AP Cybersecurity Unit 5 Exam: Securing Applications & Data

Instructions
  • 20 multiple-choice questions spanning all six lessons in Unit 5 (3 or 4 questions per lesson).
  • Click Check Answer after each question to see feedback.
  • Your total score and a per-lesson breakdown appear at the bottom once you have answered all 20.
  • Target: 16 of 20 (80%) or better. Below 14 of 20, revisit the weakest lessons before the real AP exam.

00:00

Exam Coverage

5.1 Application & Data Vulnerabilities (Q1–Q3) · 5.2 Symmetric Cryptography (Q4–Q7) · 5.3 Hashing for Data Integrity (Q8–Q10) · 5.4 Asymmetric Cryptography & PKI (Q11–Q14) · 5.5 Protecting Applications (Q15–Q17) · 5.6 Detecting Attacks on Data & Applications (Q18–Q20)

Unit 5 Final Exam
Question 1 of 20 · Lesson 5.1 A developer is reviewing the following server-side handler for a public login form:
def authenticate(username, password):
    sql = "SELECT id FROM users WHERE name='" + username + "'"
    row = db.execute(sql).fetchone()
    if row and verify_hash(password, row.pw_hash):
        return row.id
    return None
Which single statement BEST identifies the most severe vulnerability in this code?
Question 2 of 20 · Lesson 5.1 A web application displays user-submitted comments directly in the HTML of a public page without any output encoding. Three potential attacks are listed below:

I. An attacker posts a comment containing that executes when any visitor loads the page.
II. An attacker crafts a link containing JavaScript in a URL parameter; users who click it from a phishing email run the script in the context of the vulnerable site.
III. An attacker brute-forces the application's administrator login via repeated HTTP POST requests.

Which of these attacks does the described vulnerability (missing output encoding) ENABLE?
Question 3 of 20 · Lesson 5.1 All of the following are examples of attacks that primarily violate the confidentiality property of the CIA triad EXCEPT which one?
Question 4 of 20 · Lesson 5.2 Which of the following BEST describes a defining property of AES-256 that distinguishes it from older symmetric ciphers such as DES?
Question 5 of 20 · Lesson 5.2 A junior developer writes the following routine to encrypt each record in a database using AES in CBC mode:
const KEY = loadSecretKey();
const IV  = Buffer.alloc(16, 0);   // all zeros, reused for every record

function encryptRecord(plaintext) {
    const cipher = crypto.createCipheriv('aes-256-cbc', KEY, IV);
    return Buffer.concat([cipher.update(plaintext), cipher.final()]);
}
Which of the following BEST describes the most serious cryptographic flaw in this implementation?
Question 6 of 20 · Lesson 5.2 Two systems need to exchange encrypted messages using AES. Before they can do so, they must first share the AES key securely. Which of the following accurately describes the central challenge that symmetric cryptography alone cannot solve?
Question 7 of 20 · Lesson 5.2 All of the following are legitimate practices for using AES encryption in a production application EXCEPT which one?
Question 8 of 20 · Lesson 5.3 Which of the following statements MOST ACCURATELY describes the difference between cryptographic hashing and encryption?
Question 9 of 20 · Lesson 5.3 A web application team is redesigning its password storage system. Which of the following approaches provides the STRONGEST protection against offline password-guessing attacks if the password database is stolen?
Question 10 of 20 · Lesson 5.3 A file download page publishes the SHA-256 hash of an installer so users can verify the file has not been tampered with. This use case depends primarily on which cryptographic property of SHA-256?
Question 11 of 20 · Lesson 5.4 Alice wants to send Bob a message that only Bob can read. Using asymmetric cryptography, which key is used to encrypt the message, and which key is used to decrypt it?
Question 12 of 20 · Lesson 5.4 A software vendor publishes a driver update accompanied by a digital signature produced using the vendor's private key. A user's operating system verifies the signature using the vendor's public key (obtained from a trusted certificate). If the signature verifies successfully, what specific claim can the user reasonably make about the update?
Question 13 of 20 · Lesson 5.4 Three students discuss how a web browser decides to trust a server's TLS certificate:

I. The browser verifies that the certificate was signed by a Certificate Authority (CA) whose root certificate is already installed in the browser's trust store.
II. The browser performs a DNS lookup to verify that the certificate's listed hostname resolves to the same IP address as the server presenting the certificate.
III. The browser checks that the certificate has not expired and has not been revoked.

Which of these statements accurately describe steps that a modern browser performs during TLS certificate validation?
Question 14 of 20 · Lesson 5.4 Modern secure protocols such as TLS typically combine asymmetric and symmetric cryptography in a hybrid scheme. Which of the following BEST explains the motivation for this design?
Question 15 of 20 · Lesson 5.5 A development team protects their web application from SQL injection by only validating inputs in client-side JavaScript before submitting the form. Which of the following BEST describes why this approach is inadequate?
Question 16 of 20 · Lesson 5.5 A web application's back-end connects to a PostgreSQL database using a single database user account that has been granted ALL PRIVILEGES on every table, including administrative permissions to create and drop tables. Which of the following principles is MOST DIRECTLY violated by this configuration?
Question 17 of 20 · Lesson 5.5 A security audit of a production web application finds that the server is running a version of a popular open-source library with a publicly disclosed CVE rated Critical. The patched version has been available for 90 days. Which of the following is the MOST APPROPRIATE immediate response?
Question 18 of 20 · Lesson 5.6 Following the NIST SP 800-61 incident-response lifecycle, which of the following sequences is the CORRECT ordering of phases after initial detection?
Question 19 of 20 · Lesson 5.6 A threat-intelligence team is evaluating which indicator to promote into a long-lived detection rule. According to the Pyramid of Pain, which indicator, if detected reliably, forces an attacker into the MOST EXPENSIVE response to evade the detection?
Question 20 of 20 · Lesson 5.6 All of the following are legitimate benefits of a SIEM correlation rule that joins events across multiple log sources EXCEPT which one?
0 / 20 0% Exam complete. Review any missed questions above.
Free Tool
AP Cybersecurity Score Calculator
Enter your MCQ and FRQ raw scores to instantly see your predicted AP grade (1–5) with personalized study tips.
Calculate My Score →

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]