5.1 Quiz: Application & Data Vulnerabilities

AP Cybersecurity · Unit 5 · Topic 5.1 · Quiz

5.1 Checkpoint: Application & Data Vulnerabilities

Five questions. Harder than the lesson examples. Each one tests a distinction the AP exam loves to exploit: Broken Auth vs Access Control, Injection vs Sensitive Data Exposure, right-layer vs wrong-layer controls.

5 Questions ~10 min Scored Exam-style

How to Approach

Predict-first: read each question, commit to a category, then look at options. The AP exam includes plausible-sounding wrong answers precisely to catch students who let options shape their thinking.

Watch for trap distractors: wrong-layer controls (firewalls for application attacks), wrong-category labels (Broken Auth vs Broken Access Control), and symptom fixes (changing passwords when sessions were stolen).

Score0 / 5
Question 1
A web application concatenates the contents of a URL parameter directly into a SQL query. An attacker submits a URL containing '; DROP TABLE users; -- and the users table is deleted. Which OWASP Top 10 category applies?
✎ Predict before reading options. Commit to a category first.
Exam TipUntrusted input + SQL = Injection.
Question 2
A developer stores user passwords in the database as MD5(password) with no salt. Which of the following statements are TRUE?

I. If the database is breached, attackers can crack most passwords quickly using rainbow tables.
II. This is classified as Broken Authentication because it concerns password storage.
III. Switching to bcrypt or Argon2 with a per-user salt would make offline cracking dramatically slower.
✎ Predict before reading options. Commit to a category first.
Exam TipTest of the Broken Auth vs Cryptographic Failures distinction. Password storage choices = Cryptographic Failures. Login process failures = Broken Authentication.
Question 3
A company's internal report tool shows each user a URL like /reports/[their_employee_id]. A user discovers that changing the employee ID in the URL to another employee's ID returns that employee's salary report. The user was properly authenticated. What is the correct classification, and what is the correct fix?
✎ Predict before reading options. Commit to a category first.
Exam TipPattern: authenticated user modifies URL/ID and sees other users' data. Always Broken Access Control. Fix: authorization per request.
Question 4
Review the following four statements about application security controls. Which is NOT a valid defense against its stated threat?
✎ Predict before reading options. Commit to a category first.
Exam TipWatch for wrong-layer answers. Network controls (firewalls, IDS) don't stop application-layer attacks. This is one of the AP exam's favorite traps.
Question 5
A company discovers that their application logs, shipped to a third-party monitoring SaaS, contain full HTTP request bodies including password fields submitted during login. The third-party SaaS retains logs for 3 years. No active attack has been confirmed. How should this finding be classified, and what is the PRIMARY control?
✎ Predict before reading options. Commit to a category first.
Exam TipSensitive data in logs = Sensitive Data Exposure. Primary control is don't log sensitive data, not restricting who sees the logs.

Quiz Complete

— / 5

AP Cybersecurity · Unit 5 · Lesson 5.1 · Quiz

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]