Why you should use OWASP Online Test?

The Teste online OWASP makes use of scenario-based questions to test for on-the-job skills as opposed to theoretical knowledge, ensuring that candidates who do well on this screening test have the relavant skills. The questions are designed to covered following on-the-job aspects: Teste de vulnerabilidades de injeção em aplicativos da Web Entendendo e implementando mecanismos de autenticação seguros Identificando e resolvendo problemas relacionados à exposição aos dados sensíveis Detectar e atenuar ataques de entidade externa XML (XXE) Projetando e implementando fortes medidas de controle de acesso Abordando a segurança comum de segurança para garantir a segurança do aplicativo Prevenção de ataques de scripts entre sites (XSS) em aplicativos da web Lidar com a deseralização segura dos dados para evitar a exploração Identificando e abordando vulnerabilidades decorrentes do uso de componentes com falhas de segurança conhecidas Implementando registro e monitoramento suficientes para obter uma resposta eficaz de incidentes

OWASP Online Test

Q: What topics are covered in the OWASP Online Test?

Injeção Autenticação quebrada Exposição de dados sensíveis Entidades externas XML (XXE) Controle de acesso quebrado Segurança equivocada Scripts de sites cruzados (XSS) Deserialização insegura Usando componentes com vulnerabilidades conhecidas Montagem e monitoramento insuficientes

About the test:

O teste on -line OWASP avalia a compreensão de um candidato das 10 principais vulnerabilidades e riscos na segurança dos aplicativos da Web. Ele abrange tópicos como injeção, autenticação quebrada, exposição aos dados sensíveis e muito mais. O teste avalia o conhecimento por meio de perguntas de múltipla escolha, oferecendo informações sobre a capacidade de um candidato de identificar e mitigar essas vulnerabilidades de segurança.

Covered skills:

Injeção
Exposição de dados sensíveis
Controle de acesso quebrado
Scripts de sites cruzados (XSS)
Usando componentes com vulnerabilidades conhecidas

Autenticação quebrada
Entidades externas XML (XXE)
Segurança equivocada
Deserialização insegura
Montagem e monitoramento insuficientes

Preview this test

Ver Scorecard de amostra

9 reasons why

Adaface OWASP Test is the most accurate way to shortlist Analista de seguranças

Reason #1

Tests for on-the-job skills

The OWASP Online Test helps recruiters and hiring managers identify qualified candidates from a pool of resumes, and helps in taking objective hiring decisions. It reduces the administrative overhead of interviewing too many candidates and saves time by filtering out unqualified candidates at the first step of the hiring process.

The test screens for the following skills that hiring managers look for in candidates:

Capaz de identificar e explorar efetivamente as vulnerabilidades de injeção
Conhecedor de práticas recomendadas para autenticação e prevenção de autenticação quebrada
Compreensão do manuseio seguro e proteção de dados sensíveis
Familiaridade com entidades externas XML (XXE) e como evitar ataques
Proficiente na implementação e manutenção de controles de acesso seguro
Capacidade de identificar e lidar com as equívocas de segurança
Conhecedável na prevenção e mitigação de ataques de scripts entre sites (XSS)
Entendimento de desserialização segura e prevenção de deserialização insegura
Consciência dos componentes com vulnerabilidades conhecidas e como lidar com eles
Compreensão da importância de extração e monitoramento suficientes e eficazes

Reason #2

No trick questions

Traditional assessment tools use trick questions and puzzles for the screening, which creates a lot of frustration among candidates about having to go through irrelevant screening assessments.

View sample questions

The main reason we started Adaface is that traditional pre-employment assessment platforms are not a fair way for companies to evaluate candidates. At Adaface, our mission is to help companies find great candidates by assessing on-the-job skills required for a role.

Why we started Adaface

Preview this test

Ver Scorecard de amostra

Reason #3

Non-googleable questions

We have a very high focus on the quality of questions that test for on-the-job skills. Every question is non-googleable and we have a very high bar for the level of subject matter experts we onboard to create these questions. We have crawlers to check if any of the questions are leaked online. If/ when a question gets leaked, we get an alert. We change the question for you & let you know.

How we design questions

Estes são apenas uma pequena amostra da nossa biblioteca de mais de 10.000 perguntas. As perguntas reais sobre isso Teste online OWASP será não-googleable.

🧐 Question
Medium Database testcase Regression Testing	Solve
Adaface is developing a new database system called “Helen”. The tester at Adaface developed the following testcase for regression testing: 1. Open Helen 2. Open “Students” database 3. Enter data for “Sid” 4. Set checkpoint 5. Store “Sid” data in “Students” 6. Restart Helen 7. Read “Sid” data from “Students” 8. Compare checkpoint with the contents When the tester ran the testcase the first time, it worked as expected. Pick the correct statements: A: When the test case is ran the second time, the data entry for “Sid” already exists in the database. B: When the test case is ran the second time, it performs exactly as it did the first time C: The testcase is a good example for regression testing “Helen” D: The testcase is not a good example for regression testing “Helen” since the system behaves differently when the testcase is ran the second time
Medium Decision Table	Solve
Check the following decision table: What are the expected actions for following testcases? I: Joey's age is 22. He is a smoker residing in India II: Jennifer's age is 62. She is a non-smoker not residing in India A) I - Insure, 10% discount. II - Insure, no discount B) I - Don't insure. II - Don't insure C) I - Insure, no discount. II - Don't insure D) I - Insure, no discount. II - Insure, 10% discount
Easy Cart Checkout Incident Report	Solve
Review the following incident report written QA team of LWB, Little White Book (an e-commerce app): 1. Place any items in the cart (Say “Nike FST Men”). 2. Place any other (different) item in the shopping cart (Say “Nike Air Max”). 3. Remove “Nike FST Men” from the shopping cart, but leave “Nike Air Max” in the cart. 4. Click on “Check out” button. 5. Expect the app to display the check out screen, instead ‘No items in the shopping cart. Click continue to go back to shopping.’ error message is shown as a popup. 6. Click “Continue”. 7. Expect the app to go to shopping screen to add/remove items from the cart. Instead the app crashes. 8. The error in steps 5 and 7 occurred in every attempt of 5 attempts (1 2 3 4 and 6). Which of the following information is missing from the incident report?
Medium Cookie Security Analysis Web Application Security HTTP Cookies Cross-Domain Communication	Solve
You are a cybersecurity officer and a new third-party payment gateway is integrated into your company's e-commerce website. The payment gateway API is hosted on a different domain (pay-gateway.com) than your e-commerce site (my-ecommerce.com). You receive some reports that users are unable to complete their transactions intermittently. You obtain the following set of HTTP cookies from an affected user: 1. user_session=1; Domain=my-ecommerce.com; Path=/; Secure; HttpOnly 2. payment_session=xyz123; Domain=pay-gateway.com; Path=/; Secure; HttpOnly 3. cart_id=abcd1234; Domain=my-ecommerce.com; Path=/; Secure 4. csrf_token=efgh5678; Domain=my-ecommerce.com; Path=/; Secure 5. currency=USD; Domain=my-ecommerce.com; Path=/; 6. same_site_test=1; Domain=my-ecommerce.com; Path=/; Secure; SameSite=None 7. payment_verification=; Domain=my-ecommerce.com; Path=/; Secure; HttpOnly Which of the following configuration modifications would likely solve the intermittent transaction failure issue? A: Set SameSite=Strict attribute on all cookies. B: Set "SameSite=None; Secure" attribute on the payment_session cookie. C: Change the Domain attribute of payment_session cookie to my-ecommerce.com. D: Set HttpOnly attribute on cart_id and csrf_token cookies. E: Remove Secure attribute from user_session cookie.
Medium Security Incident Log Analysis	Solve
You are the security analyst for a company and are currently investigating a security incident. You found the following log entries in your HTTP server logs, which appear to be linked to the incident: 1. 192.0.2.4 - - [24/May/2023:13:15:30 +0000] "GET /wp-login.php HTTP/1.1" 200 167 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" 2. 192.0.2.4 - - [24/May/2023:13:15:31 +0000] "POST /wp-login.php HTTP/1.1" 302 152 "http://www.example.com/wp-login.php" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" 3. 192.0.2.4 - - [24/May/2023:13:15:32 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 125 "http://www.example.com/wp-admin/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" Based on this information, which of the following statements are correct? A: The attacker was unable to compromise the Wordpress login page but was successful in accessing the installation page. B: The attacker attempted to login to a Wordpress site and, despite the login failing, was able to access the Wordpress installation page. C: The attacker was attempting a dictionary attack on the Wordpress site and accessed the Wordpress installation page. D: The logs indicate that the attacker was able to compromise the Wordpress login and directly access the installation page. E: The attacker attempted to login to a Wordpress site, succeeded, and then tried to access the Wordpress installation page.
Medium Network Traffic Anomaly Network Traffic Analysis Network Protocols	Solve
You are a cybersecurity engineer working on a network traffic analysis case. You have been given the following set of observations from network logs of the past 24 hours: - Observation 1: 1,000,000 DNS requests were recorded, 50% more than the usual daily traffic. - Observation 2: 85% of these DNS requests have the same subdomain but different domain names. - Observation 3: For each of these DNS requests, an HTTP POST request follows immediately. - Observation 4: No other significant anomalies were detected in the system logs. Given these observations, what would you suspect is happening? A: The network is experiencing a DNS amplification attack B: There is a misconfiguration in the DNS settings C: The system is the source of a SYN flood attack D: A fast-flux DNS network is in operation E: The system is infected with a DNS tunneling based malware
Medium SQL Log Analysis SQL Injection Log Analysis	Solve
You are investigating a possible SQL injection attack on your company's web application. You found the following entries in the HTTP server logs: Note that each log line contains the following information: IP Address - Timestamp - Request URI - Request Status - Response Size Based on the log entries, which of the following statements are correct? A: The attacker logged in successfully but failed to execute the SQL injection. B: The attacker failed in the SQL injection attack. C: The attacker failed to login but successfully accessed the admin page. D: The attacker performed a successful SQL injection attack that dumped all product information. E: The attacker was unsuccessful in both the SQL injection attack and the login attempt.
Medium Misappropriation Post-Migration DNS Management Infrastructure Migration Subdomain Hijacking	Solve
A software company decided to move some of their web services from one cloud provider (Vendor A) to another (Vendor B) for better cost optimization. Initially, their main web application "webapp.company.com" was hosted at IP 192.0.2.1 on Vendor A's infrastructure. As part of this transition, it was moved to IP 203.0.113.1 on Vendor B's setup. Subsequently, a secondary web service previously hosted on "serviceA.company.com" at IP 192.0.2.2 (Vendor A), was migrated and re-hosted at "serviceB.company.com" at IP 203.0.113.2 (Vendor B). A month post-migration, the SEO team reported an unexpected spike in organic traffic to the "company.com" domain. Upon investigating, the IT team noticed unusual activity related to "serviceA.company.com" in the server access logs, including successful HTTP 200 responses from several requests. A suspicious HTTPS GET request, `GET /explicit-content.html HTTP/1.1`, was also recorded. Running `dig +short serviceA.company.com` returned IP address 198.51.100.1. Cross-checking this information with the company's DNS records revealed: Based on the details provided, identify the probable cause for the unexpected increase in organic traffic: A: The company failed to delete the DNS "A" record for "serviceB.company.com" before migration on vendor A. B: The company failed to delete the DNS "A" record for "serviceA.company.com" after migration. C: The company did not configure DNS record for webapp.company.com properly on Vendor B's platform. D: The DNS configuration for serviceB.company.com is incorrect post migration
Medium Mac address and IP on router hop Routers Switches	Solve
Refer to the following exhibit: Host A is sending a packet to Host B. 1. What is the source and destination MAC address at point PA? 2. What is the source and destination IP address at point PB? // Option A PA: source MAC - Mac-A PA: destination MAC - Mac-B PB: source IP - 192.168.1.1 PB: destination IP - 192.168.3.1 // Option B PA: source MAC - Mac-A PA: destination MAC - Mac-RA PB: source IP - 192.168.3.3 PB: destination IP - 192.168.3.1 // Option C PA: source MAC - Mac-A PA: destination MAC - Mac-B PB: source IP - 192.168.3.3 PB: destination IP - 192.168.3.1 // Option D PA: source MAC - Mac-A PA: destination MAC - Mac-RA PB: source IP - 192.168.1.1 PB: destination IP - 192.168.3.1
Easy MX Record, DMARC and Email Authentication DNS MX Records DMARC SPF DKIM	Solve
You work as a network administrator for a company, "example.com", that recently started experiencing issues with email spoofing. To mitigate the problem, you decide to implement DMARC (Domain-based Message Authentication, Reporting & Conformance) in addition to existing SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records. Your current DNS records for example.com include the following: - MX 10 mail.example.com (IP address 203.0.113.10) - TXT "v=spf1 ip4:203.0.113.10 -all" - TXT "v=DKIM1; k=rsa; p=public-key-here" You add the following DMARC record: - TXT "_dmarc.example.com" "v=DMARC1; p=quarantine; pct=100; rua=mailto:report@example.com" After implementing the DMARC record, an external mail server sends an email to your domain. The email passes the SPF and DKIM checks but fails the DMARC check. What will likely happen to the email? A: The email will be accepted and delivered to the recipient's inbox. B: The email will be rejected and returned to the sender as undeliverable. C: The email might be delivered to the recipient's spam or junk folder. D: The email will be accepted, but a report will be sent to the sender. E: The email will be silently discarded, and the sender will not be notified.
Medium Remote network resources Gateway Routing protocols	Solve
Review the following exhibit: Angelina noticed that the computers on 192.168.10.0/24 network can ping their default gateway. But they found that these computers cannot connect to any remote network resources. Which of the following is the most likely reason for this?
Medium SSL Certificate Expiry SSL/TLS Network Security	Solve
You are a network administrator for an e-commerce company. The company's online store allows customers to browse products and make purchases securely over the internet. The online store uses SSL/TLS for secure communication. You receive reports that some customers are seeing a security warning in their web browsers when trying to access the online store. Upon investigation, you discover the following information: - The SSL certificate used by the online store's web server is valid for one year and is due to expire in two days. - The web server is configured to automatically redirect HTTP traffic to HTTPS. - The SSL certificate was issued by a trusted certificate authority (CA), and all major web browsers have the CA's root certificate in their trusted certificate stores. - The SSL certificate includes the correct domain name for the online store. Given the above information, which of the following steps should be taken to resolve the issue and prevent customers from seeing the security warning? A: Extend the validity of the current SSL certificate by one year. B: Obtain a new SSL certificate from the same CA and install it on the web server before the current certificate expires. C: Remove the automatic redirect from HTTP to HTTPS on the web server. D: Ask customers to ignore the security warning and proceed to the online store. E: Replace the SSL certificate with a self-signed certificate.

	🧐 Question	🔧 Skill
	Medium Database testcase Regression Testing	2 mins Testing	Solve
Adaface is developing a new database system called “Helen”. The tester at Adaface developed the following testcase for regression testing: 1. Open Helen 2. Open “Students” database 3. Enter data for “Sid” 4. Set checkpoint 5. Store “Sid” data in “Students” 6. Restart Helen 7. Read “Sid” data from “Students” 8. Compare checkpoint with the contents When the tester ran the testcase the first time, it worked as expected. Pick the correct statements: A: When the test case is ran the second time, the data entry for “Sid” already exists in the database. B: When the test case is ran the second time, it performs exactly as it did the first time C: The testcase is a good example for regression testing “Helen” D: The testcase is not a good example for regression testing “Helen” since the system behaves differently when the testcase is ran the second time
	Medium Decision Table	3 mins Testing	Solve
Check the following decision table: What are the expected actions for following testcases? I: Joey's age is 22. He is a smoker residing in India II: Jennifer's age is 62. She is a non-smoker not residing in India A) I - Insure, 10% discount. II - Insure, no discount B) I - Don't insure. II - Don't insure C) I - Insure, no discount. II - Don't insure D) I - Insure, no discount. II - Insure, 10% discount
	Easy Cart Checkout Incident Report	2 mins Testing	Solve
Review the following incident report written QA team of LWB, Little White Book (an e-commerce app): 1. Place any items in the cart (Say “Nike FST Men”). 2. Place any other (different) item in the shopping cart (Say “Nike Air Max”). 3. Remove “Nike FST Men” from the shopping cart, but leave “Nike Air Max” in the cart. 4. Click on “Check out” button. 5. Expect the app to display the check out screen, instead ‘No items in the shopping cart. Click continue to go back to shopping.’ error message is shown as a popup. 6. Click “Continue”. 7. Expect the app to go to shopping screen to add/remove items from the cart. Instead the app crashes. 8. The error in steps 5 and 7 occurred in every attempt of 5 attempts (1 2 3 4 and 6). Which of the following information is missing from the incident report?
	Medium Cookie Security Analysis Web Application Security HTTP Cookies Cross-Domain Communication	2 mins Cyber Security	Solve
You are a cybersecurity officer and a new third-party payment gateway is integrated into your company's e-commerce website. The payment gateway API is hosted on a different domain (pay-gateway.com) than your e-commerce site (my-ecommerce.com). You receive some reports that users are unable to complete their transactions intermittently. You obtain the following set of HTTP cookies from an affected user: 1. user_session=1; Domain=my-ecommerce.com; Path=/; Secure; HttpOnly 2. payment_session=xyz123; Domain=pay-gateway.com; Path=/; Secure; HttpOnly 3. cart_id=abcd1234; Domain=my-ecommerce.com; Path=/; Secure 4. csrf_token=efgh5678; Domain=my-ecommerce.com; Path=/; Secure 5. currency=USD; Domain=my-ecommerce.com; Path=/; 6. same_site_test=1; Domain=my-ecommerce.com; Path=/; Secure; SameSite=None 7. payment_verification=; Domain=my-ecommerce.com; Path=/; Secure; HttpOnly Which of the following configuration modifications would likely solve the intermittent transaction failure issue? A: Set SameSite=Strict attribute on all cookies. B: Set "SameSite=None; Secure" attribute on the payment_session cookie. C: Change the Domain attribute of payment_session cookie to my-ecommerce.com. D: Set HttpOnly attribute on cart_id and csrf_token cookies. E: Remove Secure attribute from user_session cookie.
	Medium Security Incident Log Analysis	2 mins Cyber Security	Solve
You are the security analyst for a company and are currently investigating a security incident. You found the following log entries in your HTTP server logs, which appear to be linked to the incident: 1. 192.0.2.4 - - [24/May/2023:13:15:30 +0000] "GET /wp-login.php HTTP/1.1" 200 167 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" 2. 192.0.2.4 - - [24/May/2023:13:15:31 +0000] "POST /wp-login.php HTTP/1.1" 302 152 "http://www.example.com/wp-login.php" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" 3. 192.0.2.4 - - [24/May/2023:13:15:32 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 125 "http://www.example.com/wp-admin/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" Based on this information, which of the following statements are correct? A: The attacker was unable to compromise the Wordpress login page but was successful in accessing the installation page. B: The attacker attempted to login to a Wordpress site and, despite the login failing, was able to access the Wordpress installation page. C: The attacker was attempting a dictionary attack on the Wordpress site and accessed the Wordpress installation page. D: The logs indicate that the attacker was able to compromise the Wordpress login and directly access the installation page. E: The attacker attempted to login to a Wordpress site, succeeded, and then tried to access the Wordpress installation page.
	Medium Network Traffic Anomaly Network Traffic Analysis Network Protocols	2 mins Cyber Security	Solve
You are a cybersecurity engineer working on a network traffic analysis case. You have been given the following set of observations from network logs of the past 24 hours: - Observation 1: 1,000,000 DNS requests were recorded, 50% more than the usual daily traffic. - Observation 2: 85% of these DNS requests have the same subdomain but different domain names. - Observation 3: For each of these DNS requests, an HTTP POST request follows immediately. - Observation 4: No other significant anomalies were detected in the system logs. Given these observations, what would you suspect is happening? A: The network is experiencing a DNS amplification attack B: There is a misconfiguration in the DNS settings C: The system is the source of a SYN flood attack D: A fast-flux DNS network is in operation E: The system is infected with a DNS tunneling based malware
	Medium SQL Log Analysis SQL Injection Log Analysis	2 mins Cyber Security	Solve
You are investigating a possible SQL injection attack on your company's web application. You found the following entries in the HTTP server logs: Note that each log line contains the following information: IP Address - Timestamp - Request URI - Request Status - Response Size Based on the log entries, which of the following statements are correct? A: The attacker logged in successfully but failed to execute the SQL injection. B: The attacker failed in the SQL injection attack. C: The attacker failed to login but successfully accessed the admin page. D: The attacker performed a successful SQL injection attack that dumped all product information. E: The attacker was unsuccessful in both the SQL injection attack and the login attempt.
	Medium Misappropriation Post-Migration DNS Management Infrastructure Migration Subdomain Hijacking	3 mins Cyber Security	Solve
A software company decided to move some of their web services from one cloud provider (Vendor A) to another (Vendor B) for better cost optimization. Initially, their main web application "webapp.company.com" was hosted at IP 192.0.2.1 on Vendor A's infrastructure. As part of this transition, it was moved to IP 203.0.113.1 on Vendor B's setup. Subsequently, a secondary web service previously hosted on "serviceA.company.com" at IP 192.0.2.2 (Vendor A), was migrated and re-hosted at "serviceB.company.com" at IP 203.0.113.2 (Vendor B). A month post-migration, the SEO team reported an unexpected spike in organic traffic to the "company.com" domain. Upon investigating, the IT team noticed unusual activity related to "serviceA.company.com" in the server access logs, including successful HTTP 200 responses from several requests. A suspicious HTTPS GET request, `GET /explicit-content.html HTTP/1.1`, was also recorded. Running `dig +short serviceA.company.com` returned IP address 198.51.100.1. Cross-checking this information with the company's DNS records revealed: Based on the details provided, identify the probable cause for the unexpected increase in organic traffic: A: The company failed to delete the DNS "A" record for "serviceB.company.com" before migration on vendor A. B: The company failed to delete the DNS "A" record for "serviceA.company.com" after migration. C: The company did not configure DNS record for webapp.company.com properly on Vendor B's platform. D: The DNS configuration for serviceB.company.com is incorrect post migration
	Medium Mac address and IP on router hop Routers Switches	2 mins Computer Networks	Solve
Refer to the following exhibit: Host A is sending a packet to Host B. 1. What is the source and destination MAC address at point PA? 2. What is the source and destination IP address at point PB? // Option A PA: source MAC - Mac-A PA: destination MAC - Mac-B PB: source IP - 192.168.1.1 PB: destination IP - 192.168.3.1 // Option B PA: source MAC - Mac-A PA: destination MAC - Mac-RA PB: source IP - 192.168.3.3 PB: destination IP - 192.168.3.1 // Option C PA: source MAC - Mac-A PA: destination MAC - Mac-B PB: source IP - 192.168.3.3 PB: destination IP - 192.168.3.1 // Option D PA: source MAC - Mac-A PA: destination MAC - Mac-RA PB: source IP - 192.168.1.1 PB: destination IP - 192.168.3.1
	Easy MX Record, DMARC and Email Authentication DNS MX Records DMARC SPF DKIM	2 mins Computer Networks	Solve
You work as a network administrator for a company, "example.com", that recently started experiencing issues with email spoofing. To mitigate the problem, you decide to implement DMARC (Domain-based Message Authentication, Reporting & Conformance) in addition to existing SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records. Your current DNS records for example.com include the following: - MX 10 mail.example.com (IP address 203.0.113.10) - TXT "v=spf1 ip4:203.0.113.10 -all" - TXT "v=DKIM1; k=rsa; p=public-key-here" You add the following DMARC record: - TXT "_dmarc.example.com" "v=DMARC1; p=quarantine; pct=100; rua=mailto:report@example.com" After implementing the DMARC record, an external mail server sends an email to your domain. The email passes the SPF and DKIM checks but fails the DMARC check. What will likely happen to the email? A: The email will be accepted and delivered to the recipient's inbox. B: The email will be rejected and returned to the sender as undeliverable. C: The email might be delivered to the recipient's spam or junk folder. D: The email will be accepted, but a report will be sent to the sender. E: The email will be silently discarded, and the sender will not be notified.
	Medium Remote network resources Gateway Routing protocols	3 mins Computer Networks	Solve
Review the following exhibit: Angelina noticed that the computers on 192.168.10.0/24 network can ping their default gateway. But they found that these computers cannot connect to any remote network resources. Which of the following is the most likely reason for this?
	Medium SSL Certificate Expiry SSL/TLS Network Security	2 mins Computer Networks	Solve
You are a network administrator for an e-commerce company. The company's online store allows customers to browse products and make purchases securely over the internet. The online store uses SSL/TLS for secure communication. You receive reports that some customers are seeing a security warning in their web browsers when trying to access the online store. Upon investigation, you discover the following information: - The SSL certificate used by the online store's web server is valid for one year and is due to expire in two days. - The web server is configured to automatically redirect HTTP traffic to HTTPS. - The SSL certificate was issued by a trusted certificate authority (CA), and all major web browsers have the CA's root certificate in their trusted certificate stores. - The SSL certificate includes the correct domain name for the online store. Given the above information, which of the following steps should be taken to resolve the issue and prevent customers from seeing the security warning? A: Extend the validity of the current SSL certificate by one year. B: Obtain a new SSL certificate from the same CA and install it on the web server before the current certificate expires. C: Remove the automatic redirect from HTTP to HTTPS on the web server. D: Ask customers to ignore the security warning and proceed to the online store. E: Replace the SSL certificate with a self-signed certificate.

	🧐 Question	🔧 Skill	💪 Difficulty	⌛ Time
	Database testcase Regression Testing	Testing	Medium	2 mins	Solve
Adaface is developing a new database system called “Helen”. The tester at Adaface developed the following testcase for regression testing: 1. Open Helen 2. Open “Students” database 3. Enter data for “Sid” 4. Set checkpoint 5. Store “Sid” data in “Students” 6. Restart Helen 7. Read “Sid” data from “Students” 8. Compare checkpoint with the contents When the tester ran the testcase the first time, it worked as expected. Pick the correct statements: A: When the test case is ran the second time, the data entry for “Sid” already exists in the database. B: When the test case is ran the second time, it performs exactly as it did the first time C: The testcase is a good example for regression testing “Helen” D: The testcase is not a good example for regression testing “Helen” since the system behaves differently when the testcase is ran the second time
	Decision Table	Testing	Medium	3 mins	Solve
Check the following decision table: What are the expected actions for following testcases? I: Joey's age is 22. He is a smoker residing in India II: Jennifer's age is 62. She is a non-smoker not residing in India A) I - Insure, 10% discount. II - Insure, no discount B) I - Don't insure. II - Don't insure C) I - Insure, no discount. II - Don't insure D) I - Insure, no discount. II - Insure, 10% discount
	Cart Checkout Incident Report	Testing	Easy	2 mins	Solve
Review the following incident report written QA team of LWB, Little White Book (an e-commerce app): 1. Place any items in the cart (Say “Nike FST Men”). 2. Place any other (different) item in the shopping cart (Say “Nike Air Max”). 3. Remove “Nike FST Men” from the shopping cart, but leave “Nike Air Max” in the cart. 4. Click on “Check out” button. 5. Expect the app to display the check out screen, instead ‘No items in the shopping cart. Click continue to go back to shopping.’ error message is shown as a popup. 6. Click “Continue”. 7. Expect the app to go to shopping screen to add/remove items from the cart. Instead the app crashes. 8. The error in steps 5 and 7 occurred in every attempt of 5 attempts (1 2 3 4 and 6). Which of the following information is missing from the incident report?
	Cookie Security Analysis Web Application Security HTTP Cookies Cross-Domain Communication	Cyber Security	Medium	2 mins	Solve
You are a cybersecurity officer and a new third-party payment gateway is integrated into your company's e-commerce website. The payment gateway API is hosted on a different domain (pay-gateway.com) than your e-commerce site (my-ecommerce.com). You receive some reports that users are unable to complete their transactions intermittently. You obtain the following set of HTTP cookies from an affected user: 1. user_session=1; Domain=my-ecommerce.com; Path=/; Secure; HttpOnly 2. payment_session=xyz123; Domain=pay-gateway.com; Path=/; Secure; HttpOnly 3. cart_id=abcd1234; Domain=my-ecommerce.com; Path=/; Secure 4. csrf_token=efgh5678; Domain=my-ecommerce.com; Path=/; Secure 5. currency=USD; Domain=my-ecommerce.com; Path=/; 6. same_site_test=1; Domain=my-ecommerce.com; Path=/; Secure; SameSite=None 7. payment_verification=; Domain=my-ecommerce.com; Path=/; Secure; HttpOnly Which of the following configuration modifications would likely solve the intermittent transaction failure issue? A: Set SameSite=Strict attribute on all cookies. B: Set "SameSite=None; Secure" attribute on the payment_session cookie. C: Change the Domain attribute of payment_session cookie to my-ecommerce.com. D: Set HttpOnly attribute on cart_id and csrf_token cookies. E: Remove Secure attribute from user_session cookie.
	Security Incident Log Analysis	Cyber Security	Medium	2 mins	Solve
You are the security analyst for a company and are currently investigating a security incident. You found the following log entries in your HTTP server logs, which appear to be linked to the incident: 1. 192.0.2.4 - - [24/May/2023:13:15:30 +0000] "GET /wp-login.php HTTP/1.1" 200 167 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" 2. 192.0.2.4 - - [24/May/2023:13:15:31 +0000] "POST /wp-login.php HTTP/1.1" 302 152 "http://www.example.com/wp-login.php" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" 3. 192.0.2.4 - - [24/May/2023:13:15:32 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 125 "http://www.example.com/wp-admin/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)" Based on this information, which of the following statements are correct? A: The attacker was unable to compromise the Wordpress login page but was successful in accessing the installation page. B: The attacker attempted to login to a Wordpress site and, despite the login failing, was able to access the Wordpress installation page. C: The attacker was attempting a dictionary attack on the Wordpress site and accessed the Wordpress installation page. D: The logs indicate that the attacker was able to compromise the Wordpress login and directly access the installation page. E: The attacker attempted to login to a Wordpress site, succeeded, and then tried to access the Wordpress installation page.
	Network Traffic Anomaly Network Traffic Analysis Network Protocols	Cyber Security	Medium	2 mins	Solve
You are a cybersecurity engineer working on a network traffic analysis case. You have been given the following set of observations from network logs of the past 24 hours: - Observation 1: 1,000,000 DNS requests were recorded, 50% more than the usual daily traffic. - Observation 2: 85% of these DNS requests have the same subdomain but different domain names. - Observation 3: For each of these DNS requests, an HTTP POST request follows immediately. - Observation 4: No other significant anomalies were detected in the system logs. Given these observations, what would you suspect is happening? A: The network is experiencing a DNS amplification attack B: There is a misconfiguration in the DNS settings C: The system is the source of a SYN flood attack D: A fast-flux DNS network is in operation E: The system is infected with a DNS tunneling based malware
	SQL Log Analysis SQL Injection Log Analysis	Cyber Security	Medium	2 mins	Solve
You are investigating a possible SQL injection attack on your company's web application. You found the following entries in the HTTP server logs: Note that each log line contains the following information: IP Address - Timestamp - Request URI - Request Status - Response Size Based on the log entries, which of the following statements are correct? A: The attacker logged in successfully but failed to execute the SQL injection. B: The attacker failed in the SQL injection attack. C: The attacker failed to login but successfully accessed the admin page. D: The attacker performed a successful SQL injection attack that dumped all product information. E: The attacker was unsuccessful in both the SQL injection attack and the login attempt.
	Misappropriation Post-Migration DNS Management Infrastructure Migration Subdomain Hijacking	Cyber Security	Medium	3 mins	Solve
A software company decided to move some of their web services from one cloud provider (Vendor A) to another (Vendor B) for better cost optimization. Initially, their main web application "webapp.company.com" was hosted at IP 192.0.2.1 on Vendor A's infrastructure. As part of this transition, it was moved to IP 203.0.113.1 on Vendor B's setup. Subsequently, a secondary web service previously hosted on "serviceA.company.com" at IP 192.0.2.2 (Vendor A), was migrated and re-hosted at "serviceB.company.com" at IP 203.0.113.2 (Vendor B). A month post-migration, the SEO team reported an unexpected spike in organic traffic to the "company.com" domain. Upon investigating, the IT team noticed unusual activity related to "serviceA.company.com" in the server access logs, including successful HTTP 200 responses from several requests. A suspicious HTTPS GET request, `GET /explicit-content.html HTTP/1.1`, was also recorded. Running `dig +short serviceA.company.com` returned IP address 198.51.100.1. Cross-checking this information with the company's DNS records revealed: Based on the details provided, identify the probable cause for the unexpected increase in organic traffic: A: The company failed to delete the DNS "A" record for "serviceB.company.com" before migration on vendor A. B: The company failed to delete the DNS "A" record for "serviceA.company.com" after migration. C: The company did not configure DNS record for webapp.company.com properly on Vendor B's platform. D: The DNS configuration for serviceB.company.com is incorrect post migration
	Mac address and IP on router hop Routers Switches	Computer Networks	Medium	2 mins	Solve
Refer to the following exhibit: Host A is sending a packet to Host B. 1. What is the source and destination MAC address at point PA? 2. What is the source and destination IP address at point PB? // Option A PA: source MAC - Mac-A PA: destination MAC - Mac-B PB: source IP - 192.168.1.1 PB: destination IP - 192.168.3.1 // Option B PA: source MAC - Mac-A PA: destination MAC - Mac-RA PB: source IP - 192.168.3.3 PB: destination IP - 192.168.3.1 // Option C PA: source MAC - Mac-A PA: destination MAC - Mac-B PB: source IP - 192.168.3.3 PB: destination IP - 192.168.3.1 // Option D PA: source MAC - Mac-A PA: destination MAC - Mac-RA PB: source IP - 192.168.1.1 PB: destination IP - 192.168.3.1
	MX Record, DMARC and Email Authentication DNS MX Records DMARC SPF DKIM	Computer Networks	Easy	2 mins	Solve
You work as a network administrator for a company, "example.com", that recently started experiencing issues with email spoofing. To mitigate the problem, you decide to implement DMARC (Domain-based Message Authentication, Reporting & Conformance) in addition to existing SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records. Your current DNS records for example.com include the following: - MX 10 mail.example.com (IP address 203.0.113.10) - TXT "v=spf1 ip4:203.0.113.10 -all" - TXT "v=DKIM1; k=rsa; p=public-key-here" You add the following DMARC record: - TXT "_dmarc.example.com" "v=DMARC1; p=quarantine; pct=100; rua=mailto:report@example.com" After implementing the DMARC record, an external mail server sends an email to your domain. The email passes the SPF and DKIM checks but fails the DMARC check. What will likely happen to the email? A: The email will be accepted and delivered to the recipient's inbox. B: The email will be rejected and returned to the sender as undeliverable. C: The email might be delivered to the recipient's spam or junk folder. D: The email will be accepted, but a report will be sent to the sender. E: The email will be silently discarded, and the sender will not be notified.
	Remote network resources Gateway Routing protocols	Computer Networks	Medium	3 mins	Solve
Review the following exhibit: Angelina noticed that the computers on 192.168.10.0/24 network can ping their default gateway. But they found that these computers cannot connect to any remote network resources. Which of the following is the most likely reason for this?
	SSL Certificate Expiry SSL/TLS Network Security	Computer Networks	Medium	2 mins	Solve
You are a network administrator for an e-commerce company. The company's online store allows customers to browse products and make purchases securely over the internet. The online store uses SSL/TLS for secure communication. You receive reports that some customers are seeing a security warning in their web browsers when trying to access the online store. Upon investigation, you discover the following information: - The SSL certificate used by the online store's web server is valid for one year and is due to expire in two days. - The web server is configured to automatically redirect HTTP traffic to HTTPS. - The SSL certificate was issued by a trusted certificate authority (CA), and all major web browsers have the CA's root certificate in their trusted certificate stores. - The SSL certificate includes the correct domain name for the online store. Given the above information, which of the following steps should be taken to resolve the issue and prevent customers from seeing the security warning? A: Extend the validity of the current SSL certificate by one year. B: Obtain a new SSL certificate from the same CA and install it on the web server before the current certificate expires. C: Remove the automatic redirect from HTTP to HTTPS on the web server. D: Ask customers to ignore the security warning and proceed to the online store. E: Replace the SSL certificate with a self-signed certificate.

Reason #4

1200+ customers in 75 countries

Com o Adaface, conseguimos otimizar nosso processo de seleção inicial em mais de 75%, liberando um tempo precioso tanto para os gerentes de contratação quanto para nossa equipe de aquisição de talentos!

Brandon Lee, Chefe de Pessoas, Love, Bonito

Preview this test

Ver Scorecard de amostra

Reason #5

Designed for elimination, not selection

The most important thing while implementing the pre-employment Teste online OWASP in your hiring process is that it is an elimination tool, not a selection tool. In other words: you want to use the test to eliminate the candidates who do poorly on the test, not to select the candidates who come out at the top. While they are super valuable, pre-employment tests do not paint the entire picture of a candidate’s abilities, knowledge, and motivations. Multiple easy questions are more predictive of a candidate's ability than fewer hard questions. Harder questions are often "trick" based questions, which do not provide any meaningful signal about the candidate's skillset.

Science behind Adaface tests

Reason #6

1 click candidate invites

Email invites: You can send candidates an email invite to the Teste online OWASP from your dashboard by entering their email address.

Public link: You can create a public link for each test that you can share with candidates.

API or integrations: You can invite candidates directly from your ATS by using our pre-built integrations with popular ATS systems or building a custom integration with your in-house ATS.

Reason #7

Detailed scorecards & benchmarks

Ver Scorecard de amostra

Preview this test

Ver Scorecard de amostra

Reason #8

High completion rate

Adaface tests are conversational, low-stress, and take just 25-40 mins to complete.

This is why Adaface has the highest test-completion rate (86%), which is more than 2x better than traditional assessments.

Reason #9

Advanced Proctoring

Learn more

Preview this test

Ver Scorecard de amostra

About the OWASP Assessment Test

Why you should use Pre-employment OWASP Online Test?

The Teste online OWASP makes use of scenario-based questions to test for on-the-job skills as opposed to theoretical knowledge, ensuring that candidates who do well on this screening test have the relavant skills. The questions are designed to covered following on-the-job aspects:

Teste de vulnerabilidades de injeção em aplicativos da Web
Entendendo e implementando mecanismos de autenticação seguros
Identificando e resolvendo problemas relacionados à exposição aos dados sensíveis
Detectar e atenuar ataques de entidade externa XML (XXE)
Projetando e implementando fortes medidas de controle de acesso
Abordando a segurança comum de segurança para garantir a segurança do aplicativo
Prevenção de ataques de scripts entre sites (XSS) em aplicativos da web
Lidar com a deseralização segura dos dados para evitar a exploração
Identificando e abordando vulnerabilidades decorrentes do uso de componentes com falhas de segurança conhecidas
Implementando registro e monitoramento suficientes para obter uma resposta eficaz de incidentes

Once the test is sent to a candidate, the candidate receives a link in email to take the test. For each candidate, you will receive a detailed report with skills breakdown and benchmarks to shortlist the top candidates from your pool.

What topics are covered in the OWASP Online Test?

Full list of covered topics
The actual topics of the questions in the final test will depend on your job description and requirements. However, here's a list of topics you can expect the questions for Teste online OWASP to be based on.
Injeção
Injeção SQL
Scripts de sites cruzados (XSS)
Falsificação de solicitação entre sites (CSRF)
Falsificação de solicitação do lado do servidor (SSRF)
Entidades externas XML (XXE)
Autenticação quebrada
Hash de senha
Autenticação multifatorial (MFA)
Gerenciamento de sessão
Exposição de dados sensíveis
Criptografia
Mascaramento de dados
Controle de acesso
Controle de acesso baseado em função (RBAC)
Escalada de privilégios
Segurança equivocada
Configuração segura
Manipulação de erros
Padrões de codificação seguros
Política de Segurança de Conteúdo (CSP)
Redes de entrega de conteúdo (CDN)
Compartilhamento de Recursos Cross-Origin (CORS)
Referências de objeto direto inseguro (IDOR)
Validação do lado do servidor
Validação do lado do cliente
JSON Web Tokens (JWT)
Upload seguro de arquivo
Injeção de cabeçalho do hospedeiro
Clickjacking
Cookies seguros
Cabeçalhos de segurança HTTP
Falsificação de conteúdo
Deserialização insegura
Usando componentes com vulnerabilidades conhecidas
Open Web Application Security Project (OWASP)
OWASP Top 10
Guia de teste OWASP
OWASP ZAP (proxy de ataque Zed)
Firewalls de aplicativos da web (WAF)
Ciclo de vida de desenvolvimento de software seguro (SDLC)
Modelagem de ameaças
Revisão de código seguro
Teste de penetração
Resposta de incidentes de segurança
Varredura de vulnerabilidade
Análise de log
Informações de segurança e gerenciamento de eventos (SIEM)
Monitoramento de tráfego de rede
Sistema de detecção de intrusões (IDs)
Sistema de Prevenção de Intrusão (IPS)
Treinamento de conscientização sobre segurança
Estruturas de desenvolvimento seguras
Bibliotecas seguras de terceiros

Preview this test

Ver Scorecard de amostra

What roles can I use the OWASP Online Test for?

Analista de segurança
Testador de penetração
Administrador do sistema
Engenheiro de rede
Auditor de TI
Consultor de segurança
Gerente de TI
Gerente de risco

How is the OWASP Online Test customized for senior candidates?

For intermediate/ experienced candidates, we customize the assessment questions to include advanced topics and increase the difficulty level of the questions. This might include adding questions on topics like

Realizando testes abrangentes de segurança em aplicativos da Web
Analisando e protegendo a infraestrutura de rede para evitar ataques cibernéticos
Entendendo e implementando protocolos e algoritmos de criptografia seguros
Configurando e mantendo firewalls e sistemas de detecção de intrusões
Monitoramento e atenuação de ameaças às redes de computadores
Implementando protocolos de rede sem fio seguros e controles de acesso
Solução de problemas de conectividade de rede e problemas de desempenho
Entendendo e abordando vulnerabilidades em protocolos de rede
Proteger a infraestrutura e os serviços em nuvem de riscos potenciais
Projetando e implementando planos de recuperação de desastres para infraestrutura de rede

Preview this test

Ver Scorecard de amostra

Os gerentes de contratação sentiram que, por meio das perguntas técnicas feitas durante as entrevistas do painel, foram capazes de dizer quais candidatos tiveram melhores pontuações e diferenciaram aqueles que não tiveram pontuações tão boas. Eles são altamente satisfeito com a qualidade dos candidatos selecionados na triagem Adaface.

85%

Redução no tempo de triagem

Veja o estudo de caso completo

OWASP Hiring Test Perguntas frequentes

Posso combinar várias habilidades em uma avaliação personalizada?

Sim absolutamente. As avaliações personalizadas são configuradas com base na descrição do seu trabalho e incluirão perguntas sobre todas as habilidades obrigatórias que você especificar.

Você tem algum recurso anti-trapaça ou procurador?

Temos os seguintes recursos anti-trapaça:

Perguntas não-goleadas
IP Proctoring
Web Proctoring
Proctoring da webcam
Detecção de plágio
navegador seguro

Leia mais sobre os Recursos de Proctoring.

Como interpreto as pontuações dos testes?

O principal a ter em mente é que uma avaliação é uma ferramenta de eliminação, não uma ferramenta de seleção. Uma avaliação de habilidades é otimizada para ajudá -lo a eliminar os candidatos que não são tecnicamente qualificados para o papel, não é otimizado para ajudá -lo a encontrar o melhor candidato para o papel. Portanto, a maneira ideal de usar uma avaliação é decidir uma pontuação limite (normalmente 55%, ajudamos você a comparar) e convidar todos os candidatos que pontuam acima do limiar para as próximas rodadas da entrevista.

Para que nível de experiência posso usar este teste?

Cada avaliação do Adaface é personalizada para a descrição do seu trabalho/ persona do candidato ideal (nossos especialistas no assunto escolherão as perguntas certas para sua avaliação de nossa biblioteca de mais de 10000 perguntas). Esta avaliação pode ser personalizada para qualquer nível de experiência.

Todo candidato recebe as mesmas perguntas?

Sim, facilita muito a comparação de candidatos. As opções para perguntas do MCQ e a ordem das perguntas são randomizadas. Recursos anti-traking/proctoring no local. Em nosso plano corporativo, também temos a opção de criar várias versões da mesma avaliação com questões de níveis de dificuldade semelhantes.