JWT Validation
What is the primary purpose of validating a JSON Web Token (JWT) in API authentication testing?
- To ensure the API server is running correctly.
- To verify the JWT's expiration, signature, and claims.
- To check the size of the JWT.
- To confirm the user's IP address matches the JWT's origin.
- To only check the token's signature against a static secret.
OAuth 2.0 Grant Types
Which OAuth 2.0 grant type is most suitable for native mobile applications where the client secrets cannot be securely stored?
- Authorization Code Grant
- Resource Owner Password Credentials Grant
- Client Credentials Grant
- Implicit Grant
- Authorization Grant
RBAC Implementation
When testing Role-Based Access Control (RBAC) in an API, what is a critical test case to include?
- Ensuring that all users have access to all resources.
- Verifying that users can only access resources permitted by their assigned roles.
- Checking the API's response time for different user roles.
- Validating the format of the role identifiers.
- Confirming the database connection for roles is always active.
API Key Security
What is the most effective way to protect API keys from being compromised in a front-end web application?
- Store the API key directly in the JavaScript code.
- Use environment variables on the server-side and proxy API requests through the back-end.
- Obfuscate the API key in the client-side code.
- Encrypt the API key with a simple cipher.
- Never store API keys; instead, use public APIs whenever possible.
Rate Limiting
What is the primary goal of implementing rate limiting in an API?
- To improve the API's documentation.
- To prevent denial-of-service attacks and manage API usage.
- To reduce the size of the API responses.
- To increase the number of supported API versions.
- To simplify the API's security configuration.
Input Validation for Authorization
Why is input validation crucial as part of the authorization process in an API?
- To speed up the authorization process.
- To prevent injection attacks and ensure only authorized data is processed.
- To reduce the size of the authorization headers.
- To comply with regulatory requirements for data storage.
- To ensure the API is easy to use.
Authentication vs. Authorization
Which of the following best describes the difference between authentication and authorization?
- Authentication verifies identity; authorization grants access based on that identity.
- Authentication grants access; authorization verifies identity.
- Authentication and authorization are the same thing.
- Authentication is used for internal APIs; authorization for external APIs.
- Authentication uses passwords; authorization uses API keys.
Testing IDOR Vulnerabilities
When testing for Insecure Direct Object Reference (IDOR) vulnerabilities in an API, what should you primarily focus on?
- Validating the API's response time.
- Ensuring that users cannot access or modify resources belonging to other users.
- Testing the API's error handling capabilities.
- Checking the API's documentation for clarity.
- Verifying the API's compliance with industry standards.
CORS Misconfiguration
A misconfigured Cross-Origin Resource Sharing (CORS) policy can lead to which of the following security vulnerabilities?
- SQL injection attacks.
- Cross-site scripting (XSS).
- Denial-of-service (DoS) attacks.
- Unauthorized access to API resources from different origins.
- Data exfiltration through server-side rendering.
Testing for Brute Force Attacks
What is a common technique for testing an API's resistance to brute-force attacks on authentication endpoints?
- Disabling rate limiting to observe maximum request volume.
- Submitting a large number of login requests with valid credentials.
- Submitting a large number of login requests with invalid credentials in a short period.
- Analyzing the API's code for potential vulnerabilities.
- Using a complex password for the administrator account.