KeyTrain's Key Training — Application Security — free practice exam
16 original practice questions aligned to official exam domains. Run a timed, domain-weighted quiz in your browser — no login required.
Exam domains
| Domain | Weight |
|---|---|
| Vulnerable applications | 25% |
| Insecure coding | 25% |
| Software exploits | 25% |
| SAST findings | 25% |
Sample practice questions
- Browser zero-day is announced; no patch for 48 hours. Mitigation?
- Bug bounty reports IDOR on an API returning other users' orders by changing ?userId=. Fix?
- Code review finds user input concatenated into OS commands. Fix?
- Dependency scan shows log4j vulnerable library in three microservices. FIRST step?
- Developers complain SAST has 10,000 findings. Prioritization approach?
- JWTs are accepted with alg=none in a mobile API. Severity?
- Legacy PHP 5.6 internet app cannot be retired yet. Control?
- A Node service builds SQL with template literals including user search terms. Risk?
- Pen test achieves domain admin via PrintNightmare-style vuln. Lesson?
- SAST flags deserialization of untrusted data in a Java admin servlet. Why critical?
- SAST flags SSRF in a webhook feature. Why is this high risk?
- SAST pipeline fails build on hard-coded AWS keys in a feature branch. Correct outcome?
- Secrets are hard-coded in a mobile app binary. BEST remediation?
- Threat actors weaponize a Citrix ADC flaw within 24 hours of disclosure. Your edge uses ADC. Step?
- Threat intel lists active exploitation of a VPN appliance CVE. Action?
- WAF blocks SQLi on a public form; app team says 'WAF handles it.' Your concern?