AP Cybersecurity Unit 5 Practice Exam | 40 MCQ
Unit 5 Practice Exam — Securing Applications & Data
Forty AP-format multiple-choice questions covering every lesson in Unit 5. Mix of scenario, I/II/III multi-correct, spot-the-error, and EXCEPT formats. Per-option feedback on every answer.
Directions
Each question has exactly one best answer. For the hardest gains, read the stem carefully and try to form your answer before looking at the options. Then eliminate clearly wrong choices first and select the best remaining option.
Keywords. Watch for NOT, EXCEPT, ALWAYS, NEVER, and MOST in the stem — they change what you are looking for.
Feedback. After you answer, the explanation appears directly under the question. Use the wrong-answer explanations as a study tool — they tell you exactly where you misread the scenario.
Lesson 5.1 — Application & Data Vulnerabilities
A developer builds a login form that constructs this database query by concatenating the username and password entered by the user:
SELECT * FROM users WHERE name = '' + userInput + '' AND pw = '' + pwInput + '';
A public comment feed displays each comment by inserting the raw text directly into the page HTML. A security researcher warns that this is dangerous. Which attack does this design most directly enable?
A web application uses the following pseudocode to handle login attempts. Which line contains a security flaw?
Line 1: user = database.lookup(username)
Line 2: IF user == NULL THEN redirect("/login?err=nouser")
Line 3: IF enteredPassword == user.password THEN
Line 4: session.grantAccess(user.role)
Which of the following are examples of defensive input validation that reduce application vulnerabilities?
I. Rejecting usernames that contain characters outside [A-Za-z0-9_].
II. Using parameterized database queries instead of string concatenation.
III. Silently trimming all special characters from user input and submitting the remainder without notifying the user.
A backup file containing customer records is stored on a hard drive inside a locked server room. The file is encrypted. Which statement about this setup is most accurate?
A banking app URL for viewing an account is /accounts/view?id=10293. A user notices that changing the id to another number in the browser URL bar returns another customer's account details. Which vulnerability class best describes this?
All of the following are common application-layer vulnerabilities EXCEPT:
Lesson 5.2 — Symmetric Cryptography
An engineer wants to use AES-256 to protect files shared between two offices. The key must reach the remote office. Which property of symmetric encryption does this scenario illustrate?
Which of the following statements about AES (Advanced Encryption Standard) are correct?
I. AES uses the same key for encryption and decryption.
II. AES is considered secure at key sizes of 128, 192, and 256 bits.
III. AES produces a public/private key pair for each message.
A video platform needs to encrypt 4K movie streams of hundreds of gigabytes for subscribers. Performance is critical. Which cryptographic approach is most appropriate for the bulk video content itself?
A developer writes an encryption routine summarized as: "Split the file into 16-byte blocks. Encrypt each block with AES using the same key. Concatenate the results." What is the most significant problem with this routine?
An analyst discovers that a shared AES key used to encrypt transaction logs for the past year has been leaked. Which of the following is the MOST immediate risk?
Lesson 5.3 — Hashing
A developer is choosing a hash function for verifying that a large software download has not been tampered with. Which property of a cryptographic hash is most important for this use case?
When storing user passwords, which of the following practices improve security against offline attacks?
I. Applying a per-user random salt before hashing.
II. Using a slow hash function such as bcrypt or Argon2.
III. Storing the password and its hash side by side so that verification is faster.
Which of the following best describes the difference between hashing and encryption?
A code-signing certificate uses SHA-1 as its hash function. A security researcher publishes a practical collision attack against SHA-1. Why is this a serious concern for the certificate?
A security team publishes a software installer along with the SHA-256 digest of the installer file. A user downloads the installer and wants to verify integrity. What must the user do?
Lesson 5.4 — Asymmetric Cryptography & PKI
Consider an asymmetric cryptosystem. Which of the following actions are correctly paired with the right key?
I. Alice encrypts a message for Bob using Bob's public key.
II. Bob decrypts the message using his private key.
III. Alice signs a message using Bob's private key.
A vendor publishes a firmware update along with a digital signature. A device verifies the signature using the vendor's public key. What does successful verification prove?
A browser visits https://bank.example and displays a padlock icon. Which of the following must have been validated for the browser to display the lock?
Which of the following best describes the role of a Certificate Authority (CA) in public-key infrastructure?
A developer writes the following signing pseudocode. What is the most significant error?
Line 1: message = getFormInput()
Line 2: signature = RSA.sign(message, recipient_public_key)
Line 3: send(message, signature)
Which statement about public and private keys is correct?
Lesson 5.5 — Protecting Applications
A web application implements the following controls. Which combination best illustrates defense-in-depth for protecting user data?
I. A web application firewall (WAF) in front of the server.
II. Input validation and parameterized queries in the application code.
III. Encrypted database backups stored in a separate region.
A web application connects to its database using an account that has DROP, ALTER, and GRANT privileges because "it is easier than managing permissions." A security auditor flags this. What principle is being violated?
Which of the following practices belong in a secure software development lifecycle (SSDLC)?
I. Threat modeling during design.
II. Static application security testing (SAST) of source code.
III. Patch management and vulnerability disclosure handling after release.
A site's login page is served over HTTPS, but the form's action attribute points to an http:// URL. Which of the following describes the problem?
An application stores session tokens in cookies but does not set the Secure or HttpOnly flags. Which attack does this most clearly enable?
All of the following are effective defenses against credential-stuffing attacks EXCEPT:
Which of the following values should generally NOT be written to application logs?
I. Full credit card numbers.
II. Session tokens.
III. User IDs (numeric, non-sensitive identifiers).
A news site includes a third-party advertising script via . The advertising network is breached and the script is modified to steal cookies from site visitors. What is the MOST appropriate mitigation against this specific class of supply-chain risk going forward?
Which of the following statements about a Web Application Firewall (WAF) are true?
I. A WAF can block common patterns like SQL injection and XSS payloads before they reach the application.
II. A WAF is a complete replacement for secure coding practices.
III. A WAF can be bypassed by attackers who encode or obfuscate payloads to evade signature rules.
Lesson 5.6 — Detection & Incident Response
Which of the following are valid reasons to send logs from multiple sources to a central SIEM?
I. Correlating events across systems (e.g., firewall allow + IDS alert + server authentication).
II. Preserving logs if an endpoint is compromised and its local logs are wiped.
III. Enabling cryptographic encryption of data at rest on every endpoint.
An analyst writes the following claim about indicators of compromise (IOCs): "Blocking a single malicious IP is the most disruptive control we can apply to an adversary." What is wrong with this claim?
UEBA (User and Entity Behavior Analytics) is most useful for detecting which of the following?
I. A valid user credential being used from a new country at an unusual hour.
II. A known malware hash in an EDR signature database.
III. An administrator downloading an anomalously large volume of data from a file share.
An analyst has just disconnected a compromised laptop from the network and is beginning to investigate how the attacker got in. In the NIST Incident Response lifecycle, which phase does this MOST closely map to?
A security team writes the following requirement for system logging: "Administrators shall be able to delete log entries older than 30 days at any time in order to save storage." What is the main problem with this requirement?
Which of the following correctly describe the difference between MTTD and MTTR?
I. MTTD measures the average time between when an attack starts and when defenders detect it.
II. MTTR measures the average time from detection to full recovery/resolution.
III. A high MTTD with a low MTTR means defenders react fast but miss attacks for long periods.
A SIEM dashboard shows 50,000 alerts per day. Analysts can realistically investigate maybe 100. Which of the following is the BEST long-term response to this situation?
During incident response, which of the following actions help preserve forensic evidence for later analysis?
I. Capturing a memory image (RAM dump) before powering off a suspected compromised host.
II. Documenting who touched the evidence, when, and why (chain of custody).
III. Formatting the suspect disk to quickly eliminate malware before the malware can spread.
Exam Complete
Calculating your results...
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]