Five exam-format questions across all L5.5 topics: defense in depth, secure coding, input validation, output encoding, authentication and session controls, CSP, WAF, and rate limiting. Mix of spot-the-error, I/II/III multi-correct, and scenario-based stems — exactly the formats you will see on the AP exam.
5 Questions~12 minExam Format
How to Approach These
1. Identify the OWASP category from the stem before reading options.
2. For I/II/III questions, evaluate each statement independently. Do not anchor on the first true statement.
3. For code questions, trace what happens line by line. Look for trusted-input-into-interpreter patterns, denylist filters, and fail-open logic.
4. Prefer root-cause controls over compensating controls. Parameterized queries, MFA, encoding, and session regeneration beat WAFs, CAPTCHAs, and signature-based filters.
Score0 / 5
Question 1
Examine this authentication check. Assume verify_password returns True when the submitted password matches the stored bcrypt hash.
def login(request): email = request.form['email'] pw = request.form['password'] user = User.find_by_email(email) if user is None: return error("No account with that email") if not verify_password(pw, user.pw_hash): return error("Wrong password") login_user(user) return redirect("/dashboard")
Which security issue is most significant?
Question 2
Which of the following statements about input validation are correct?
I. Allowlist validation (specify what is acceptable) is structurally stronger than denylist validation (specify what is forbidden). II. Client-side input validation is sufficient as long as the client is a modern browser with JavaScript enabled. III. Input validation should be performed at the server, at the point where the data crosses into business logic. IV. Input validation and output encoding address the same failure and only one is needed.
Question 3
A developer inherits a web application with the following security posture: HTTPS everywhere, bcrypt password hashing, HttpOnly and Secure cookie flags, and server-side input validation. The site recently suffered a successful Cross-Site Request Forgery (CSRF) attack that transferred funds from users' accounts. Given this baseline, which single additional control is the best primary CSRF defense?
Question 4
Which of the following are true about Content Security Policy (CSP)?
I. A strict CSP can prevent injected scripts from executing even if XSS injection succeeds. II. Adding unsafe-inline to script-src is required for most modern applications and does not weaken CSP. III. CSP is browser-enforced; the policy has no effect if the browser ignores it. IV. CSP directives like connect-src can limit where a page may fetch() data to, mitigating some XSS-driven exfiltration.
Question 5
A SaaS platform receives complaints that password-reset emails are flooding inboxes — a user reports 47 reset emails arrived at their address in 2 minutes. Investigation finds that an attacker can trigger a password-reset email by submitting the user's email address; there is no rate limit. The attacker is using this to harass a specific user. What is the best immediate control?
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed.
Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Typically responds within 24 hours
✓
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.