Welcome to today’s practice test!

Today’s practice test is based on subdomain 2.3 (Explain various types of vulnerabilities) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.


#1. A developer integrates an external library into a web application without validating its integrity. Later, the app begins making unauthorized external API calls. What vulnerability does this describe?

#2. An attacker exploits a race condition in a system’s file access check to gain elevated privileges. Which specific type of vulnerability is involved?

#3. A mobile user installs an app directly from a third-party website, bypassing the official app store. Which vulnerability type does this exemplify?

#4. Which of the following best describes a VM escape vulnerability?

#5. Which of the following most accurately describes a buffer overflow?

#6. Which condition is necessary for a zero-day vulnerability to occur?

#7. An attacker manipulates a firmware update on a router before it is applied. What type of vulnerability is this?

#8. An outdated web application fails to sanitize input fields, allowing an attacker to execute JavaScript in a user’s browser. What vulnerability is this?

#9. A legacy ERP system still in production receives no vendor updates and uses insecure protocols. This is an example of:

#10. What is the primary security risk of a jailbroken mobile device on an enterprise network?

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

Answers and explanations for today’s questions appear in the Answers section below.

Answers

#1. Answer: B

This scenario describes a supply chain vulnerability. The developer incorporated an external (third-party) component, the library, without validating its integrity, and that component contained malicious functionality (making unauthorized API calls). The vulnerability was introduced through the software supply chain rather than through the application’s own code.

A buffer overflow is a type of software vulnerability where a program attempts to write data to a buffer beyond its allocated size, potentially leading to crashes or arbitrary code execution. It’s a specific coding flaw, not related to the source of the malicious behavior in this context.

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. This is a specific type of web application vulnerability, not related to integrating an external, compromised library.

A cryptographic flaw is an error in the design or implementation of a cryptographic system that weakens its security. This scenario describes malicious behavior originating from an external component, not a flaw in encryption itself.
#2. Answer: A

A time-of-use (TOU) vulnerability is a specific type of race condition in which an attacker exploits the gap between the moment a security check is performed (time of check, TOC) and the moment the resource is actually used (time of use, TOU). In this case, the file access check is performed (TOC), but the attacker exploits the small window before the file is actually accessed (TOU) to change its state or gain access, leading to elevated privileges. This is also often referred to as a TOC/TOU or TOCTOU vulnerability.

A VM escape is a vulnerability that allows an attacker to break out of a virtual machine and interact with the host operating system. It’s related to virtualization security, not specifically race conditions in file access.

A logic bomb is malicious code intentionally inserted into a software system that lies dormant until a specific condition (e.g., a certain date, a specific event) is met, at which point it executes. It’s not a race condition.

XSS is a web application vulnerability that allows attackers to inject client-side scripts into web pages viewed by other users. It’s a web-based attack, unrelated to race conditions in file access.
#3. Answer: B

Sideloading refers to the process of installing software applications onto a mobile device from sources other than the official app store (e.g., directly from a website). This is a common vulnerability type because apps obtained this way bypass the store’s security checks and can contain malware or be tampered with.

Misconfiguration refers to security flaws due to incorrect settings in software, hardware, or networks. While sideloading might require a misconfiguration (like enabling “unknown sources”), the act of installing from a third-party source itself is called sideloading.

An OS vulnerability is a flaw within the operating system itself. Sideloading is a method of app installation, not an inherent flaw in the OS.

A cryptographic vulnerability is a weakness in encryption algorithms or their implementation. This is unrelated to how an app is installed.
#4. Answer: B

A VM escape vulnerability allows an attacker to break out of the isolation of a virtual machine and gain unauthorized access to the underlying hypervisor (host) or other virtual machines running on the same host. This bypasses the intended security boundaries of virtualization.

Data exfiltration is the unauthorized transfer of data out of a system. While a VM escape can enable data exfiltration from the host, exfiltration from the VM itself does not necessarily imply an escape.

Unauthorized remote access to a VM is essentially a compromise of the VM itself (e.g., through a network vulnerability or weak credentials) but not a breach of the isolation boundary to the host or other VMs.

Improper virtual switch configuration is a specific type of network configuration error that could lead to communication issues or unintended network access, but it’s not the definition of a VM escape vulnerability.
#5. Answer: A

A buffer overflow (or buffer overrun) occurs when a program attempts to write more data into a fixed-size memory buffer than it was designed to hold. This excess data “overflows” into adjacent memory locations, potentially overwriting legitimate data or executable code, leading to program crashes, unpredictable behavior, or even arbitrary code execution by an attacker.

‘When input is not validated, leading to injection’ describes an injection vulnerability (like SQL injection or command injection), where unvalidated input is treated as executable code or commands. While also a critical vulnerability, it’s distinct from a buffer overflow.

‘When an OS service is improperly configured’ describes a misconfiguration vulnerability, which can lead to various security flaws but is not a buffer overflow.

‘When unpatched firmware is exploited’ describes exploiting a vulnerability in firmware that hasn’t been updated. The underlying vulnerability could be anything (including a buffer overflow), but this option describes the exploitation of an unpatched flaw, not the nature of a buffer overflow itself.
#6. Answer: C

The defining characteristic of a zero-day vulnerability is that it is a software or hardware flaw that is unknown to the vendor (and thus not publicly known) and for which no patch or fix is available at the time it is exploited by attackers. The term “zero-day” refers to the fact that the vendor has “zero days” to fix it before it’s exploited in the wild.

If a known patch is available, it’s no longer a zero-day vulnerability; it’s simply an unpatched vulnerability.

While a zero-day could potentially be discovered during a penetration test, that’s not a necessary condition for it to be a zero-day. Many are discovered by threat actors first.

A zero-day vulnerability can be any type of flaw (e.g., buffer overflow, injection, logic flaw), not exclusively encryption flaws.
#7. Answer: C

Firmware runs on the hardware itself, so firmware-level vulnerabilities are classified under hardware vulnerabilities in the Security+ objectives. Tampering with a router’s firmware update before it is applied exploits this layer. The other choices are software-related.
#8. Answer: B

Cross-site scripting (XSS) allows attackers to inject client-side scripts, meaning scripts that run in a client application such as the user’s browser, which is exactly what the unsanitized input fields in the scenario permit. SQL injection (SQLi) targets databases, and the other options are unrelated.
#9. Answer: C

An end-of-life (EOL) system is software or hardware that is no longer supported by its vendor. This means it receives no further updates, security patches, or technical assistance, often leading to the continued use of insecure protocols. The description matches an EOL system exactly.

A zero-day is a vulnerability that is unknown to the vendor and has no patch. The scenario describes a system that receives no vendor updates, implying that its state is known (it’s EOL), and any vulnerabilities it has are simply unaddressed due to lack of support, not necessarily being undiscovered.

While the system might have cryptographic vulnerabilities due to using insecure protocols, the overarching issue described is the lack of vendor support and updates, which defines its end-of-life status, not specifically a cryptographic flaw.

Virtualization risk relates to security issues within virtual environments (like VM escape). The scenario describes a legacy ERP system’s support status, not its virtualization deployment.
#10. Answer: C

Jailbreaking (or rooting on Android) removes the security restrictions imposed by the device’s operating system, most notably the app sandboxing mechanism. Sandboxing isolates apps from each other and from critical system resources. When this is bypassed, malicious apps (or even legitimate apps with vulnerabilities) can gain elevated privileges, access data from other apps, modify system files, and potentially compromise the entire device and, by extension, the enterprise network it connects to.

While jailbreaking can sometimes be associated with less secure backup practices if users aren’t careful, it’s not the primary security risk directly caused by the jailbreak itself to the enterprise network. The direct impact is on the device’s security model.

The option suggesting stricter app permissions describes the opposite of what happens: jailbreaking makes app permissions less strict, allowing apps to request and be granted privileges they would not normally have.

Modern mobile operating systems commonly provide strong full-disk encryption, and jailbreaking does not inherently disable it. A jailbreak may make decrypted data easier to reach if the device is unlocked and compromised, or a user may choose to disable encryption, but the primary risk of the jailbreak itself is the broken sandboxing and the resulting privilege escalation.