Crowdly

What distinguishes a valid XML document from a well-formed XML document?

A valid document conforms to a schema or DTD, while a well-formed document only follows syntax rules

A valid document can only be parsed using a validation parser

A valid document includes an XML declaration, while a well-formed document does not

A valid document uses predefined tags, while a well-formed document does not

How can server-side request forgery (SSRF) be achieved through XXE?

By injecting SQL commands into XML attributes

By forcing the server to make unauthorized HTTP requests

By manipulating JSON tokens in the application

By redirecting XML processing to an external parser

Which of the following is NOT a recommended mitigation strategy for Direct Object Reference vulnerabilities?

Implementing a deny-by-default policy for all resources

Disabling directory listings on the server

Validating user ownership of accessed records

Allowing users unrestricted file path access for convenience

Which of the following is an example of a Direct Object Reference vulnerability?

Exploiting a weak password recovery question

Injecting malicious scripts via input fields

Accessing a resource by manipulating predictable identifiers in the URL

Guessing session tokens in a brute-force attack

Which mitigation technique is most effective against parameter tampering attacks?

Using cookies to pass parameters instead of the URL

Implementing robust server-side input validation

Encrypting all parameters before transmission

Storing parameters in LocalStorage

What makes secret questions a weak method for password recovery?

They require advanced hashing algorithms for answers

They are only applicable to multi-factor authentication

They cannot be guessed by attackers

Social engineering and publicly available data make answers easy to find

✅

What is the Principle of Least Privilege in access control?

Granting users only the access necessary to perform their tasks

Denying all users by default

Allowing all users the same level of access

Revoking all permissions after authentication

What is the primary goal of the Zero Trust (TNO) security model?

To simplify access controls across internal networks

To restrict external users from accessing internal resources

To assume no inherent trust between users, devices, or network components

✅

To eliminate authentication for trusted users

What is a primary characteristic of Parameter Tampering attacks?

They involve the modification of client-side transmitted data

✅

They manipulate authentication cookies

They are based on brute-forcing session IDs

They exploit vulnerabilities in server-side encryption