for authentication, rate limiting, and logging
B) Slower API responses
C) Allowing unrestricted API traffic
D) Disabling encryption
β
Answer: A) Centralized security controls for authentication, rate limiting, and logging
π Explanation: API Gateways improve security by managing authentication, rate limiting, logging, and monitoring.
91. What is the main purpose of an API reverse proxy?
A) To hide backend services and provide security controls
B) To slow down API responses
C) To expose API logs publicly
D) To disable authentication
β
Answer: A) To hide backend services and provide security controls
π Explanation: Reverse proxies protect APIs by hiding backend details, filtering traffic, and enforcing security measures.
92. Why should APIs implement input length validation?
A) To prevent buffer overflow and DoS attacks
B) To reduce API logging
C) To allow unrestricted data input
D) To increase API response time
β
Answer: A) To prevent buffer overflow and DoS attacks
π Explanation: Input length validation prevents buffer overflows, denial-of-service (DoS) attacks, and unexpected data manipulation.
93. What is an API key-pinning attack?
A) An attack where an attacker forces an API to trust an unauthorized certificate
B) A method to secure API keys
C) A way to increase API response speed
D) A technique to prevent brute-force attacks
β
Answer: A) An attack where an attacker forces an API to trust an unauthorized certificate
π Explanation: Key-pinning attacks occur when attackers manipulate certificate pinning, forcing an API to trust malicious certificates.
94. How can APIs prevent broken authentication vulnerabilities?
A) Using strong password policies and multi-factor authentication (MFA)
B) Storing user passwords in plaintext
C) Allowing password reuse across different accounts
D) Using static authentication tokens
β
Answer: A) Using strong password policies and multi-factor authentication (MFA)
π Explanation: Strong password policies and MFA prevent attackers from exploiting weak or stolen credentials.
95. Why should APIs enforce SameSite cookie attributes?
A) To prevent Cross-Site Request Forgery (CSRF) attacks
B) To speed up API requests
C) To log API responses
D) To allow all third-party scripts to access cookies
β
Answer: A) To prevent Cross-Site Request Forgery (CSRF) attacks
π Explanation: SameSite cookie attributes prevent CSRF attacks by restricting cross-site cookie usage.
96. What is the risk of excessive data exposure in API responses?
A) Attackers can gather sensitive user information
B) It reduces API performance
C) It prevents injection attacks
D) It improves API security
β
Answer: A) Attackers can gather sensitive user information
π Explanation: Exposing too much data in API responses can leak sensitive information, leading to data breaches.
97. How can APIs prevent SSRF (Server-Side Request Forgery) attacks?
A) Enforcing allowlists for outbound requests
B) Disabling authentication
C) Logging API requests publicly
D) Allowing unrestricted access to internal resources
β
Answer: A) Enforcing allowlists for outbound requests
π Explanation: SSRF attacks occur when APIs fetch data from untrusted sources. Using allowlists ensures only safe destinations are accessed.
98. What is an API eavesdropping attack?
A) An attack where an attacker intercepts and reads API traffic
B) A way to improve API security
C) A method for optimizing API responses
D) A legitimate API logging technique
β
Answer: A) An attack where an attacker intercepts and reads API traffic
π Explanation: Eavesdropping attacks occur when API traffic is intercepted, especially when unencrypted communication (HTTP) is used.
99. What is an effective way to prevent eavesdropping attacks on APIs?
A) Using TLS encryption (HTTPS) for all API traffic
B) Disabling encryption for performance reasons
C) Allowing API credentials in URL parameters
D) Removing authentication from internal APIs
β
Answer: A) Using TLS encryption (HTTPS) for all API traffic
π Explanation: TLS encryption (HTTPS) prevents MITM (Man-in-the-Middle) and eavesdropping attacks.
100. What is an API Rate-Limiting Bypass attack?
A) When attackers manipulate API requests to bypass rate limits
B) A technique to improve API performance
C) A method to increase API security
D) A feature to log API responses
β
Answer: A) When attackers manipulate API requests to bypass rate limits
π Explanation: Rate-limiting bypass occurs when attackers use multiple IPs, user-agents, or headers to evade rate limits.
101. What is API Spamming?
A) A type of API abuse where attackers send automated spam messages
B) A feature of secure API logging
C) A security mechanism for preventing brute-force attacks
D) A way to improve API caching
β
Answer: A) A type of API abuse where attackers send automated spam messages
π Explanation: API spamming involves automated requests to send junk messages, often used in abusive bot activities.
102. How can APIs defend against API Spamming?
A) Implementing rate limiting, CAPTCHA, and bot detection
B) Logging API responses publicly
C) Allowing unlimited API requests from all users
D) Storing API credentials in frontend code
β
Answer: A) Implementing rate limiting, CAPTCHA, and bot detection
π Explanation: Spam prevention techniques such as rate limiting, CAPTCHA, and bot detection help block automated abuse.
103. What is API Key Leakage?
A) When API keys are accidentally exposed in public repositories
B) A feature that speeds up API requests
C) A technique for API encryption
D) A security mechanism for API authentication
β
Answer: A) When API keys are accidentally exposed in public repositories
π Explanation: API key leakage occurs when developers accidentally commit API keys to public Git repositories.
104. What is an API key brute-force attack?
A) When attackers attempt multiple API keys to gain unauthorized access
B) A legitimate API debugging technique
C) A feature that speeds up API responses
D) A method to improve API performance
β
Answer: A) When attackers attempt multiple API keys to gain unauthorized access
π Explanation: Attackers use automated scripts to guess valid API keys, attempting unauthorized access.
105. How can APIs prevent API key brute-force attacks?
A) Implementing rate limiting, monitoring, and IP blocking
B) Allowing unrestricted access to all API keys
C) Storing API keys in localStorage
D) Logging API keys in responses
β
Answer: A) Implementing rate limiting, monitoring, and IP blocking
π Explanation: Rate limiting, IP blocking, and monitoring help detect and prevent API key brute-force attacks.
106. What is an API replay attack?
A) An attack where an attacker reuses intercepted API requests to gain unauthorized access
B) A technique for optimizing API responses
C) A method to improve API caching
D) A security mechanism for API authentication
β
Answer: A) An attack where an attacker reuses intercepted API requests to gain unauthorized access
π Explanation: Replay attacks occur when previously captured API requests are resent to the API to duplicate actions.
107. How can APIs prevent replay attacks?
A) Using Nonces and Timestamps in API requests
B) Disabling authentication
C) Allowing expired tokens
D) Removing authorization checks
β
Answer: A) Using Nonces and Timestamps in API requests
π Explanation: Nonces and Timestamps ensure that each API request is unique, preventing replay attacks.
108. Why should APIs log security-related events?
A) To detect potential security threats and attacks
B) To store API keys for easy access
C) To slow down API requests
D) To reduce API performance
β
Answer: A) To detect potential security threats and attacks
π Explanation: Logging security events helps in incident detection, response, and forensic analysis.
109. What is the primary risk of using deprecated API endpoints?
A) They may have unresolved security vulnerabilities
B) They improve API response time
C) They increase API performance
D) They provide better API logging
β
Answer: A) They may have unresolved security vulnerabilities
π Explanation: Deprecated APIs often lack security patches, making them prime targets for attackers.
110. How should APIs handle security patches?
A) Regularly update and apply patches for all API dependencies
B) Disable security updates
C) Remove authentication
D) Allow all API requests without verification
β
Answer: A) Regularly update and apply patches for all API dependencies
π Explanation: Keeping APIs updated ensures that known security vulnerabilities are patched.
111. What is an API Token Poisoning attack?
A) An attack where an attacker manipulates a tokenβs claims to gain unauthorized access
B) A technique for encrypting API tokens
C) A method to speed up API responses
D) A legitimate API debugging process
β
Answer: A) An attack where an attacker manipulates a tokenβs claims to gain unauthorized access
π Explanation: Token poisoning involves modifying JWT or API tokens to escalate privileges or bypass authentication.
112. How can APIs prevent API Token Poisoning attacks?
A) Using strong JWT signature validation and expiration policies
B) Allowing unsigned JWTs
C) Storing tokens in localStorage
D) Removing token validation
β
Answer: A) Using strong JWT signature validation and expiration policies
π Explanation: Validating JWT signatures, enforcing expiration, and using secure cryptographic algorithms prevent token poisoning.
113. Why should APIs avoid exposing private IP addresses in error messages?
A) To prevent network reconnaissance by attackers
B) To increase API logging
C) To improve API response speed
D) To allow easier debugging
β
Answer: A) To prevent network reconnaissance by attackers
π Explanation: Exposing private IPs can help attackers map the internal network, leading to further exploitation.
114. What is an API-side Business Logic Vulnerability?
A) A flaw in how the API enforces business rules, leading to security risks
B) An issue with API caching
C) A method to optimize API response time
D) A legitimate API performance technique
β
Answer: A) A flaw in how the API enforces business rules, leading to security risks
π Explanation: Business logic flaws occur when APIs fail to enforce critical workflows properly, allowing attackers to exploit logic errors.
115. How can APIs defend against business logic attacks?
A) Conducting security testing and enforcing strict business rule validation
B) Allowing unrestricted API access
C) Removing authentication for internal APIs
D) Logging all API request payloads publicly
β
Answer: A) Conducting security testing and enforcing strict business rule validation
π Explanation: Testing business logic workflows and ensuring strict validation prevents abuse of business logic.
116. What is an API Object Property Injection attack?
A) An attack where an attacker injects unexpected properties in API request objects
B) A method for API optimization
C) A security feature of OAuth 2.0
D) A way to speed up API responses
β
Answer: A) An attack where an attacker injects unexpected properties in API request objects
π Explanation: Object property injection occurs when unvalidated user input modifies API objects, leading to unintended behavior.
117. How can APIs prevent Object Property Injection attacks?
A) Enforcing strict schema validation and sanitizing user input
B) Allowing dynamic object properties in API requests
C) Disabling authentication
D) Exposing all API object properties to users
β
Answer: A) Enforcing strict schema validation and sanitizing user input
π Explanation: Strict schema validation ensures that only allowed properties are processed, preventing injection attacks.
118. Why should APIs not rely on client-side security mechanisms alone?
A) Attackers can bypass client-side security by manipulating API requests directly
B) It improves API performance
C) It allows better frontend API caching
D) It prevents server logging
β
Answer: A) Attackers can bypass client-side security by manipulating API requests directly
π Explanation: Client-side security (e.g., JavaScript validation) can be bypassed, so APIs must validate requests on the server.
119. What is an API Fingerprinting attack?
A) An attack where an attacker gathers metadata to profile an APIβs structure
B) A secure way to authenticate API users
C) A legitimate API optimization process
D) A method to improve API documentation
β
Answer: A) An attack where an attacker gathers metadata to profile an APIβs structure
π Explanation: API fingerprinting involves analyzing API responses, headers, and behaviors to map out vulnerabilities.
120. How can APIs prevent fingerprinting attacks?
A) Minimizing HTTP headers and standardizing error messages
B) Logging all API request payloads publicly
C) Exposing full stack traces in API responses
D) Allowing wildcard CORS
β
Answer: A) Minimizing HTTP headers and standardizing error messages
π Explanation: Standardizing API responses and reducing unnecessary headers prevent attackers from fingerprinting APIs.
121. Why should APIs not include sensitive data in logs?
A) Logs can be accessed by attackers if misconfigured
B) It slows down API response times
C) It improves API debugging
D) It allows faster authentication
β
Answer: A) Logs can be accessed by attackers if misconfigured
π Explanation: Sensitive data in logs (e.g., passwords, API keys) can be exposed if logging is not properly secured.
122. What is an API Fuzzing attack?
A) An attack that involves sending malformed inputs to discover vulnerabilities
B) A technique to improve API response time
C) A secure authentication process
D) A legitimate API debugging process
β
Answer: A) An attack that involves sending malformed inputs to discover vulnerabilities
π Explanation: API fuzzing automates the process of sending random or unexpected input to find security flaws.
123. How can APIs defend against fuzzing attacks?
A) Implementing strict input validation and rate limiting
B) Allowing unrestricted API input
C) Disabling logging for API responses
D) Storing API logs in publicly accessible servers
β
Answer: A) Implementing strict input validation and rate limiting
π Explanation: Fuzzing prevention involves input validation, enforcing schemas, and limiting excessive API requests.
124. Why should API keys be rotated periodically?
A) To reduce the risk of key compromise
B) To speed up API responses
C) To prevent API token caching
D) To allow easier authentication bypass
β
Answer: A) To reduce the risk of key compromise
π Explanation: Regular API key rotation ensures that stolen or leaked keys become invalid over time.
125. How can APIs prevent unauthorized access to sensitive endpoints?
A) Enforcing Role-Based Access Control (RBAC)
B) Allowing unrestricted public API access
C) Using hardcoded API credentials
D) Exposing all API logs publicly
β
Answer: A) Enforcing Role-Based Access Control (RBAC)
π Explanation: RBAC ensures users can only access authorized endpoints, preventing unauthorized actions.
126. What is API Key Entropy?
A) The randomness of API keys to prevent guessing attacks
B) The rate of API response time
C) The number of API requests per second
D) The size of API logs
β
Answer: A) The randomness of API keys to prevent guessing attacks
π Explanation: High entropy in API keys makes them harder to guess or brute-force.
127. What is an API Endpoint Enumeration attack?
A) An attack that involves discovering hidden API endpoints
B) A method to secure API responses
C) A way to optimize API response time
D) A technique for improving API documentation
β
Answer: A) An attack that involves discovering hidden API endpoints
π Explanation: Attackers attempt different API endpoints to find undocumented, hidden, or unprotected functionality.
128. What is API Session Hijacking?
A) An attack where an attacker steals a userβs session token to gain unauthorized access
B) A method to log API requests
C) A legitimate API debugging process
D) A technique for API performance improvement
β
Answer: A) An attack where an attacker steals a userβs session token to gain unauthorized access
π Explanation: Session hijacking occurs when attackers steal API session tokens, allowing them to impersonate users.
129. How can APIs prevent session hijacking?
A) Using secure, HTTP-only, and same-site cookies for session tokens
B) Allowing token storage in localStorage
C) Removing token expiration
D) Using plaintext authentication
β
Answer: A) Using secure, HTTP-only, and same-site cookies for session tokens
π Explanation: Secure cookies prevent unauthorized JavaScript access to session tokens.
130. Why should APIs enforce a Content Security Policy (CSP)?
A) To prevent cross-site scripting (XSS) attacks
B) To improve API response time
C) To store user passwords in plaintext
D) To allow unrestricted API calls
β
Answer: A) To prevent cross-site scripting (XSS) attacks
π Explanation: CSP prevents unauthorized script execution, reducing XSS vulnerabilities.
131. What is API Credential Stuffing?
A) An attack where attackers use stolen username-password pairs to access APIs
B) A secure way to store API credentials
C) A method to optimize API response time
D) A legitimate API testing technique
β
Answer: A) An attack where attackers use stolen username-password pairs to access APIs
π Explanation: Credential stuffing involves automated login attempts using previously leaked credentials, often against APIs that lack MFA.
132. How can APIs defend against credential stuffing attacks?
A) Implementing multi-factor authentication (MFA) and rate limiting
B) Allowing unlimited login attempts
C) Storing passwords in plaintext
D) Disabling API authentication
β
Answer: A) Implementing multi-factor authentication (MFA) and rate limiting
π Explanation: MFA and rate limiting prevent attackers from brute-forcing stolen credentials.
133. What is an API NoSQL Injection attack?
A) An injection attack targeting NoSQL databases through unvalidated API inputs
B) A method to increase API performance
C) A legitimate way to query NoSQL databases
D) A security feature of NoSQL databases
β
Answer: A) An injection attack targeting NoSQL databases through unvalidated API inputs
π Explanation: NoSQL injections exploit APIs that fail to sanitize user inputs in NoSQL queries, leading to unauthorized data access.
134. How can APIs prevent NoSQL Injection attacks?
A) Using input validation and query parameterization
B) Allowing dynamic queries from users
C) Removing authentication from NoSQL APIs
D) Using wildcard queries in NoSQL databases
β
Answer: A) Using input validation and query parameterization
π Explanation: Parameterizing NoSQL queries and validating inputs prevent injection-based exploits.
135. What is an API Account Takeover attack?
A) An attack where an attacker gains control of a userβs account via API vulnerabilities
B) A way to optimize API session handling
C) A legitimate API authentication method
D) A technique for API response caching
β
Answer: A) An attack where an attacker gains control of a userβs account via API vulnerabilities
π Explanation: Account takeovers (ATO) exploit weak authentication to steal and hijack user accounts via APIs.
136. How can APIs prevent account takeover attacks?
A) Implementing MFA, device-based authentication, and IP monitoring
B) Removing authentication
C) Storing passwords in session storage
D) Logging API credentials in plaintext
β
Answer: A) Implementing MFA, device-based authentication, and IP monitoring
π Explanation: MFA, device validation, and IP tracking make it harder for attackers to compromise user accounts.
137. What is an API Subdomain Takeover?
A) An attack where an attacker gains control of an unused API subdomain
B) A technique for API load balancing
C) A method to reduce API latency
D) A secure API hosting practice
β
Answer: A) An attack where an attacker gains control of an unused API subdomain
π Explanation: Subdomain takeovers occur when an old or misconfigured API subdomain is hijacked by an attacker.
138. How can APIs prevent subdomain takeovers?
A) Regularly auditing DNS records and removing unused subdomains
B) Allowing wildcard DNS records
C) Storing API tokens in localStorage
D) Removing API logging
β
Answer: A) Regularly auditing DNS records and removing unused subdomains
π Explanation: Regular DNS audits ensure that unused subdomains are not left vulnerable to takeovers.
139. What is API Response Smuggling?
A) An attack that manipulates API responses to bypass security controls
B) A technique to speed up API responses
C) A legitimate API debugging process
D) A method for improving API authentication
β
Answer: A) An attack that manipulates API responses to bypass security controls
π Explanation: Response smuggling occurs when attackers manipulate HTTP responses to bypass security policies.
140. How can APIs prevent response smuggling attacks?
A) Enforcing strict HTTP response parsing rules
B) Allowing flexible response handling
C) Removing security headers
D) Using plaintext authentication
β
Answer: A) Enforcing strict HTTP response parsing rules
π Explanation: Standardized HTTP parsing prevents response splitting and smuggling attacks.
141. What is an API HTTP Host Header Attack?
A) An attack that manipulates the HTTP Host header to bypass security controls
B) A method to improve API performance
C) A legitimate way to modify API headers
D) A security feature in API gateways
β
Answer: A) An attack that manipulates the HTTP Host header to bypass security controls
π Explanation: Host header attacks can be used to redirect API requests to malicious endpoints.
142. How can APIs prevent Host Header Injection attacks?
A) Validating and restricting Host headers in API requests
B) Allowing dynamic Host headers
C) Removing authentication checks
D) Storing API logs in public repositories
β
Answer: A) Validating and restricting Host headers in API requests
π Explanation: Restricting Host headers prevents host header injection attacks.
143. What is an API Leaky Bucket Rate Limiting attack?
A) An attack where an attacker evades API rate limiting using timed requests
B) A legitimate API caching method
C) A technique to store API logs
D) A method for improving API response times
β
Answer: A) An attack where an attacker evades API rate limiting using timed requests
π Explanation: Leaky bucket attacks gradually send requests to bypass rate-limiting controls.
144. What is an API Open Redirect Vulnerability?
A) A flaw that allows attackers to redirect API users to malicious sites
B) A method to speed up API responses
C) A secure authentication feature
D) A legitimate API testing technique
β
Answer: A) A flaw that allows attackers to redirect API users to malicious sites
π Explanation: Open redirects let attackers phish users by redirecting API traffic to malicious domains.
145. How can APIs prevent open redirect vulnerabilities?
A) Enforcing strict allowlists for redirects
B) Allowing unrestricted redirections
C) Storing redirect URLs in plaintext
D) Disabling API authentication
β
Answer: A) Enforcing strict allowlists for redirects
π Explanation: Redirect allowlists ensure APIs only redirect to trusted domains.
146. What is an API Clickjacking attack?
A) An attack where an API is embedded in an iframe to trick users into interacting with malicious elements
B) A method to optimize API caching
C) A secure way to display API responses
D) A technique for API debugging
β
Answer: A) An attack where an API is embedded in an iframe to trick users into interacting with malicious elements
π Explanation: Clickjacking tricks users into clicking malicious elements by embedding an API interface within an invisible iframe.
147. How can APIs prevent Clickjacking attacks?
A) Enforcing X-Frame-Options and Content Security Policy (CSP)
B) Allowing unrestricted iframe embedding
C) Removing authentication for embedded APIs
D) Logging all API responses publicly
β
Answer: A) Enforcing X-Frame-Options and Content Security Policy (CSP)
π Explanation: X-Frame-Options and CSP prevent APIs from being embedded in iframes by unauthorized sites.
148. Why should APIs enforce HTTP Strict Transport Security (HSTS)?
A) To prevent downgrade attacks and force HTTPS
B) To increase API response time
C) To allow unrestricted HTTP requests
D) To remove the need for authentication
β
Answer: A) To prevent downgrade attacks and force HTTPS
π Explanation: HSTS forces HTTPS connections, protecting APIs from downgrade attacks.
149. What is an API Mass Assignment vulnerability?
A) A security flaw where an API allows unauthorized modification of object properties
B) A method for improving API logging
C) A legitimate API optimization technique
D) A secure authentication feature
β
Answer: A) A security flaw where an API allows unauthorized modification of object properties
π Explanation: Mass assignment vulnerabilities occur when APIs allow unrestricted modification of object properties.
150. How can APIs prevent mass assignment vulnerabilities?
A) Using allowlists for object properties in API requests
B) Allowing unrestricted object property modifications
C) Removing authentication for internal APIs
D) Logging API requests publicly
β
Answer: A) Using allowlists for object properties in API requests
π Explanation: Allowlisting properties ensures only authorized attributes can be modified.
151. What is API Session Fixation?
A) An attack where an attacker forces a user to use a known session ID
B) A legitimate method for improving API performance
C) A way to reduce API response times
D) A security feature in OAuth 2.0
β
Answer: A) An attack where an attacker forces a user to use a known session ID
π Explanation: Session Fixation occurs when an attacker assigns a known session ID to a user and then hijacks the session after authentication.
152. How can APIs prevent session fixation attacks?
A) Regenerating session IDs after authentication
B) Storing session IDs in URLs
C) Disabling session expiration
D) Allowing long-lived session IDs
β
Answer: A) Regenerating session IDs after authentication
π Explanation: Generating a new session ID after login prevents attackers from hijacking a fixed session.
153. What is an API Schema Pollution attack?
A) An attack where an attacker injects unexpected fields into API requests to manipulate schema behavior
B) A method for optimizing API caching
C) A secure authentication process
D) A technique for improving API response times
β
Answer: A) An attack where an attacker injects unexpected fields into API requests to manipulate schema behavior
π Explanation: Schema Pollution attacks occur when APIs fail to enforce strict schema validation, leading to unexpected behavior.
154. How can APIs prevent schema pollution attacks?
A) Enforcing strict schema validation and rejecting unexpected fields
B) Allowing dynamic field injection
C) Disabling input validation
D) Logging all API responses publicly
β
Answer: A) Enforcing strict schema validation and rejecting unexpected fields
π Explanation: Strict schema enforcement ensures only expected fields are processed, reducing attack risks.
155. Why should APIs avoid exposing stack traces in error messages?
A) Stack traces reveal internal system details that attackers can exploit
B) It speeds up API response times
C) It improves authentication security
D) It enhances API caching
β
Answer: A) Stack traces reveal internal system details that attackers can exploit
π Explanation: Exposing stack traces can help attackers identify API technologies, frameworks, and weaknesses.
156. What is an API Forced Browsing attack?
A) An attack where attackers access restricted API resources by guessing URLs
B) A way to optimize API documentation
C) A secure authentication method
D) A feature of API rate limiting
β
Answer: A) An attack where attackers access restricted API resources by guessing URLs
π Explanation: Forced Browsing involves guessing API URLs to access unauthorized resources, often due to weak access controls.
157. How can APIs prevent forced browsing attacks?
A) Implementing proper authentication and authorization checks
B) Exposing all API endpoints publicly
C) Logging API credentials in plaintext
D) Allowing users to access any endpoint freely
β
Answer: A) Implementing proper authentication and authorization checks
π Explanation: Access controls should be enforced to prevent unauthorized access to API resources.
158. What is API Dependency Confusion?
A) An attack where an attacker uploads a malicious package with the same name as an internal API dependency
B) A way to optimize API caching
C) A method to increase API response times
D) A secure feature of package managers
β
Answer: A) An attack where an attacker uploads a malicious package with the same name as an internal API dependency
π Explanation: Dependency Confusion attacks exploit public package registries to trick APIs into downloading malicious dependencies.
159. How can APIs prevent dependency confusion attacks?
A) Using private package registries and explicit dependency versioning
B) Allowing automatic package updates from any source
C) Removing authentication from package downloads
D) Storing dependencies in public repositories
β
Answer: A) Using private package registries and explicit dependency versioning
π Explanation: Private registries and strict version control prevent APIs from pulling untrusted dependencies.
160. What is an API Payload Tampering attack?
A) An attack where attackers modify API request payloads to manipulate system behavior
B) A technique for improving API authentication
C) A secure way to store API credentials
D) A method to increase API response times
β
Answer: A) An attack where attackers modify API request payloads to manipulate system behavior
π Explanation: Payload tampering exploits weak input validation to alter data sent to APIs, potentially bypassing security controls.
161. How can APIs prevent payload tampering attacks?
A) Implementing strong input validation and cryptographic request signing
B) Allowing unrestricted modification of API requests
C) Removing authentication checks
D) Logging API tokens in plaintext
β
Answer: A) Implementing strong input validation and cryptographic request signing
π Explanation: Validating API payloads and using cryptographic request signing prevents tampering attacks.
162. What is API Function Splicing?
A) An attack where attackers call API functions in unintended ways to bypass security controls
B) A legitimate API optimization technique
C) A way to improve API caching
D) A secure API authentication method
β
Answer: A) An attack where attackers call API functions in unintended ways to bypass security controls
π Explanation: Function splicing attacks occur when APIs fail to properly enforce expected workflows, allowing attackers to trigger unintended behaviors.
163. How can APIs prevent function splicing attacks?
A) Enforcing strict function execution order and access control
B) Allowing flexible function execution flows
C) Removing validation on function calls
D) Storing API logs in public repositories
β
Answer: A) Enforcing strict function execution order and access control
π Explanation: APIs should enforce correct execution order to prevent unauthorized function manipulation.
164. What is an API Webhook Abuse attack?
A) An attack where attackers manipulate API webhooks to send unauthorized requests
B) A way to optimize API caching
C) A secure API event notification method
D) A technique for improving API response times
β
Answer: A) An attack where attackers manipulate API webhooks to send unauthorized requests
π Explanation: Webhook abuse occurs when attackers tamper with webhook requests to gain unauthorized access or inject malicious data.
165. How can APIs prevent webhook abuse attacks?
A) Using HMAC signatures to verify webhook authenticity
B) Allowing all incoming webhook requests
C) Removing webhook authentication
D) Storing webhook secrets in plaintext
β
Answer: A) Using HMAC signatures to verify webhook authenticity
π Explanation: HMAC signatures help verify that webhook requests come from trusted sources.
166. What is an API User Enumeration attack?
A) An attack where attackers discover valid usernames by analyzing API responses
B) A way to improve API documentation
C) A technique for optimizing API response times
D) A legitimate API performance method
β
Answer: A) An attack where attackers discover valid usernames by analyzing API responses
π Explanation: User enumeration attacks exploit APIs that return different responses for valid vs. invalid usernames.
167. How can APIs prevent user enumeration attacks?
A) Returning generic error messages for invalid credentials
B) Exposing detailed error messages
C) Allowing unrestricted access to API user lists
D) Storing API logs in public repositories
β
Answer: A) Returning generic error messages for invalid credentials
π Explanation: Generic authentication errors prevent attackers from distinguishing between valid and invalid usernames.
168. What is API GraphQL Introspection Misconfiguration?
A) A vulnerability where GraphQL introspection reveals sensitive schema details
B) A legitimate GraphQL optimization technique
C) A method for caching GraphQL queries
D) A secure feature of GraphQL
β
Answer: A) A vulnerability where GraphQL introspection reveals sensitive schema details
π Explanation: Improperly configured introspection in GraphQL APIs can expose sensitive API structure details.
169. How can APIs prevent GraphQL introspection attacks?
A) Disabling introspection in production environments
B) Allowing unrestricted introspection access
C) Logging GraphQL queries in public repositories
D) Removing authentication from GraphQL APIs
β
Answer: A) Disabling introspection in production environments
π Explanation: Disabling GraphQL introspection prevents attackers from mapping out API structures.
170. What is an API JWT Expiry Attack?
A) An attack where attackers reuse expired JWTs to gain access
B) A method to secure API authentication
C) A legitimate API optimization technique
D) A secure API rate-limiting feature
β
Answer: A) An attack where attackers reuse expired JWTs to gain access
π Explanation: JWT expiry attacks exploit APIs that fail to properly check token expiration.
171. What is an API Signature Wrapping attack?
A) An attack where attackers modify signed API requests while keeping the signature valid
B) A legitimate API encryption technique
C) A method for improving API response times
D) A secure authentication mechanism
β
Answer: A) An attack where attackers modify signed API requests while keeping the signature valid
π Explanation: Signature Wrapping attacks occur when attackers manipulate signed API requests to bypass security mechanisms.
172. How can APIs prevent Signature Wrapping attacks?
A) Enforcing strict cryptographic validation of API signatures
B) Removing API request signing
C) Allowing dynamic request modification
D) Storing API credentials in plaintext
β
Answer: A) Enforcing strict cryptographic validation of API signatures
π Explanation: Validating request signatures ensures attackers cannot alter signed API requests.
173. What is API Event Injection?
A) An attack where attackers inject malicious data into API event streams
B) A legitimate API performance optimization
C) A secure way to process API requests
D) A method for API load balancing
β
Answer: A) An attack where attackers inject malicious data into API event streams
π Explanation: Event injection manipulates API event-driven systems to send malicious or unauthorized data.
174. How can APIs prevent Event Injection attacks?
A) Validating and sanitizing event data before processing
B) Allowing unrestricted event inputs
C) Removing validation checks for event handlers
D) Logging all API events publicly
β
Answer: A) Validating and sanitizing event data before processing
π Explanation: Strict event data validation prevents malicious payloads from being injected into API event streams.
175. What is an API Deserialization Exploit?
A) An attack that manipulates API deserialization to execute arbitrary code
B) A technique for API performance improvement
C) A secure feature in API serialization
D) A way to increase API response times
β
Answer: A) An attack that manipulates API deserialization to execute arbitrary code
π Explanation: Insecure deserialization can lead to remote code execution (RCE) if user-controlled data is improperly deserialized.
176. How can APIs prevent deserialization attacks?
A) Using safe serialization formats and restricting deserialization of untrusted data
B) Allowing unrestricted deserialization of all inputs
C) Storing serialized data in public repositories
D) Using plaintext serialization
β
Answer: A) Using safe serialization formats and restricting deserialization of untrusted data
π Explanation: Validating and restricting deserialization prevents attackers from injecting malicious payloads.
177. What is an API Rate-Limiting Misconfiguration attack?
A) An attack where an APIβs rate-limiting rules are improperly enforced, allowing abuse
B) A legitimate API logging process
C) A method to reduce API latency
D) A secure authentication feature
β
Answer: A) An attack where an APIβs rate-limiting rules are improperly enforced, allowing abuse
π Explanation: Improperly configured rate-limiting can allow attackers to bypass API usage restrictions, leading to abuse.
178. How can APIs enforce proper rate limiting?
A) Setting per-user, per-IP, and per-method request limits
B) Allowing unlimited API requests
C) Storing API request logs publicly
D) Using wildcard CORS policies
β
Answer: A) Setting per-user, per-IP, and per-method request limits
π Explanation: Proper rate limiting rules prevent abuse, bot attacks, and DoS attempts.
179. What is API Query Parameter Pollution?
A) An attack where attackers manipulate query parameters to exploit API logic
B) A technique for improving API performance
C) A way to optimize database queries
D) A secure API debugging feature
β
Answer: A) An attack where attackers manipulate query parameters to exploit API logic
π Explanation: Query Parameter Pollution occurs when attackers inject multiple values into API parameters to manipulate behavior.
180. How can APIs prevent Query Parameter Pollution attacks?
A) Validating and rejecting unexpected duplicate query parameters
B) Allowing all query parameters without validation
C) Storing query parameters in localStorage
D) Logging query parameters in plaintext
β
Answer: A) Validating and rejecting unexpected duplicate query parameters
π Explanation: Strict query validation ensures attackers cannot manipulate API behavior through parameter pollution.
181. What is an API Cache Poisoning attack?
A) An attack where an attacker injects malicious content into cached API responses
B) A method to improve API response time
C) A way to increase API logging
D) A secure authentication feature
β
Answer: A) An attack where an attacker injects malicious content into cached API responses
π Explanation: Cache poisoning occurs when attackers store malicious responses in API caches, affecting future requests.
182. How can APIs prevent Cache Poisoning attacks?
A) Using cache key validation and restricting user-controlled caching
B) Allowing all API responses to be cached
C) Storing sensitive API responses in public caches
D) Removing authentication for cached API responses
β
Answer: A) Using cache key validation and restricting user-controlled caching
π Explanation: Validating cache keys and controlling what is cached prevents malicious cache manipulation.
183. What is API Recursive Payload Processing?
A) An attack where deeply nested JSON/XML payloads cause excessive processing
B) A method for API performance tuning
C) A secure API feature
D) A way to improve API response times
β
Answer: A) An attack where deeply nested JSON/XML payloads cause excessive processing
π Explanation: Recursive payloads can cause excessive resource consumption, leading to DoS attacks.
184. How can APIs prevent Recursive Payload Processing attacks?
A) Enforcing maximum nesting levels for API payloads
B) Allowing unlimited JSON/XML nesting
C) Removing validation for nested structures
D) Storing deeply nested payloads in plaintext
β
Answer: A) Enforcing maximum nesting levels for API payloads
π Explanation: Restricting payload depth prevents resource exhaustion from deeply nested structures.
185. What is an API JWT None Algorithm Attack?
A) An attack where attackers modify JWTs by changing the algorithm to “none”
B) A technique for improving API response times
C) A secure JWT signing method
D) A method for logging API requests
β
Answer: A) An attack where attackers modify JWTs by changing the algorithm to “none”
π Explanation: If an API accepts JWTs with alg=none, attackers can generate unsigned tokens and gain unauthorized access.
186. How can APIs prevent JWT None Algorithm attacks?
A) Enforcing strong JWT signature validation and rejecting “none” algorithm
B) Allowing JWTs without signatures
C) Storing JWTs in localStorage
D) Logging JWT secrets in plaintext
β
Answer: A) Enforcing strong JWT signature validation and rejecting “none” algorithm
π Explanation: APIs should explicitly reject alg=none to ensure all JWTs are properly signed.
187. What is API Multi-Step Request Forgery?
A) An attack where an attacker manipulates multiple API steps to achieve unauthorized actions
B) A technique to improve API security
C) A legitimate API load balancing method
D) A method for API response caching
β
Answer: A) An attack where an attacker manipulates multiple API steps to achieve unauthorized actions
π Explanation: Multi-step request forgery exploits poor API workflow enforcement, allowing attackers to skip security checks.
188. How can APIs prevent Multi-Step Request Forgery?
A) Implementing stateful request tracking and enforcing request sequences
B) Allowing flexible step execution
C) Storing API states in public repositories
D) Removing validation for multi-step workflows
β
Answer: A) Implementing stateful request tracking and enforcing request sequences
π Explanation: Tracking API request states ensures attackers cannot bypass required security steps.
189. What is an API Wildcard SSL Certificate Risk?
A) An issue where a compromised wildcard certificate can expose multiple subdomains
B) A technique to improve SSL encryption
C) A secure authentication mechanism
D) A method for API performance tuning
β
Answer: A) An issue where a compromised wildcard certificate can expose multiple subdomains
π Explanation: If a wildcard SSL certificate is stolen, all associated subdomains are compromised.
190. How can APIs mitigate Wildcard SSL Certificate risks?
A) Using separate certificates for critical subdomains
B) Allowing unrestricted wildcard certificates
C) Removing SSL encryption
D) Storing wildcard certificates in public repositories
β
Answer: A) Using separate certificates for critical subdomains
π Explanation: Limiting wildcard certificate use reduces the impact of certificate compromise.
191. What is API JSON Hijacking?
A) An attack where an attacker exploits a web applicationβs JSON response to steal sensitive data
B) A technique to optimize API performance
C) A secure way to handle JSON responses
D) A method for increasing API response speed
β
Answer: A) An attack where an attacker exploits a web applicationβs JSON response to steal sensitive data
π Explanation: JSON hijacking occurs when attackers use a malicious script to access sensitive JSON data returned by APIs.
192. How can APIs prevent JSON Hijacking attacks?
A) Using CSRF tokens and restricting JSON responses to authenticated requests
B) Allowing unrestricted JSON responses
C) Logging all JSON responses publicly
D) Removing authentication for JSON-based APIs
β
Answer: A) Using CSRF tokens and restricting JSON responses to authenticated requests
π Explanation: CSRF protection and authentication checks prevent attackers from stealing sensitive JSON data.
193. What is API Token Escalation?
A) An attack where attackers upgrade API access tokens to gain higher privileges
B) A method for API response caching
C) A legitimate way to optimize API authentication
D) A technique for increasing API request speed
β
Answer: A) An attack where attackers upgrade API access tokens to gain higher privileges
π Explanation: Token escalation attacks occur when misconfigured API permissions allow attackers to gain higher privileges.
194. How can APIs prevent Token Escalation attacks?
A) Implementing strict access control policies and scope validation
B) Allowing tokens to inherit higher privileges dynamically
C) Removing authentication from API endpoints
D) Storing API access logs in public repositories
β
Answer: A) Implementing strict access control policies and scope validation
π Explanation: Scope validation and least privilege enforcement prevent attackers from escalating API token permissions.
195. What is an API Side-Channel Attack?
A) An attack that extracts information based on API response timing and metadata
B) A technique to optimize API performance
C) A secure way to handle API logs
D) A method for increasing API speed
β
Answer: A) An attack that extracts information based on API response timing and metadata
π Explanation: Side-channel attacks analyze response timing, error messages, or other indirect indicators to infer sensitive API data.
196. How can APIs defend against Side-Channel Attacks?
A) Normalizing response times and avoiding detailed error messages
B) Allowing unrestricted response timing variations
C) Removing authentication from API logs
D) Logging all API responses publicly
β
Answer: A) Normalizing response times and avoiding detailed error messages
π Explanation: Keeping response times uniform and using generic error messages prevents attackers from extracting useful data.
197. What is API Content-Type Sniffing?
A) An attack where the browser incorrectly interprets API response content types
B) A technique to improve API authentication
C) A secure API header feature
D) A method for API debugging
β
Answer: A) An attack where the browser incorrectly interprets API response content types
π Explanation: Content-Type Sniffing can cause unintended execution of scripts if an API does not enforce correct MIME types.
198. How can APIs prevent Content-Type Sniffing attacks?
A) Enforcing X-Content-Type-Options: nosniff header
B) Allowing the browser to guess content types
C) Logging all content-type headers in plaintext
D) Removing authentication for all API responses
β
Answer: A) Enforcing X-Content-Type-Options: nosniff header
π Explanation: Setting the nosniff header prevents browsers from incorrectly interpreting content types.
199. What is API Token Reuse?
A) An attack where an attacker reuses stolen or intercepted API tokens to gain access
B) A way to optimize API response times
C) A secure method of API token storage
D) A technique for increasing authentication speed
β
Answer: A) An attack where an attacker reuses stolen or intercepted API tokens to gain access
π Explanation: Token reuse attacks occur when APIs fail to expire or properly validate authentication tokens.
200. How can APIs prevent Token Reuse attacks?
A) Implementing short-lived access tokens and secure refresh tokens
B) Allowing unlimited token reuse
C) Storing tokens in localStorage
D) Removing authentication for token validation
β
Answer: A) Implementing short-lived access tokens and secure refresh tokens
π Explanation: Expiring tokens quickly and using refresh mechanisms reduces the risk of attackers reusing stolen tokens.
201. What is API URL Parameter Tampering?
A) An attack where attackers modify URL parameters to manipulate API behavior
B) A technique to optimize API caching
C) A method for improving API response times
D) A secure way to store API requests
β
Answer: A) An attack where attackers modify URL parameters to manipulate API behavior
π Explanation: Parameter tampering attacks involve modifying API query parameters to bypass security controls.
202. How can APIs prevent URL Parameter Tampering attacks?
A) Enforcing strict input validation and using HMAC-signed parameters
B) Allowing unrestricted URL parameter modification
C) Storing sensitive parameters in URLs
D) Logging API URLs in plaintext
β
Answer: A) Enforcing strict input validation and using HMAC-signed parameters
π Explanation: Validating input and signing critical parameters prevent manipulation of URL parameters.
203. What is API Forced Authentication Downgrade?
A) An attack where attackers force an API to use weaker authentication methods
B) A technique to increase authentication speed
C) A secure API load balancing feature
D) A method for logging API requests
β
Answer: A) An attack where attackers force an API to use weaker authentication methods
π Explanation: Forced authentication downgrade attacks occur when APIs allow fallback to less secure authentication.
204. How can APIs prevent Forced Authentication Downgrade attacks?
A) Enforcing strong authentication policies and disabling legacy authentication
B) Allowing users to choose weaker authentication methods
C) Removing authentication from API endpoints
D) Logging all authentication tokens in plaintext
β
Answer: A) Enforcing strong authentication policies and disabling legacy authentication
π Explanation: Disabling weak authentication methods ensures attackers cannot downgrade authentication security.
205. What is an API CORS Misconfiguration attack?
A) An attack where attackers exploit overly permissive cross-origin resource sharing (CORS) settings
B) A method to improve API response times
C) A secure API access control feature
D) A legitimate way to optimize API authentication
β
Answer: A) An attack where attackers exploit overly permissive cross-origin resource sharing (CORS) settings
π Explanation: CORS misconfigurations allow attackers to bypass same-origin policies and access restricted API resources.