WASF

Which statements on web applications security are true

$$ Common techniques for mitigating Cross$-$Site Scripting attacks include input validation, output encoding, and Content Security Policy.

$$ The Content Security Policy $($CSP$)$ is an opt$-$in security mechanism for web applications which allow security$-$related settings in special headers of web pages.

$$ Cross$-$Site Scripting attacks can only occur in web applications that use client$-$side scripting languages such as JavaScript.

$$ Side$-$channel attacks are only feasible against web systems that have been designed with security flaws.

Which of the following statements are correct

$$ The SSL$/$TLS protocol is used to establish an encrypted connection in HTTPS$.$

$$ Stored XSS attacks occur when a malicious script is included in a request to a web application and then sent back to the user.

$$ Passwords are an insecure way to protect sensitive data.

$$ A website with a self$-$signed certificate may be considered less secure than one with a certificate signed by a certificate authority

Which of the following statements are correct

$$ Session hijacking attacks can only occur if the attacker has physical access to the target's device.

$$ Denial of Service $($DoS$)$ is not one of the OWASP Top $10$ security risks.

$$ HTTPS is a secure web protocol which depends on certificates to identify servers, but does not involve TLS$.$

$$ The use of private browsing modes, such as Incognito in Google Chrome provides complete protection against fingerprinting.

$.$ Which of these listed statements are correct

$$ Session hijacking attacks can only occur if the attacker has physical access to the target's device.

$$ Denial of Service $($DoS$)$ is not one of the OWASP Top $10$ security risks.

$$ HTTPS is a secure web protocol which depends on certificates to identify servers, but does not involve TLS$.$

$$ The use of private browsing modes, such as Incognito in Google Chrome provides complete protection against fingerprinting.

Which of the below statements on web applications security are correct

$$ A web side$-$channel attack can target web applications and their underlying infrastructure, including browsers, servers, and other components to extract sensitive information that would otherwise be protected by exploiting the differences between the intended and actual execution of a system.

$$ Cross$-$Site Scripting attacks involve injecting malicious code into a vulnerable web application, but in general do not allow an attacker to steal sensitive information from users of the affected site.

$$ Code injection attacks cannot be executed in interpreted programming languages $($such as Python or JavaScript$).$

$$ The Domain Name System$-$Based Authentication of Named Entities $($DANE$)$ protocol is an alternative to certificate authorities for verifying the authenticity of TLS certificates.

Which of the below listed statements are correct

$$ TLS certificates must always be signed by a certificate authority $($CA$)$ for them to be trusted by web browsers.

$$ CSRF attacks can be prevented by requiring the user to authenticate themselves before executing any sensitive actions.

$$ Cross$-$Site Request Forgery $($CSRF$)$ is not one of the OWASP Top $10$ security risks.

$$ WebAuthn only supports FIDO$2$ authentication and cannot be used with other authentication protocols.

Which below statements are true

$$ The referer header can be easily forged.

$$ OWASP Top $10$ security risks include Broken Access Control.

$$ A well$-$configured firewall can completely prevent DNS rebinding attacks.

$$ Cookies security is well aligned with the SOP $($same origin policy

Which of these statements are true

$$ Self$-$signed or privately signed certificates are generally not trusted by default by web browsers, and may result in security warnings or errors for users, indicating that the website is not secure$.$

$$ Denial of Service attacks can be executed through the exploitation of vulnerabilities in a targeted website's code.

$$ Using a self$-$signed SSL certificate for a local HTTP server does not provide security for its users.

$$ A Forward Secrecy cipher suite is a type of encryption used in transport layer security $($TLS$)$ that provides additional protection against eavesdropping and decryption of recorded encrypted traffic by generation of a unique session key for each secure session, such that even if the private key of the server is compromised in the future, the encrypted traffic of a particular session cannot be decrypted.

$).$

Which below statements are correct

$$ Captcha security measures can be bypassed by advanced bots.

$$ Input validation is not an effective way to prevent SQL injection attacks.

$$ Wrongly designed API can be used to launch various attacks on websites.

$$ DNS rebinding attacks exploit the trust relationship between a web browser and a web server.

Which of the following statements on web applications security are true

$$ Referer header validation is a method where the server checks the source