What does XSS stand for?
Cross-Site Scripting
Which CWE involves trusting user input without validating its type, length, or format?
CWE-20: Improper Input Validation
Which algorithm is symmetric: AES or RSA?
AES
In the CIA Triad, which principle ensures information is only accessible to authorized users?
Confidentiality
What does CVE stand for?
Common Vulnerabilities and Exposures
Which OWASP vulnerability allows attackers to modify or steal database data using malicious input?
SQL Injection
Which CWE involves writing past the end of a buffer?
CWE-787: Out-of-Bounds Write
In asymmetric encryption, what key does a sender use to ensure confidentiality when sending a message to a recipient?
The recipient’s public key
A weakness that can be exploited by a threat actor—such as an unpatched system or weak password—is known as what?
Vulnerability
A vulnerability with a CVSS score of 9.8 falls under what severity rating?
Critical
An attacker embeds harmful code into a website so future visitors get infected. What type of XSS is this?
Stored XSS
What CWE occurs when a program uses memory after freeing it?
CWE-416: Use-After-Free
A digital signature verifies integrity and authenticity. Which key is used to create the signature, and which key verifies it?
Created with private key, verified with public key
What term describes any event or actor that could cause harm by exploiting a vulnerability?
Threat
What does a CVSS score of 3.5 represent?
Low severity
Which OWASP category covers broken user role checks that allow privilege escalation?
Broken Access Control
What CWE occurs when sensitive credentials (e.g. passwords or API keys) are hardcoded in the source code?
CWE-798: Hardcoded Credentials
What cryptographic concept allows two parties to create a shared secret over an insecure channel?
Diffie–Hellman key exchange
If a system fails but its backup copy remains accessible and operational, which security property is preserved?
Availability
In a CVE record, what does the “CWE” field describe?
The underlying weakness that caused the vulnerability
What security feature prevents a website from making requests to a different domain unless allowed?
Same-Origin Policy
Accessing a file like ../../../etc/passwd is an example of what CWE?
CWE-22: Path Traversal
Which attack exploits hash collisions to create two different inputs with the same hash output?
A Collision Attack (related to the Birthday Attack)
What type of control is “mandatory annual cybersecurity training”?
Administrative control
A vulnerability where the attacker must be within the same network segment (like shared Wi-Fi) has which Attack Vector?
Adjacent Network (AV:A)