AP Cybersecurity · Unit 5 · Topic 5.5 · Exercise 1
Match the Control to the Failure
Eight predict-first MCQs. Each stem describes a breach, a piece of code, or a misconfiguration. Your job: identify the single control that would have prevented it — root cause, not a symptom fix.
8 Questions~15 minScored
How This Exercise Works
1. Read each stem carefully. Most include a code snippet, a breach timeline, or a configuration. Identify the root-cause OWASP category before you look at options.
2. Commit to an answer before reading the options — the yellow predict-gate box is your reminder.
3. Click your answer. Immediate feedback explains why the correct option wins and why each trap is wrong. Read all feedback even on correct answers — the distractor explanations are half the learning.
4. Aim for 7/8 or better. If you score below 6, re-read sections 5.5.4-5.5.8 of the main lesson before attempting Exercise 2.
Score0 / 8
Question 1
A web developer wrote the following login code. Assume the password column in the database already stores salted bcrypt hashes.
email = request.form['email'] pw = request.form['password'] row = db.execute("SELECT id, pw_hash FROM users WHERE email='" + email + "'") if row and bcrypt.verify(pw, row['pw_hash']): login(row['id'])
The code is reviewed before merge. Which single change is the primary fix?
✎ Predict: which line is structurally unsafe, and what replaces it?
Question 2
A banking app stores session tokens in cookies. An attacker successfully injects stored XSS into the comments section. Which combination of controls would prevent the attacker from using that XSS to steal and reuse session tokens?
I. HttpOnly cookie flag on session cookies II. Secure cookie flag on session cookies III. Content Security Policy blocking script-src to 'self' IV. SameSite=Strict cookie attribute
✎ Predict: session theft via XSS requires JS reading the cookie. Which flags block that?
Question 3
A company deploys a WAF in blocking mode with up-to-date SQL injection and XSS signatures. A month later, attackers compromise a checkout endpoint by submitting a request with a modified price field: {"item_id": 42, "quantity": 1, "price": 0.01}. The server-side code trusts the client-supplied price. The WAF logs show it inspected every request and found no signature matches. Which statement best explains the WAF's failure?
✎ Predict: what class of attack does a WAF not detect?
Question 4
A developer writes this input validator for a comment-length constraint. Identify the error.
def validate_comment(text): if len(text) > 5000: return False if " or a script-loading tag into the comment HTML, the browser refuses to execute it unless the source matches the CSP allowlist. The rich HTML (, , ) still renders; only script execution is blocked. CSP is the primary XSS control when HTML must be preserved." onclick="u5l5ex1Answer(this,7)">B.Deploy a strict Content Security Policy that disallows inline scripts and only allows scripts from the site's own origin.
Question 8
Review this authorization check in a file-download handler:
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed.
Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Typically responds within 24 hours
✓
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.