OWASP Online Test

Q: What are the main security tests?

Here are some important security tests: Cyber Security Assessment Test Penetration Testing Test Ethical Hacking Test

The OWASP Online Test evaluates a candidate's understanding of the top 10 vulnerabilities and risks in web application security. It covers topics like injection, broken authentication, sensitive data exposure, and more. The test assesses knowledge through multiple-choice questions offering insights into a candidate's ability to identify and mitigate these security vulnerabilities.

Covered skills:

Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfiguration
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging and Monitoring

Get started for free

Preview questions

About the OWASP Test

The OWASP Online Test helps recruiters and hiring managers identify qualified candidates from a pool of resumes, and helps in taking objective hiring decisions. It reduces the administrative overhead of interviewing too many candidates and saves time by filtering out unqualified candidates at the first step of the hiring process.

The test screens for the following skills that hiring managers look for in candidates:

Able to effectively identify and exploit injection vulnerabilities
Knowledgeable in best practices for authentication and preventing broken authentication
Understanding of secure handling and protection of sensitive data
Familiarity with XML External Entities (XXE) and how to prevent attacks
Proficient in implementing and maintaining secure access controls
Ability to identify and address security misconfigurations
Knowledgeable in preventing and mitigating Cross-Site Scripting (XSS) attacks
Understanding of secure deserialization and prevention of insecure deserialization
Awareness of components with known vulnerabilities and how to handle them
Understanding of the importance of sufficient and effective logging and monitoring

1200+ customers in 80 countries

Use Adaface tests trusted by recruitment teams globally. Adaface skill assessments measure on-the-job skills of candidates, providing employers with an accurate tool for screening potential hires.

Get started for free

Preview questions

Non-googleable questions

We have a very high focus on the quality of questions that test for on-the-job skills. Every question is non-googleable and we have a very high bar for the level of subject matter experts we onboard to create these questions. We have crawlers to check if any of the questions are leaked online. If/ when a question gets leaked, we get an alert. We change the question for you & let you know.

How we design questions

These are just a small sample from our library of 15,000+ questions. The actual questions on this OWASP Online Test will be non-googleable.

🧐 Question
Medium Database testcase Regression Testing Regression Testing In Specific Contexts Test Case Analysis	Solve
Adaface is developing a new database system called “Helen”. The tester at Adaface developed the following testcase for regression testing: 1. Open Helen 2. Open “Students” database 3. Enter data for “Sid” 4. Set checkpoint 5. Store “Sid” data in “Students” 6. Restart Helen 7. Read “Sid” data from “Students” 8. Compare checkpoint with the contents When the tester ran the testcase the first time, it worked as expected. Pick the correct statements: A: When the test case is ran the second time, the data entry for “Sid” already exists in the database. B: When the test case is ran the second time, it performs exactly as it did the first time C: The testcase is a good example for regression testing “Helen” D: The testcase is not a good example for regression testing “Helen” since the system behaves differently when the testcase is ran the second time
Medium Decision Table	Solve
Check the following decision table: What are the expected actions for following testcases? I: Joey's age is 22. He is a smoker residing in India II: Jennifer's age is 62. She is a non-smoker not residing in India A) I - Insure, 10% discount. II - Insure, no discount B) I - Don't insure. II - Don't insure C) I - Insure, no discount. II - Don't insure D) I - Insure, no discount. II - Insure, 10% discount
Easy Cart Checkout Incident Report	Solve
Review the following incident report written QA team of LWB, Little White Book (an e-commerce app): 1. Place any items in the cart (Say “Nike FST Men”). 2. Place any other (different) item in the shopping cart (Say “Nike Air Max”). 3. Remove “Nike FST Men” from the shopping cart, but leave “Nike Air Max” in the cart. 4. Click on “Check out” button. 5. Expect the app to display the check out screen, instead ‘No items in the shopping cart. Click continue to go back to shopping.’ error message is shown as a popup. 6. Click “Continue”. 7. Expect the app to go to shopping screen to add/remove items from the cart. Instead the app crashes. 8. The error in steps 5 and 7 occurred in every attempt of 5 attempts (1 2 3 4 and 6). Which of the following information is missing from the incident report?
Medium Cookie Security Analysis Web Application Security HTTP Cookies Cross-Domain Communication	Solve
You are a cybersecurity officer and a new third-party payment gateway is integrated into your company's e-commerce website. The payment gateway API is hosted on a different domain (pay-gateway.com) than your e-commerce site (my-ecommerce.com). You receive some reports that users are unable to complete their transactions intermittently. You obtain the following set of HTTP cookies from an affected user: 1. user_session=1; Domain=my-ecommerce.com; Path=/; Secure; HttpOnly 2. payment_session=xyz123; Domain=pay-gateway.com; Path=/; Secure; HttpOnly 3. cart_id=abcd1234; Domain=my-ecommerce.com; Path=/; Secure 4. csrf_token=efgh5678; Domain=my-ecommerce.com; Path=/; Secure 5. currency=USD; Domain=my-ecommerce.com; Path=/; 6. same_site_test=1; Domain=my-ecommerce.com; Path=/; Secure; SameSite=None 7. payment_verification=; Domain=my-ecommerce.com; Path=/; Secure; HttpOnly Which of the following configuration modifications would likely solve the intermittent transaction failure issue? A: Set SameSite=Strict attribute on all cookies. B: Set "SameSite=None; Secure" attribute on the payment_session cookie. C: Change the Domain attribute of payment_session cookie to my-ecommerce.com. D: Set HttpOnly attribute on cart_id and csrf_token cookies. E: Remove Secure attribute from user_session cookie.
Medium Security Incident Log Analysis Security Pattern Recognition	Solve
You are the security analyst for a company and are currently investigating a security incident. You found the following log entries in your HTTP server logs, which appear to be linked to the incident: 1. 192.0.2.4 - - [24/May/2023:13:15:30 +0000] "GET /wp-login.php HTTP/1.1" 200 167 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" 2. 192.0.2.4 - - [24/May/2023:13:15:31 +0000] "POST /wp-login.php HTTP/1.1" 302 152 "http://www.example.com/wp-login.php" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" 3. 192.0.2.4 - - [24/May/2023:13:15:32 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 125 "http://www.example.com/wp-admin/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" Based on this information, which of the following statements are correct? A: The attacker was unable to compromise the Wordpress login page but was successful in accessing the installation page. B: The attacker attempted to login to a Wordpress site and, despite the login failing, was able to access the Wordpress installation page. C: The attacker was attempting a dictionary attack on the Wordpress site and accessed the Wordpress installation page. D: The logs indicate that the attacker was able to compromise the Wordpress login and directly access the installation page. E: The attacker attempted to login to a Wordpress site, succeeded, and then tried to access the Wordpress installation page.
Medium Network Traffic Anomaly Network Traffic Analysis Network Protocols Dns Traffic Analysis Network Anomaly Detection	Solve
You are a cybersecurity engineer working on a network traffic analysis case. You have been given the following set of observations from network logs of the past 24 hours: - Observation 1: 1,000,000 DNS requests were recorded, 50% more than the usual daily traffic. - Observation 2: 85% of these DNS requests have the same subdomain but different domain names. - Observation 3: For each of these DNS requests, an HTTP POST request follows immediately. - Observation 4: No other significant anomalies were detected in the system logs. Given these observations, what would you suspect is happening? A: The network is experiencing a DNS amplification attack B: There is a misconfiguration in the DNS settings C: The system is the source of a SYN flood attack D: A fast-flux DNS network is in operation E: The system is infected with a DNS tunneling based malware
Medium SQL Log Analysis SQL Injection Log Analysis Sql Injection Pattern Recognition	Solve
You are investigating a possible SQL injection attack on your company's web application. You found the following entries in the HTTP server logs: Note that each log line contains the following information: IP Address - Timestamp - Request URI - Request Status - Response Size Based on the log entries, which of the following statements are correct? A: The attacker logged in successfully but failed to execute the SQL injection. B: The attacker failed in the SQL injection attack. C: The attacker failed to login but successfully accessed the admin page. D: The attacker performed a successful SQL injection attack that dumped all product information. E: The attacker was unsuccessful in both the SQL injection attack and the login attempt.
Medium Misappropriation Post-Migration DNS Management Infrastructure Migration Subdomain Hijacking	Solve
A software company decided to move some of their web services from one cloud provider (Vendor A) to another (Vendor B) for better cost optimization. Initially, their main web application "webapp.company.com" was hosted at IP 192.0.2.1 on Vendor A's infrastructure. As part of this transition, it was moved to IP 203.0.113.1 on Vendor B's setup. Subsequently, a secondary web service previously hosted on "serviceA.company.com" at IP 192.0.2.2 (Vendor A), was migrated and re-hosted at "serviceB.company.com" at IP 203.0.113.2 (Vendor B). A month post-migration, the SEO team reported an unexpected spike in organic traffic to the "company.com" domain. Upon investigating, the IT team noticed unusual activity related to "serviceA.company.com" in the server access logs, including successful HTTP 200 responses from several requests. A suspicious HTTPS GET request, `GET /explicit-content.html HTTP/1.1`, was also recorded. Running `dig +short serviceA.company.com` returned IP address 198.51.100.1. Cross-checking this information with the company's DNS records revealed: Based on the details provided, identify the probable cause for the unexpected increase in organic traffic: A: The company failed to delete the DNS "A" record for "serviceB.company.com" before migration on vendor A. B: The company failed to delete the DNS "A" record for "serviceA.company.com" after migration. C: The company did not configure DNS record for webapp.company.com properly on Vendor B's platform. D: The DNS configuration for serviceB.company.com is incorrect post migration
Medium Mac address and IP on router hop Routers Switches Mac Address Resolution Packet Forwarding	Solve
Refer to the following exhibit: Host A is sending a packet to Host B. 1. What is the source and destination MAC address at point PA? 2. What is the source and destination IP address at point PB? // Option A PA: source MAC - Mac-A PA: destination MAC - Mac-B PB: source IP - 192.168.1.1 PB: destination IP - 192.168.3.1 // Option B PA: source MAC - Mac-A PA: destination MAC - Mac-RA PB: source IP - 192.168.3.3 PB: destination IP - 192.168.3.1 // Option C PA: source MAC - Mac-A PA: destination MAC - Mac-B PB: source IP - 192.168.3.3 PB: destination IP - 192.168.3.1 // Option D PA: source MAC - Mac-A PA: destination MAC - Mac-RA PB: source IP - 192.168.1.1 PB: destination IP - 192.168.3.1
Easy MX Record, DMARC and Email Authentication DNS MX Records DMARC SPF DKIM	Solve
You work as a network administrator for a company, "example.com", that recently started experiencing issues with email spoofing. To mitigate the problem, you decide to implement DMARC (Domain-based Message Authentication, Reporting & Conformance) in addition to existing SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records. Your current DNS records for example.com include the following: - MX 10 mail.example.com (IP address 203.0.113.10) - TXT "v=spf1 ip4:203.0.113.10 -all" - TXT "v=DKIM1; k=rsa; p=public-key-here" You add the following DMARC record: - TXT "_dmarc.example.com" "v=DMARC1; p=quarantine; pct=100; rua=mailto:report@example.com" After implementing the DMARC record, an external mail server sends an email to your domain. The email passes the SPF and DKIM checks but fails the DMARC check. What will likely happen to the email? A: The email will be accepted and delivered to the recipient's inbox. B: The email will be rejected and returned to the sender as undeliverable. C: The email might be delivered to the recipient's spam or junk folder. D: The email will be accepted, but a report will be sent to the sender. E: The email will be silently discarded, and the sender will not be notified.
Medium Remote network resources Gateway Routing protocols Ospf Routing Network Connectivity	Solve
Review the following exhibit: Angelina noticed that the computers on 192.168.10.0/24 network can ping their default gateway. But they found that these computers cannot connect to any remote network resources. Which of the following is the most likely reason for this?
Medium SSL Certificate Expiry SSL/TLS Network Security Ssl/tls	Solve
You are a network administrator for an e-commerce company. The company's online store allows customers to browse products and make purchases securely over the internet. The online store uses SSL/TLS for secure communication. You receive reports that some customers are seeing a security warning in their web browsers when trying to access the online store. Upon investigation, you discover the following information: - The SSL certificate used by the online store's web server is valid for one year and is due to expire in two days. - The web server is configured to automatically redirect HTTP traffic to HTTPS. - The SSL certificate was issued by a trusted certificate authority (CA), and all major web browsers have the CA's root certificate in their trusted certificate stores. - The SSL certificate includes the correct domain name for the online store. Given the above information, which of the following steps should be taken to resolve the issue and prevent customers from seeing the security warning? A: Extend the validity of the current SSL certificate by one year. B: Obtain a new SSL certificate from the same CA and install it on the web server before the current certificate expires. C: Remove the automatic redirect from HTTP to HTTPS on the web server. D: Ask customers to ignore the security warning and proceed to the online store. E: Replace the SSL certificate with a self-signed certificate.

	🧐 Question	🔧 Skill
	Medium Database testcase Regression Testing Regression Testing In Specific Contexts Test Case Analysis	2 mins Testing	Solve
Adaface is developing a new database system called “Helen”. The tester at Adaface developed the following testcase for regression testing: 1. Open Helen 2. Open “Students” database 3. Enter data for “Sid” 4. Set checkpoint 5. Store “Sid” data in “Students” 6. Restart Helen 7. Read “Sid” data from “Students” 8. Compare checkpoint with the contents When the tester ran the testcase the first time, it worked as expected. Pick the correct statements: A: When the test case is ran the second time, the data entry for “Sid” already exists in the database. B: When the test case is ran the second time, it performs exactly as it did the first time C: The testcase is a good example for regression testing “Helen” D: The testcase is not a good example for regression testing “Helen” since the system behaves differently when the testcase is ran the second time
	Medium Decision Table	3 mins Testing	Solve
Check the following decision table: What are the expected actions for following testcases? I: Joey's age is 22. He is a smoker residing in India II: Jennifer's age is 62. She is a non-smoker not residing in India A) I - Insure, 10% discount. II - Insure, no discount B) I - Don't insure. II - Don't insure C) I - Insure, no discount. II - Don't insure D) I - Insure, no discount. II - Insure, 10% discount
	Easy Cart Checkout Incident Report	2 mins Testing	Solve
Review the following incident report written QA team of LWB, Little White Book (an e-commerce app): 1. Place any items in the cart (Say “Nike FST Men”). 2. Place any other (different) item in the shopping cart (Say “Nike Air Max”). 3. Remove “Nike FST Men” from the shopping cart, but leave “Nike Air Max” in the cart. 4. Click on “Check out” button. 5. Expect the app to display the check out screen, instead ‘No items in the shopping cart. Click continue to go back to shopping.’ error message is shown as a popup. 6. Click “Continue”. 7. Expect the app to go to shopping screen to add/remove items from the cart. Instead the app crashes. 8. The error in steps 5 and 7 occurred in every attempt of 5 attempts (1 2 3 4 and 6). Which of the following information is missing from the incident report?
	Medium Cookie Security Analysis Web Application Security HTTP Cookies Cross-Domain Communication	2 mins Cyber Security	Solve
You are a cybersecurity officer and a new third-party payment gateway is integrated into your company's e-commerce website. The payment gateway API is hosted on a different domain (pay-gateway.com) than your e-commerce site (my-ecommerce.com). You receive some reports that users are unable to complete their transactions intermittently. You obtain the following set of HTTP cookies from an affected user: 1. user_session=1; Domain=my-ecommerce.com; Path=/; Secure; HttpOnly 2. payment_session=xyz123; Domain=pay-gateway.com; Path=/; Secure; HttpOnly 3. cart_id=abcd1234; Domain=my-ecommerce.com; Path=/; Secure 4. csrf_token=efgh5678; Domain=my-ecommerce.com; Path=/; Secure 5. currency=USD; Domain=my-ecommerce.com; Path=/; 6. same_site_test=1; Domain=my-ecommerce.com; Path=/; Secure; SameSite=None 7. payment_verification=; Domain=my-ecommerce.com; Path=/; Secure; HttpOnly Which of the following configuration modifications would likely solve the intermittent transaction failure issue? A: Set SameSite=Strict attribute on all cookies. B: Set "SameSite=None; Secure" attribute on the payment_session cookie. C: Change the Domain attribute of payment_session cookie to my-ecommerce.com. D: Set HttpOnly attribute on cart_id and csrf_token cookies. E: Remove Secure attribute from user_session cookie.
	Medium Security Incident Log Analysis Security Pattern Recognition	2 mins Cyber Security	Solve
You are the security analyst for a company and are currently investigating a security incident. You found the following log entries in your HTTP server logs, which appear to be linked to the incident: 1. 192.0.2.4 - - [24/May/2023:13:15:30 +0000] "GET /wp-login.php HTTP/1.1" 200 167 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" 2. 192.0.2.4 - - [24/May/2023:13:15:31 +0000] "POST /wp-login.php HTTP/1.1" 302 152 "http://www.example.com/wp-login.php" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" 3. 192.0.2.4 - - [24/May/2023:13:15:32 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 125 "http://www.example.com/wp-admin/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" Based on this information, which of the following statements are correct? A: The attacker was unable to compromise the Wordpress login page but was successful in accessing the installation page. B: The attacker attempted to login to a Wordpress site and, despite the login failing, was able to access the Wordpress installation page. C: The attacker was attempting a dictionary attack on the Wordpress site and accessed the Wordpress installation page. D: The logs indicate that the attacker was able to compromise the Wordpress login and directly access the installation page. E: The attacker attempted to login to a Wordpress site, succeeded, and then tried to access the Wordpress installation page.
	Medium Network Traffic Anomaly Network Traffic Analysis Network Protocols Dns Traffic Analysis Network Anomaly Detection	2 mins Cyber Security	Solve
You are a cybersecurity engineer working on a network traffic analysis case. You have been given the following set of observations from network logs of the past 24 hours: - Observation 1: 1,000,000 DNS requests were recorded, 50% more than the usual daily traffic. - Observation 2: 85% of these DNS requests have the same subdomain but different domain names. - Observation 3: For each of these DNS requests, an HTTP POST request follows immediately. - Observation 4: No other significant anomalies were detected in the system logs. Given these observations, what would you suspect is happening? A: The network is experiencing a DNS amplification attack B: There is a misconfiguration in the DNS settings C: The system is the source of a SYN flood attack D: A fast-flux DNS network is in operation E: The system is infected with a DNS tunneling based malware
	Medium SQL Log Analysis SQL Injection Log Analysis Sql Injection Pattern Recognition	2 mins Cyber Security	Solve
You are investigating a possible SQL injection attack on your company's web application. You found the following entries in the HTTP server logs: Note that each log line contains the following information: IP Address - Timestamp - Request URI - Request Status - Response Size Based on the log entries, which of the following statements are correct? A: The attacker logged in successfully but failed to execute the SQL injection. B: The attacker failed in the SQL injection attack. C: The attacker failed to login but successfully accessed the admin page. D: The attacker performed a successful SQL injection attack that dumped all product information. E: The attacker was unsuccessful in both the SQL injection attack and the login attempt.
	Medium Misappropriation Post-Migration DNS Management Infrastructure Migration Subdomain Hijacking	3 mins Cyber Security	Solve
A software company decided to move some of their web services from one cloud provider (Vendor A) to another (Vendor B) for better cost optimization. Initially, their main web application "webapp.company.com" was hosted at IP 192.0.2.1 on Vendor A's infrastructure. As part of this transition, it was moved to IP 203.0.113.1 on Vendor B's setup. Subsequently, a secondary web service previously hosted on "serviceA.company.com" at IP 192.0.2.2 (Vendor A), was migrated and re-hosted at "serviceB.company.com" at IP 203.0.113.2 (Vendor B). A month post-migration, the SEO team reported an unexpected spike in organic traffic to the "company.com" domain. Upon investigating, the IT team noticed unusual activity related to "serviceA.company.com" in the server access logs, including successful HTTP 200 responses from several requests. A suspicious HTTPS GET request, `GET /explicit-content.html HTTP/1.1`, was also recorded. Running `dig +short serviceA.company.com` returned IP address 198.51.100.1. Cross-checking this information with the company's DNS records revealed: Based on the details provided, identify the probable cause for the unexpected increase in organic traffic: A: The company failed to delete the DNS "A" record for "serviceB.company.com" before migration on vendor A. B: The company failed to delete the DNS "A" record for "serviceA.company.com" after migration. C: The company did not configure DNS record for webapp.company.com properly on Vendor B's platform. D: The DNS configuration for serviceB.company.com is incorrect post migration
	Medium Mac address and IP on router hop Routers Switches Mac Address Resolution Packet Forwarding	2 mins Computer Networks	Solve
Refer to the following exhibit: Host A is sending a packet to Host B. 1. What is the source and destination MAC address at point PA? 2. What is the source and destination IP address at point PB? // Option A PA: source MAC - Mac-A PA: destination MAC - Mac-B PB: source IP - 192.168.1.1 PB: destination IP - 192.168.3.1 // Option B PA: source MAC - Mac-A PA: destination MAC - Mac-RA PB: source IP - 192.168.3.3 PB: destination IP - 192.168.3.1 // Option C PA: source MAC - Mac-A PA: destination MAC - Mac-B PB: source IP - 192.168.3.3 PB: destination IP - 192.168.3.1 // Option D PA: source MAC - Mac-A PA: destination MAC - Mac-RA PB: source IP - 192.168.1.1 PB: destination IP - 192.168.3.1
	Easy MX Record, DMARC and Email Authentication DNS MX Records DMARC SPF DKIM	2 mins Computer Networks	Solve
You work as a network administrator for a company, "example.com", that recently started experiencing issues with email spoofing. To mitigate the problem, you decide to implement DMARC (Domain-based Message Authentication, Reporting & Conformance) in addition to existing SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records. Your current DNS records for example.com include the following: - MX 10 mail.example.com (IP address 203.0.113.10) - TXT "v=spf1 ip4:203.0.113.10 -all" - TXT "v=DKIM1; k=rsa; p=public-key-here" You add the following DMARC record: - TXT "_dmarc.example.com" "v=DMARC1; p=quarantine; pct=100; rua=mailto:report@example.com" After implementing the DMARC record, an external mail server sends an email to your domain. The email passes the SPF and DKIM checks but fails the DMARC check. What will likely happen to the email? A: The email will be accepted and delivered to the recipient's inbox. B: The email will be rejected and returned to the sender as undeliverable. C: The email might be delivered to the recipient's spam or junk folder. D: The email will be accepted, but a report will be sent to the sender. E: The email will be silently discarded, and the sender will not be notified.
	Medium Remote network resources Gateway Routing protocols Ospf Routing Network Connectivity	3 mins Computer Networks	Solve
Review the following exhibit: Angelina noticed that the computers on 192.168.10.0/24 network can ping their default gateway. But they found that these computers cannot connect to any remote network resources. Which of the following is the most likely reason for this?
	Medium SSL Certificate Expiry SSL/TLS Network Security Ssl/tls	2 mins Computer Networks	Solve
You are a network administrator for an e-commerce company. The company's online store allows customers to browse products and make purchases securely over the internet. The online store uses SSL/TLS for secure communication. You receive reports that some customers are seeing a security warning in their web browsers when trying to access the online store. Upon investigation, you discover the following information: - The SSL certificate used by the online store's web server is valid for one year and is due to expire in two days. - The web server is configured to automatically redirect HTTP traffic to HTTPS. - The SSL certificate was issued by a trusted certificate authority (CA), and all major web browsers have the CA's root certificate in their trusted certificate stores. - The SSL certificate includes the correct domain name for the online store. Given the above information, which of the following steps should be taken to resolve the issue and prevent customers from seeing the security warning? A: Extend the validity of the current SSL certificate by one year. B: Obtain a new SSL certificate from the same CA and install it on the web server before the current certificate expires. C: Remove the automatic redirect from HTTP to HTTPS on the web server. D: Ask customers to ignore the security warning and proceed to the online store. E: Replace the SSL certificate with a self-signed certificate.

	🧐 Question	🔧 Skill	💪 Difficulty	⌛ Time
	Database testcase Regression Testing Regression Testing In Specific Contexts Test Case Analysis	Testing	Medium	2 mins	Solve
Adaface is developing a new database system called “Helen”. The tester at Adaface developed the following testcase for regression testing: 1. Open Helen 2. Open “Students” database 3. Enter data for “Sid” 4. Set checkpoint 5. Store “Sid” data in “Students” 6. Restart Helen 7. Read “Sid” data from “Students” 8. Compare checkpoint with the contents When the tester ran the testcase the first time, it worked as expected. Pick the correct statements: A: When the test case is ran the second time, the data entry for “Sid” already exists in the database. B: When the test case is ran the second time, it performs exactly as it did the first time C: The testcase is a good example for regression testing “Helen” D: The testcase is not a good example for regression testing “Helen” since the system behaves differently when the testcase is ran the second time
	Decision Table	Testing	Medium	3 mins	Solve
Check the following decision table: What are the expected actions for following testcases? I: Joey's age is 22. He is a smoker residing in India II: Jennifer's age is 62. She is a non-smoker not residing in India A) I - Insure, 10% discount. II - Insure, no discount B) I - Don't insure. II - Don't insure C) I - Insure, no discount. II - Don't insure D) I - Insure, no discount. II - Insure, 10% discount
	Cart Checkout Incident Report	Testing	Easy	2 mins	Solve
Review the following incident report written QA team of LWB, Little White Book (an e-commerce app): 1. Place any items in the cart (Say “Nike FST Men”). 2. Place any other (different) item in the shopping cart (Say “Nike Air Max”). 3. Remove “Nike FST Men” from the shopping cart, but leave “Nike Air Max” in the cart. 4. Click on “Check out” button. 5. Expect the app to display the check out screen, instead ‘No items in the shopping cart. Click continue to go back to shopping.’ error message is shown as a popup. 6. Click “Continue”. 7. Expect the app to go to shopping screen to add/remove items from the cart. Instead the app crashes. 8. The error in steps 5 and 7 occurred in every attempt of 5 attempts (1 2 3 4 and 6). Which of the following information is missing from the incident report?
	Cookie Security Analysis Web Application Security HTTP Cookies Cross-Domain Communication	Cyber Security	Medium	2 mins	Solve
You are a cybersecurity officer and a new third-party payment gateway is integrated into your company's e-commerce website. The payment gateway API is hosted on a different domain (pay-gateway.com) than your e-commerce site (my-ecommerce.com). You receive some reports that users are unable to complete their transactions intermittently. You obtain the following set of HTTP cookies from an affected user: 1. user_session=1; Domain=my-ecommerce.com; Path=/; Secure; HttpOnly 2. payment_session=xyz123; Domain=pay-gateway.com; Path=/; Secure; HttpOnly 3. cart_id=abcd1234; Domain=my-ecommerce.com; Path=/; Secure 4. csrf_token=efgh5678; Domain=my-ecommerce.com; Path=/; Secure 5. currency=USD; Domain=my-ecommerce.com; Path=/; 6. same_site_test=1; Domain=my-ecommerce.com; Path=/; Secure; SameSite=None 7. payment_verification=; Domain=my-ecommerce.com; Path=/; Secure; HttpOnly Which of the following configuration modifications would likely solve the intermittent transaction failure issue? A: Set SameSite=Strict attribute on all cookies. B: Set "SameSite=None; Secure" attribute on the payment_session cookie. C: Change the Domain attribute of payment_session cookie to my-ecommerce.com. D: Set HttpOnly attribute on cart_id and csrf_token cookies. E: Remove Secure attribute from user_session cookie.
	Security Incident Log Analysis Security Pattern Recognition	Cyber Security	Medium	2 mins	Solve
You are the security analyst for a company and are currently investigating a security incident. You found the following log entries in your HTTP server logs, which appear to be linked to the incident: 1. 192.0.2.4 - - [24/May/2023:13:15:30 +0000] "GET /wp-login.php HTTP/1.1" 200 167 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" 2. 192.0.2.4 - - [24/May/2023:13:15:31 +0000] "POST /wp-login.php HTTP/1.1" 302 152 "http://www.example.com/wp-login.php" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" 3. 192.0.2.4 - - [24/May/2023:13:15:32 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 125 "http://www.example.com/wp-admin/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" Based on this information, which of the following statements are correct? A: The attacker was unable to compromise the Wordpress login page but was successful in accessing the installation page. B: The attacker attempted to login to a Wordpress site and, despite the login failing, was able to access the Wordpress installation page. C: The attacker was attempting a dictionary attack on the Wordpress site and accessed the Wordpress installation page. D: The logs indicate that the attacker was able to compromise the Wordpress login and directly access the installation page. E: The attacker attempted to login to a Wordpress site, succeeded, and then tried to access the Wordpress installation page.
	Network Traffic Anomaly Network Traffic Analysis Network Protocols Dns Traffic Analysis Network Anomaly Detection	Cyber Security	Medium	2 mins	Solve
You are a cybersecurity engineer working on a network traffic analysis case. You have been given the following set of observations from network logs of the past 24 hours: - Observation 1: 1,000,000 DNS requests were recorded, 50% more than the usual daily traffic. - Observation 2: 85% of these DNS requests have the same subdomain but different domain names. - Observation 3: For each of these DNS requests, an HTTP POST request follows immediately. - Observation 4: No other significant anomalies were detected in the system logs. Given these observations, what would you suspect is happening? A: The network is experiencing a DNS amplification attack B: There is a misconfiguration in the DNS settings C: The system is the source of a SYN flood attack D: A fast-flux DNS network is in operation E: The system is infected with a DNS tunneling based malware
	SQL Log Analysis SQL Injection Log Analysis Sql Injection Pattern Recognition	Cyber Security	Medium	2 mins	Solve
You are investigating a possible SQL injection attack on your company's web application. You found the following entries in the HTTP server logs: Note that each log line contains the following information: IP Address - Timestamp - Request URI - Request Status - Response Size Based on the log entries, which of the following statements are correct? A: The attacker logged in successfully but failed to execute the SQL injection. B: The attacker failed in the SQL injection attack. C: The attacker failed to login but successfully accessed the admin page. D: The attacker performed a successful SQL injection attack that dumped all product information. E: The attacker was unsuccessful in both the SQL injection attack and the login attempt.
	Misappropriation Post-Migration DNS Management Infrastructure Migration Subdomain Hijacking	Cyber Security	Medium	3 mins	Solve
A software company decided to move some of their web services from one cloud provider (Vendor A) to another (Vendor B) for better cost optimization. Initially, their main web application "webapp.company.com" was hosted at IP 192.0.2.1 on Vendor A's infrastructure. As part of this transition, it was moved to IP 203.0.113.1 on Vendor B's setup. Subsequently, a secondary web service previously hosted on "serviceA.company.com" at IP 192.0.2.2 (Vendor A), was migrated and re-hosted at "serviceB.company.com" at IP 203.0.113.2 (Vendor B). A month post-migration, the SEO team reported an unexpected spike in organic traffic to the "company.com" domain. Upon investigating, the IT team noticed unusual activity related to "serviceA.company.com" in the server access logs, including successful HTTP 200 responses from several requests. A suspicious HTTPS GET request, `GET /explicit-content.html HTTP/1.1`, was also recorded. Running `dig +short serviceA.company.com` returned IP address 198.51.100.1. Cross-checking this information with the company's DNS records revealed: Based on the details provided, identify the probable cause for the unexpected increase in organic traffic: A: The company failed to delete the DNS "A" record for "serviceB.company.com" before migration on vendor A. B: The company failed to delete the DNS "A" record for "serviceA.company.com" after migration. C: The company did not configure DNS record for webapp.company.com properly on Vendor B's platform. D: The DNS configuration for serviceB.company.com is incorrect post migration
	Mac address and IP on router hop Routers Switches Mac Address Resolution Packet Forwarding	Computer Networks	Medium	2 mins	Solve
Refer to the following exhibit: Host A is sending a packet to Host B. 1. What is the source and destination MAC address at point PA? 2. What is the source and destination IP address at point PB? // Option A PA: source MAC - Mac-A PA: destination MAC - Mac-B PB: source IP - 192.168.1.1 PB: destination IP - 192.168.3.1 // Option B PA: source MAC - Mac-A PA: destination MAC - Mac-RA PB: source IP - 192.168.3.3 PB: destination IP - 192.168.3.1 // Option C PA: source MAC - Mac-A PA: destination MAC - Mac-B PB: source IP - 192.168.3.3 PB: destination IP - 192.168.3.1 // Option D PA: source MAC - Mac-A PA: destination MAC - Mac-RA PB: source IP - 192.168.1.1 PB: destination IP - 192.168.3.1
	MX Record, DMARC and Email Authentication DNS MX Records DMARC SPF DKIM	Computer Networks	Easy	2 mins	Solve
You work as a network administrator for a company, "example.com", that recently started experiencing issues with email spoofing. To mitigate the problem, you decide to implement DMARC (Domain-based Message Authentication, Reporting & Conformance) in addition to existing SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records. Your current DNS records for example.com include the following: - MX 10 mail.example.com (IP address 203.0.113.10) - TXT "v=spf1 ip4:203.0.113.10 -all" - TXT "v=DKIM1; k=rsa; p=public-key-here" You add the following DMARC record: - TXT "_dmarc.example.com" "v=DMARC1; p=quarantine; pct=100; rua=mailto:report@example.com" After implementing the DMARC record, an external mail server sends an email to your domain. The email passes the SPF and DKIM checks but fails the DMARC check. What will likely happen to the email? A: The email will be accepted and delivered to the recipient's inbox. B: The email will be rejected and returned to the sender as undeliverable. C: The email might be delivered to the recipient's spam or junk folder. D: The email will be accepted, but a report will be sent to the sender. E: The email will be silently discarded, and the sender will not be notified.
	Remote network resources Gateway Routing protocols Ospf Routing Network Connectivity	Computer Networks	Medium	3 mins	Solve
Review the following exhibit: Angelina noticed that the computers on 192.168.10.0/24 network can ping their default gateway. But they found that these computers cannot connect to any remote network resources. Which of the following is the most likely reason for this?
	SSL Certificate Expiry SSL/TLS Network Security Ssl/tls	Computer Networks	Medium	2 mins	Solve
You are a network administrator for an e-commerce company. The company's online store allows customers to browse products and make purchases securely over the internet. The online store uses SSL/TLS for secure communication. You receive reports that some customers are seeing a security warning in their web browsers when trying to access the online store. Upon investigation, you discover the following information: - The SSL certificate used by the online store's web server is valid for one year and is due to expire in two days. - The web server is configured to automatically redirect HTTP traffic to HTTPS. - The SSL certificate was issued by a trusted certificate authority (CA), and all major web browsers have the CA's root certificate in their trusted certificate stores. - The SSL certificate includes the correct domain name for the online store. Given the above information, which of the following steps should be taken to resolve the issue and prevent customers from seeing the security warning? A: Extend the validity of the current SSL certificate by one year. B: Obtain a new SSL certificate from the same CA and install it on the web server before the current certificate expires. C: Remove the automatic redirect from HTTP to HTTPS on the web server. D: Ask customers to ignore the security warning and proceed to the online store. E: Replace the SSL certificate with a self-signed certificate.

Get started for free

Preview questions

With Adaface, we were able to optimise our initial screening process by upwards of 75%, freeing up precious time for both hiring managers and our talent acquisition team alike!

Brandon Lee, Head of People, Love, Bonito

It's very easy to share assessments with candidates and for candidates to use. We get good feedback from candidates about completing the tests. Adaface are very responsive and friendly to deal with.

Kirsty Wood, Human Resources, WillyWeather

We were able to close 106 positions in a record time of 45 days! Adaface enables us to conduct aptitude and psychometric assessments seamlessly. My hiring managers have never been happier with the quality of candidates shortlisted.

Amit Kataria, CHRO, Hanu

We evaluated several of their competitors and found Adaface to be the most compelling. Great library of questions that are designed to test for fit rather than memorization of algorithms.

Swayam Narain, CTO, Affable

Why you should use Pre-employment OWASP Online Test?

The OWASP Online Test makes use of scenario-based questions to test for on-the-job skills as opposed to theoretical knowledge, ensuring that candidates who do well on this screening test have the relavant skills. The questions are designed to covered following on-the-job aspects:

Testing for injection vulnerabilities in web applications
Understanding and implementing secure authentication mechanisms
Identifying and resolving issues related to sensitive data exposure
Detecting and mitigating XML external entity (XXE) attacks
Designing and implementing strong access control measures
Addressing common security misconfigurations to ensure application security
Preventing cross-site scripting (XSS) attacks on web applications
Handling secure deserialization of data to prevent exploitation
Identifying and addressing vulnerabilities arising from using components with known security flaws
Implementing sufficient logging and monitoring for effective incident response

Once the test is sent to a candidate, the candidate receives a link in email to take the test. For each candidate, you will receive a detailed report with skills breakdown and benchmarks to shortlist the top candidates from your pool.

What topics are covered in the OWASP Online Test?

Injection: Injection refers to a vulnerability where untrusted data is incorporated into a command or query, allowing an attacker to manipulate the execution of the program. This skill should be measured in the test to evaluate the ability of candidates in preventing and detecting injection attacks, which can lead to unauthorized access, data breaches, and system compromises.

Broken Authentication: Broken Authentication refers to vulnerabilities that arise from poor implementation of authentication and session management mechanisms. It can result in unauthorized access, identity theft, and exposure of sensitive user information. Measuring this skill in the test helps assess the candidates' understanding of secure authentication practices and their ability to identify and address authentication flaws.

Sensitive Data Exposure: Sensitive Data Exposure refers to instances where sensitive information, such as passwords or credit card details, is exposed due to poorly implemented security controls. This skill is measured in the test to assess the candidates' knowledge of secure data handling practices and their ability to identify and mitigate vulnerabilities that could lead to data breaches and privacy violations.

XML External Entities (XXE): XML External Entities (XXE) is a vulnerability that occurs when an XML parser is insecurely configured and allows external entities to be defined and processed. This can be exploited to read sensitive files, perform server-side requests, or launch denial-of-service attacks. Measuring this skill in the test helps evaluate candidates' understanding of secure XML processing and their ability to detect and prevent XXE vulnerabilities.

Broken Access Control: Broken Access Control refers to weaknesses in access control mechanisms that allow unauthorized users to gain elevated privileges or access sensitive resources. Measuring this skill in the test helps assess candidates' understanding of access control principles and their ability to identify and mitigate access control vulnerabilities to prevent unauthorized actions and data exposure.

Security Misconfiguration: Security Misconfiguration refers to insecure configuration settings and defaults that can leave systems and applications vulnerable to attacks. This skill is measured in the test to evaluate candidates' knowledge of secure configuration practices and their ability to identify and rectify misconfigurations that could lead to security breaches and unauthorized access.

Cross-Site Scripting (XSS): Cross-Site Scripting (XSS) refers to a vulnerability that occurs when malicious scripts are injected into web pages viewed by other users. This can lead to theft of sensitive information, session hijacking, and defacement of websites. Measuring this skill in the test helps assess candidates' understanding of XSS vulnerabilities, their ability to identify and mitigate XSS attacks, and their knowledge of secure coding practices.

Insecure Deserialization: Insecure Deserialization refers to vulnerabilities that arise when untrusted data is deserialized without proper validation and sanitization. Exploiting this vulnerability can result in remote code execution, tampering with object state, or denial-of-service attacks. Measuring this skill in the test helps evaluate candidates' understanding of secure deserialization practices and their ability to detect and prevent insecure deserialization vulnerabilities.

Using Components with Known Vulnerabilities: Using Components with Known Vulnerabilities refers to the use of outdated or vulnerable third-party libraries, frameworks, or plugins that can introduce security weaknesses into an application. Measuring this skill in the test helps assess candidates' awareness of the risks associated with using such components and their ability to identify and mitigate vulnerabilities arising from using components with known vulnerabilities.

Insufficient Logging and Monitoring: Insufficient Logging and Monitoring refers to the absence or inadequacy of logging and monitoring mechanisms, which can impede timely detection and response to security incidents. Measuring this skill in the test helps evaluate candidates' understanding of the importance of effective logging and monitoring, and their ability to assess and implement appropriate logging and monitoring measures to detect and respond to security events.

Full list of covered topics

The actual topics of the questions in the final test will depend on your job description and requirements. However, here's a list of topics you can expect the questions for OWASP Online Test to be based on.

Injection

SQL Injection

Cross-Site Scripting (XSS)

Cross-Site Request Forgery (CSRF)

Server-side Request Forgery (SSRF)

XML External Entities (XXE)

Broken Authentication

Password Hashing

Multi-factor Authentication (MFA)

Session Management

Sensitive Data Exposure

Encryption

Data Masking

Access Control

Role-Based Access Control (RBAC)

Privilege Escalation

Security Misconfiguration

Secure Configuration

Error Handling

Secure Coding Standards

Content Security Policy (CSP)

Content Delivery Networks (CDN)

Cross-Origin Resource Sharing (CORS)

Insecure Direct Object References (IDOR)

Server-Side Validation

Client-Side Validation

JSON Web Tokens (JWT)

Secure File Upload

Host Header Injection

Clickjacking

Secure Cookies

HTTP Security Headers

Content Spoofing

Insecure Deserialization

Using Components with Known Vulnerabilities

Open Web Application Security Project (OWASP)

OWASP Top 10

OWASP Testing Guide

OWASP ZAP (Zed Attack Proxy)

Web Application Firewalls (WAF)

Secure Software Development Life Cycle (SDLC)

Threat Modeling

Secure Code Review

Penetration Testing

Security Incident Response

Vulnerability Scanning

Log Analysis

Security Information and Event Management (SIEM)

Network Traffic Monitoring

Intrusion Detection System (IDS)

Intrusion Prevention System (IPS)

Security Awareness Training

Secure Development Frameworks

Secure Third-Party Libraries

What roles can I use the OWASP Online Test for?

Security Analyst
Penetration Tester
System Administrator
Network Engineer
IT Auditor
Security Consultant
IT Manager
Risk Manager

How is the OWASP Online Test customized for senior candidates?

For intermediate/ experienced candidates, we customize the assessment questions to include advanced topics and increase the difficulty level of the questions. This might include adding questions on topics like

Performing comprehensive security testing on web applications
Analyzing and securing network infrastructure to prevent cyber attacks
Understanding and implementing secure protocols and encryption algorithms
Configuring and maintaining firewalls and intrusion detection systems
Monitoring and mitigating threats to computer networks
Implementing secure wireless network protocols and access controls
Troubleshooting network connectivity and performance issues
Understanding and addressing vulnerabilities in network protocols
Securing cloud infrastructure and services from potential risks
Designing and implementing disaster recovery plans for network infrastructure

Preview this test

View sample scorecard

Try the most advanced candidate assessment platform

ChatGPT Protection

Non-googleable Questions

Web Proctoring

IP Proctoring

Webcam Proctoring

MCQ Questions

Coding Questions

Typing Questions

Personality Questions

Custom Questions

Ready-to-use Tests

Custom Tests

Custom Branding

Bulk Invites

Public Links

ATS Integrations

Multiple Question Sets

Custom API integrations

Role-based Access

Priority Support

GDPR Compliance

Screen candidates in 3 easy steps

Pick a test from over 500+ tests

The Adaface test library features 500+ tests to enable you to test candidates on all popular skills- everything from programming languages, software frameworks, devops, logical reasoning, abstract reasoning, critical thinking, fluid intelligence, content marketing, talent acquisition, customer service, accounting, product management, sales and more.

Invite your candidates with 2-clicks

Make informed hiring decisions

Get started for free

Preview questions

Have questions about the OWASP Hiring Test?

What is OWASP Online Test?

The OWASP Online Test assesses candidates on various security vulnerabilities and best practices for web applications. It is used by recruiters to evaluate candidates' knowledge in key OWASP security areas, ensuring they are adept at identifying and mitigating cyber threats.

Can I combine OWASP Online Test with Cyber Security questions?

Yes, recruiters can request a custom test that includes both OWASP and Cyber Security questions. For more details, you can check our Cyber Security Assessment Test.

What topics are evaluated in the OWASP Online Test?

The OWASP Online Test covers Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities (XXE), Broken Access Control, Security Misconfiguration, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities, and Insufficient Logging and Monitoring.

How to use OWASP Online Test in my hiring process?

Use the OWASP Online Test as a pre-screening tool early in your recruitment process. Add a link to the assessment in your job post or invite candidates via email.

Can I test OWASP and Ethical Hacking together in a test?

Yes, you can combine OWASP and Ethical Hacking in a single test. This is recommended for a comprehensive security assessment. Check our Ethical Hacking Test.

What are the main security tests?

Here are some important security tests:

Can I combine multiple skills into one custom assessment?

Yes, absolutely. Custom assessments are set up based on your job description, and will include questions on all must-have skills you specify. Here's a quick guide on how you can request a custom test.

Do you have any anti-cheating or proctoring features in place?

We have the following anti-cheating features in place:

Non-googleable questions
IP proctoring
Screen proctoring
Web proctoring
Webcam proctoring
Plagiarism detection
Secure browser
Copy paste protection

Read more about the proctoring features.

How do I interpret test scores?

The primary thing to keep in mind is that an assessment is an elimination tool, not a selection tool. A skills assessment is optimized to help you eliminate candidates who are not technically qualified for the role, it is not optimized to help you find the best candidate for the role. So the ideal way to use an assessment is to decide a threshold score (typically 55%, we help you benchmark) and invite all candidates who score above the threshold for the next rounds of interview.

What experience level can I use this test for?

Each Adaface assessment is customized to your job description/ ideal candidate persona (our subject matter experts will pick the right questions for your assessment from our library of 10000+ questions). This assessment can be customized for any experience level.

Does every candidate get the same questions?

Yes, it makes it much easier for you to compare candidates. Options for MCQ questions and the order of questions are randomized. We have anti-cheating/ proctoring features in place. In our enterprise plan, we also have the option to create multiple versions of the same assessment with questions of similar difficulty levels.

I'm a candidate. Can I try a practice test?

No. Unfortunately, we do not support practice tests at the moment. However, you can use our sample questions for practice.

What is the cost of using this test?

You can check out our pricing plans.

Can I get a free trial?

Yes, you can sign up for free and preview this test.

I just moved to a paid plan. How can I request a custom assessment?

Here is a quick guide on how to request a custom assessment on Adaface.

View sample scorecard

Along with scorecards that report the performance of the candidate in detail, you also receive a comparative analysis against the company average and industry standards.

View sample scorecard