Secure Coding Practices Quiz: Identifying and Fixing Vulnerabilities

  1. Hardcoded Credentials Risk

    Which of the following practices is the best way to resolve hardcoded database credentials found by a static code analysis tool?

    1. Store credentials in environment variables
    2. Comment out the credentials in code
    3. Change the credentials to 'admin:admin'
    4. Store credentials in a public GitHub repo
    5. Hardcode the credentials with a warning comment
  2. SQL Injection Detection

    Static analysis found this code vulnerable to SQL injection: String query = 'SELECT * FROM users WHERE username = ' + userInput; What is the most secure way to fix it?

    1. Use parameterized queries
    2. Escape all single quotes in userInput manually
    3. Log the query before running it
    4. Use userInput.toUpperCase()
    5. Remove the input check entirely
  3. Cross-Site Scripting (XSS)

    Given the code snippet: output.write(userComment);, which remediation prevents cross-site scripting attacks?

    1. Sanitize user input before output
    2. Minify the output HTML
    3. Write the output inside a <script> tag
    4. Only log the comment to the console
    5. Remove all whitespace from output
  4. Improper Input Validation

    Why is it insecure to use this logic? if (!input.isEmpty()) { process(input); }

    1. It does not validate the input's type or content
    2. It takes too much CPU time
    3. It never calls process(input)
    4. It validates input length only
    5. It throws a NullPointerException
  5. Untrusted Data in File Paths

    A static analyzer flags this: File f = new File('/uploads/' + filename); What is the risk if filename comes from user input?

    1. Path traversal vulnerability
    2. File is always a .txt file
    3. Automatic file encryption
    4. Improved upload speed
    5. Lower memory usage
  6. Insecure Cryptography Usage

    The code uses MD5 for storing passwords: String hash = MD5(password); Why is this flagged as insecure?

    1. MD5 is fast and vulnerable to brute-force attacks
    2. MD5 uses too much memory
    3. MD5 requires a license fee
    4. MD5 changes the password format
    5. MD5 is only for image files
  7. Command Injection

    A scanner reports this as dangerous: Runtime.getRuntime().exec('ping ' + userInput); What is the best way to eliminate the command injection risk?

    1. Validate and whitelist userInput
    2. Use userInput.trim()
    3. Replace 'ping' with 'pong'
    4. Catch and ignore exceptions
    5. Log the command before execution
  8. Sensitive Information in Logs

    Review the logging statement: logger.info('User password: ' + password); What is the security vulnerability?

    1. Sensitive data exposure in logs
    2. Password is too long
    3. Logger might crash
    4. Logs are only accessible to admins
    5. Password is not encoded
  9. Improper Use of Randomness

    Why is this not secure for generating tokens? int token = (int)(Math.random() * 100000);

    1. Math.random() is not cryptographically secure
    2. token is too long
    3. Math.random() requires an internet connection
    4. The result is always negative
    5. The code is not written in Python
  10. Use of Deprecated APIs

    Static analysis warns: 'Use of deprecated API SecureRandom.getSeed(int)'. What should you do?

    1. Use a more current and secure API for random number generation
    2. Ignore the warning
    3. Increase the seed size
    4. Switch to Random.nextInt()
    5. Reduce the number of function calls