AP Cybersecurity Unit 5 Practice Exam | 40 MCQ

AP Cybersecurity · Unit 5 · Practice Exam

Unit 5 Practice Exam — Securing Applications & Data

Forty AP-format multiple-choice questions covering every lesson in Unit 5. Mix of scenario, I/II/III multi-correct, spot-the-error, and EXCEPT formats. Per-option feedback on every answer.

40 Questions AP Exam Format ~60 min All 6 Lessons Instant Feedback

Directions

Each question has exactly one best answer. For the hardest gains, read the stem carefully and try to form your answer before looking at the options. Then eliminate clearly wrong choices first and select the best remaining option.

Keywords. Watch for NOT, EXCEPT, ALWAYS, NEVER, and MOST in the stem — they change what you are looking for.

Feedback. After you answer, the explanation appears directly under the question. Use the wrong-answer explanations as a study tool — they tell you exactly where you misread the scenario.

Score 0 / 40

Lesson 5.1 — Application & Data Vulnerabilities

Question 1 L5.1 Scenario

A developer builds a login form that constructs this database query by concatenating the username and password entered by the user:

SELECT * FROM users WHERE name = '' + userInput + '' AND pw = '' + pwInput + '';
Question 2 L5.1 Scenario

A public comment feed displays each comment by inserting the raw text directly into the page HTML. A security researcher warns that this is dangerous. Which attack does this design most directly enable?

Question 3 L5.1 Spot-the-error

A web application uses the following pseudocode to handle login attempts. Which line contains a security flaw?

Line 1: user = database.lookup(username)
Line 2: IF user == NULL THEN redirect("/login?err=nouser")
Line 3: IF enteredPassword == user.password THEN
Line 4:     session.grantAccess(user.role)
Question 4 L5.1 I/II/III

Which of the following are examples of defensive input validation that reduce application vulnerabilities?

I. Rejecting usernames that contain characters outside [A-Za-z0-9_].
II. Using parameterized database queries instead of string concatenation.
III. Silently trimming all special characters from user input and submitting the remainder without notifying the user.

Question 5 L5.1 Scenario

A backup file containing customer records is stored on a hard drive inside a locked server room. The file is encrypted. Which statement about this setup is most accurate?

Question 6 L5.1 Scenario

A banking app URL for viewing an account is /accounts/view?id=10293. A user notices that changing the id to another number in the browser URL bar returns another customer's account details. Which vulnerability class best describes this?

Question 7 L5.1 EXCEPT

All of the following are common application-layer vulnerabilities EXCEPT:

Lesson 5.2 — Symmetric Cryptography

Question 8 L5.2 Scenario

An engineer wants to use AES-256 to protect files shared between two offices. The key must reach the remote office. Which property of symmetric encryption does this scenario illustrate?

Question 9 L5.2 I/II/III

Which of the following statements about AES (Advanced Encryption Standard) are correct?

I. AES uses the same key for encryption and decryption.
II. AES is considered secure at key sizes of 128, 192, and 256 bits.
III. AES produces a public/private key pair for each message.

Question 10 L5.2 Scenario

A video platform needs to encrypt 4K movie streams of hundreds of gigabytes for subscribers. Performance is critical. Which cryptographic approach is most appropriate for the bulk video content itself?

Question 11 L5.2 Spot-the-error

A developer writes an encryption routine summarized as: "Split the file into 16-byte blocks. Encrypt each block with AES using the same key. Concatenate the results." What is the most significant problem with this routine?

Question 12 L5.2 Scenario

An analyst discovers that a shared AES key used to encrypt transaction logs for the past year has been leaked. Which of the following is the MOST immediate risk?

Lesson 5.3 — Hashing

Question 13 L5.3 Scenario

A developer is choosing a hash function for verifying that a large software download has not been tampered with. Which property of a cryptographic hash is most important for this use case?

Question 14 L5.3 I/II/III

When storing user passwords, which of the following practices improve security against offline attacks?

I. Applying a per-user random salt before hashing.
II. Using a slow hash function such as bcrypt or Argon2.
III. Storing the password and its hash side by side so that verification is faster.

Question 15 L5.3 Scenario

Which of the following best describes the difference between hashing and encryption?

Question 16 L5.3 Scenario

A code-signing certificate uses SHA-1 as its hash function. A security researcher publishes a practical collision attack against SHA-1. Why is this a serious concern for the certificate?

Question 17 L5.3 Scenario

A security team publishes a software installer along with the SHA-256 digest of the installer file. A user downloads the installer and wants to verify integrity. What must the user do?

Lesson 5.4 — Asymmetric Cryptography & PKI

Question 18 L5.4 I/II/III

Consider an asymmetric cryptosystem. Which of the following actions are correctly paired with the right key?

I. Alice encrypts a message for Bob using Bob's public key.
II. Bob decrypts the message using his private key.
III. Alice signs a message using Bob's private key.

Question 19 L5.4 Scenario

A vendor publishes a firmware update along with a digital signature. A device verifies the signature using the vendor's public key. What does successful verification prove?

Question 20 L5.4 Scenario

A browser visits https://bank.example and displays a padlock icon. Which of the following must have been validated for the browser to display the lock?

Question 21 L5.4 Scenario

Which of the following best describes the role of a Certificate Authority (CA) in public-key infrastructure?

Question 22 L5.4 Spot-the-error

A developer writes the following signing pseudocode. What is the most significant error?

Line 1: message = getFormInput()
Line 2: signature = RSA.sign(message, recipient_public_key)
Line 3: send(message, signature)
Question 23 L5.4 Scenario

Which statement about public and private keys is correct?

Lesson 5.5 — Protecting Applications

Question 24 L5.5 I/II/III

A web application implements the following controls. Which combination best illustrates defense-in-depth for protecting user data?

I. A web application firewall (WAF) in front of the server.
II. Input validation and parameterized queries in the application code.
III. Encrypted database backups stored in a separate region.

Question 25 L5.5 Scenario

A web application connects to its database using an account that has DROP, ALTER, and GRANT privileges because "it is easier than managing permissions." A security auditor flags this. What principle is being violated?

Question 26 L5.5 I/II/III

Which of the following practices belong in a secure software development lifecycle (SSDLC)?

I. Threat modeling during design.
II. Static application security testing (SAST) of source code.
III. Patch management and vulnerability disclosure handling after release.

Question 27 L5.5 Spot-the-error

A site's login page is served over HTTPS, but the form's action attribute points to an http:// URL. Which of the following describes the problem?

Question 28 L5.5 Scenario

An application stores session tokens in cookies but does not set the Secure or HttpOnly flags. Which attack does this most clearly enable?

Question 29 L5.5 EXCEPT

All of the following are effective defenses against credential-stuffing attacks EXCEPT:

Question 30 L5.5 I/II/III

Which of the following values should generally NOT be written to application logs?

I. Full credit card numbers.
II. Session tokens.
III. User IDs (numeric, non-sensitive identifiers).

Question 31 L5.5 Scenario

A news site includes a third-party advertising script via . The advertising network is breached and the script is modified to steal cookies from site visitors. What is the MOST appropriate mitigation against this specific class of supply-chain risk going forward?

Question 32 L5.5 I/II/III

Which of the following statements about a Web Application Firewall (WAF) are true?

I. A WAF can block common patterns like SQL injection and XSS payloads before they reach the application.
II. A WAF is a complete replacement for secure coding practices.
III. A WAF can be bypassed by attackers who encode or obfuscate payloads to evade signature rules.

Lesson 5.6 — Detection & Incident Response

Question 33 L5.6 I/II/III

Which of the following are valid reasons to send logs from multiple sources to a central SIEM?

I. Correlating events across systems (e.g., firewall allow + IDS alert + server authentication).
II. Preserving logs if an endpoint is compromised and its local logs are wiped.
III. Enabling cryptographic encryption of data at rest on every endpoint.

Question 34 L5.6 Spot-the-error

An analyst writes the following claim about indicators of compromise (IOCs): "Blocking a single malicious IP is the most disruptive control we can apply to an adversary." What is wrong with this claim?

Question 35 L5.6 I/II/III

UEBA (User and Entity Behavior Analytics) is most useful for detecting which of the following?

I. A valid user credential being used from a new country at an unusual hour.
II. A known malware hash in an EDR signature database.
III. An administrator downloading an anomalously large volume of data from a file share.

Question 36 L5.6 Scenario

An analyst has just disconnected a compromised laptop from the network and is beginning to investigate how the attacker got in. In the NIST Incident Response lifecycle, which phase does this MOST closely map to?

Question 37 L5.6 Spot-the-error

A security team writes the following requirement for system logging: "Administrators shall be able to delete log entries older than 30 days at any time in order to save storage." What is the main problem with this requirement?

Question 38 L5.6 I/II/III

Which of the following correctly describe the difference between MTTD and MTTR?

I. MTTD measures the average time between when an attack starts and when defenders detect it.
II. MTTR measures the average time from detection to full recovery/resolution.
III. A high MTTD with a low MTTR means defenders react fast but miss attacks for long periods.

Question 39 L5.6 Scenario

A SIEM dashboard shows 50,000 alerts per day. Analysts can realistically investigate maybe 100. Which of the following is the BEST long-term response to this situation?

Question 40 L5.6 I/II/III

During incident response, which of the following actions help preserve forensic evidence for later analysis?

I. Capturing a memory image (RAM dump) before powering off a suspected compromised host.
II. Documenting who touched the evidence, when, and why (chain of custody).
III. Formatting the suspect disk to quickly eliminate malware before the malware can spread.

Exam Complete

0 / 40

Calculating your results...

Free Tool
AP Cybersecurity Score Calculator
Enter your MCQ and FRQ raw scores to instantly see your predicted AP grade (1–5) with personalized study tips.
Calculate My Score →

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]