D488 Cybersecurity Architecture and Engineering Exam 2 Version 3 Questions with Correct Answers and Expert Explanation for Each Question
1. A security engineer is reviewing an application that allows users to upload files to a
server. Which vulnerability is most likely present if the application does not validate
the file extension or content type?
A. Unrestricted Executable File Upload
B. Cross-Site Scripting (XSS)
C. SQL Injection
D. Security Misconfiguration
Correct Answer: A
Expert Explanation: Unrestricted file upload occurs when an application allows
users to upload files without sufficient validation. This vulnerability enables
attackers to upload malicious scripts or shells to the server. Once executed, these
files can grant the attacker full control over the host system. To mitigate this risk,
developers must implement strict file type white-listing and scan files for malware.
This process ensures that only safe and intended file formats are processed by the
web server.
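The allowlist validation the explanation calls for, written out as an added example (not code from the exam page): the extension, the declared Content-Type and the leading magic bytes of the content must all agree with one entry on a constructed allowlist, and anything unrecognised is rejected. Malware scanning and storing the file outside the web root under a server-generated name remain separate steps, as is the size cap, which is an assumed policy value.

```python
import os

# Allowlist of accepted upload types (constructed for this example): the extension,
# the Content-Type the client must declare, and the magic bytes the content must start with.
ALLOWED = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".pdf": ("application/pdf", b"%PDF-"),
}
MAX_BYTES = 5 * 1024 * 1024  # size cap, an assumed policy value


def validate_upload(filename: str, data: bytes, declared_type: str) -> tuple[bool, str]:
    """Return (accepted, reason_or_safe_name). Every check is an allowlist test;
    anything not explicitly recognised is rejected."""
    # 1. Never trust the client-supplied path: keep only the base name.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        return False, "missing or hidden file name"
    # 2. The final extension must be on the allowlist (compared case-insensitively).
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    expected_type, magic = ALLOWED[ext]
    # 3. The declared Content-Type must agree with the extension (parameters such as
    #    ';charset=...' are stripped before comparing).
    if declared_type.split(";")[0].strip().lower() != expected_type:
        return False, "declared Content-Type does not match extension"
    # 4. The bytes themselves must carry the magic number of that type, so a script
    #    renamed to .png is caught even though its extension looked acceptable.
    if not data.startswith(magic):
        return False, "file content does not match extension"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    return True, name
```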
2. During a security audit, a developer discovers that sensitive session tokens are
being transmitted in the URL as query parameters. Which OWASP risk category does
this fall under?
A. Cryptographic Failures
B. Broken Access Control
C. Insecure Design
D. Identification and Authentication Failures
Correct Answer: D
Expert Explanation: Identification and Authentication Failures involve weaknesses
in how an application manages user identities and sessions. Passing session tokens
in URLs is a dangerous practice because URLs are often logged by intermediate
proxies and browsers. If an attacker gains access to these logs, they can easily hijack
the user’s active session. Secure session management requires tokens to be stored
in secure, HttpOnly cookies instead of the URL. This practice minimizes the
exposure of sensitive credentials during transit and storage.
3. Which technique is the most effective way to prevent SQL injection attacks in a web
application?
A. Using prepared statements with parameterized queries
B. Implementing a Web Application Firewall (WAF)
C. Encoding all output displayed to the user
D. Using client-side JavaScript for input validation
Correct Answer: A
Expert Explanation: Prepared statements ensure that the database treats user
input as data rather than executable code. This approach separates the query
structure from the actual values provided by the user. Even if an attacker enters
malicious SQL commands, the database will not execute them. While WAFs provide
an extra layer of defense, they cannot replace secure coding practices at the
application level. Therefore, parameterization remains the primary and most
reliable defense against various injection flaws.
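The difference the explanation describes, as an added example (not from the exam page) against a constructed in-memory SQLite table: the same lookup written by splicing the value into the query text and then with a bound parameter. With the parameterized form the value is only ever compared as a string, so a tautology input matches nothing and a legitimate apostrophe in a name no longer breaks the query.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The 'before' form: the user-supplied value becomes part of the SQL text, so the
    # database cannot distinguish query structure from data.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The hardened form: the query structure is fixed first and the value is bound
    # separately as a plain string, whatever characters it contains.
    sql = "SELECT email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run both lookups on the same input; the vulnerable count is None when the
    spliced query is not even valid SQL (a plain apostrophe already does that)."""
    conn = build_db()
    try:
        vulnerable = len(lookup_vulnerable(conn, username))
    except sqlite3.Error:
        vulnerable = None
    return {
        "vulnerable_rows": vulnerable,
        "parameterized_rows": len(lookup_parameterized(conn, username)),
    }
```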
4. An organization is implementing a DevSecOps pipeline. At which stage should Static
Application Security Testing (SAST) be integrated for the best results?
A. During the deployment phase
B. During the coding and build phase
C. During the monitoring and logging phase
D. During the final manual penetration test
Correct Answer: B
Expert Explanation: SAST tools analyze the source code or compiled binaries for
security vulnerabilities without executing the program. Integrating SAST early in the
software development lifecycle allows developers to identify and fix flaws
immediately. This ‘shift-left’ approach reduces the cost and effort required to
remediate security issues later. By catching bugs during the build phase, teams can
ensure that only secure code moves forward. This proactive strategy is a
cornerstone of modern cybersecurity architecture and engineering.
5. In the context of threat modeling using the STRIDE methodology, which threat is
associated with an attacker performing actions on behalf of another user without
their consent?
A. Information Disclosure
B. Repudiation
C. Spoofing
D. Tampering
Correct Answer: C
Expert Explanation: Spoofing involves an attacker pretending to be a different user
or system to gain unauthorized access. This threat category focuses on the violation
of authenticity within an application environment. By impersonating a legitimate
entity, attackers can bypass security controls and access sensitive data. Mitigation