APIsec University - Become an API Security Expert

The document outlines the ACP Exam for the APIsec Certified Practitioner, consisting of 100 questions covering various API security concepts and vulnerabilities. It includes questions on authentication, authorization, API documentation, and specific vulnerabilities like Broken Function Level Authorization and Server-Side Request Forgery. The exam aims to assess knowledge and understanding of API security best practices and risks.

The ACP Exam

APIsec Certified Practitioner quiz, 100 questions
Question 1
What is the primary difference between authentication and authorization?

Authentication is a part of token issuance, while authorization is independent of tokens

Authentication determines permissions, while authorization confirms identity

Authentication is used for user logins, while authorization is used exclusively for APIs

Authentication verifies the identity, while authorization controls data/function access


Question 2
What is a typical vulnerability described by "Broken Function Level Authorization"?

API endpoints that are too exposed, allowing unauthorized access to business-critical workflows

Failure to properly manage API inventory and documentation, exposing Admin endpoints

Attackers exploiting weak encryption algorithms to decrypt Admin functions

Complex access control policies that allow attackers to gain unauthorized access to user resources or administrative functions


Question 3
Which tool was mentioned as useful for enforcing writing style guidelines in technical documentation?

BurpSuite

Vale

GitHub Pages

mitmweb2proxy


Question 4
Why is it important to define allowed parameters in your API specification regarding file paths?

To ensure easier debugging during development

To allow directory listings for troubleshooting

To filter and restrict inputs early, preventing invalid file access

To increase the flexibility of file access


Question 5
When was the first edition of the OWASP API Security Top 10 released?

2017

2019

2021

2023


Question 6
CORS stands for:

Content-Origin Restriction System

Cross-Origin Resource Sharing

Centralized Object Resource Sharing

Cookie-Oriented Resource Security


Question 7
The Capital One breach was primarily caused by which type of vulnerability?

Broken Authentication due to missing credentials

Broken Function Level Authorization

Improper Inventory Management of APIs

SSRF, which exploited misconfigured WAF


Question 8
What is the “phantom token flow” as described in the course?

Where the gateway converts an opaque token into a JWT

A technique for embedding multiple tokens in one request

A process for refreshing tokens without user interaction

A method to bypass token validation


Question 9
Which HTTP status code is commonly used to indicate that too many requests have been made?

200

404

429

500


Question 10
Why is it important for API documentation to cater to a broad audience?

So that all levels of technical developers can use the API

To ensure both technical and non-technical stakeholders can understand the API

To make the API more difficult to hack

So potential customers can understand your product without help


Question 11
Why should cookies be treated as untrusted user data?

Because they are stored on a secure server

Because attackers can modify, forge, or harvest cookie data

Because they are always encrypted and safe

Because they cannot be parsed by the server


Question 12
What does the phrase “Developers try, and business buys” imply?

Only technical documentation matters, not business documentation

Developers are the ones who ultimately decide on purchasing the product

A great developer experience through clear docs can drive overall business adoption

Business leaders are responsible for testing the API


Question 13
How do proof-of-possession (POP) tokens differ from bearer tokens?

POP tokens require the sender to prove possession, making them bound to a specific client

Bearer tokens always require an additional PIN code

Bearer tokens use asymmetric signing, while POP tokens use symmetric signing

POP tokens are inherently unencrypted


Question 14
How does TLS (Transport Layer Security) contribute to API security?

It automatically issues tokens to users

It proves the server’s and client’s identities over an encrypted channel

It sends the private key over the network for verification

It replaces the need for any token-based authentication


Question 15
How can multimedia elements (e.g., videos, diagrams) enhance API documentation?

By making complex concepts clearer

By automatically updating the API specs

By completely replacing written content

By reducing the need for error handling details


Question 16
Which of the following is NOT a common cause of a path traversal vulnerability?

Allowing user input to specify a file path without proper sanitization

Using relative paths instead of absolute paths to access files

Implementing strict input validation

Failure to properly validate file extensions or types before processing them


Question 17
Unsafe Consumption of APIs focuses primarily on which of the following?

Mitigating risks from third-party API data

Strengthening API provider defenses

Enhancing performance of API endpoints

Documenting API endpoints more clearly


Question 18
Which programming construct, if misused, can lead to unintentional error disclosure?

Switch-case statements

Try-catch blocks

Conditional statements

For loops


Question 19
What is the primary purpose of implementing rate limiting on an API?

To increase the number of allowed simultaneous connections

To reduce server latency by caching all responses

To block all unauthorized users from accessing the API

To prevent overloading the server and mitigate DoS attacks


Question 20
What is the primary risk associated with Broken Authentication (OWASP Top 10, A2)?

Users' passwords are stored in plaintext, making them vulnerable to exposure

Attackers may gain access to sensitive data through misconfigured permissions

API endpoints can be accessed without verifying the identity of the user

Attackers can bypass authentication mechanisms to impersonate users and steal sensitive information


Question 21
The Instagram password reset flaw is an example of which vulnerability?

Unrestricted Access to Sensitive Business Flows

Broken Object Level Authorization

Security Misconfiguration

Broken Authentication


Question 22
Which is NOT a use case for API Documentation?

To examine logs from a previous version of the API

To provide pen-testers with information necessary to craft attack scenarios

To provide a guide for integrating with third-party services

To explain the security features and protections of an API


Question 23
The Peloton breach example demonstrated which API vulnerability?

SSRF (Server Side Request Forgery)

Broken Function Level Authorization

Broken Authentication due to unsecured endpoints

Unsafe Security Misconfiguration in server settings of APIs


Question 24
What is recommended when consuming data from third-party APIs?

Trust the third-party API data implicitly

Treat third-party APIs with the same security as internally developed ones

Use unsecured connections to speed up data transfer

Avoid validating third-party data to reduce latency


Question 25
Which API security risk involves a lack of safeguards to prevent excessive resource use, potentially leading to denial of service or high operational costs?

Unrestricted Resource Consumption

Security Misconfiguration

Broken Object Level Authorization

Improper Inventory Management


Question 26
What is a key benefit of using a spec-driven approach (e.g., OpenAPI) for API documentation?

It helps keep the documentation in sync with the actual API

It makes it easier to connect to automated scanning tools

It allows new engineers to understand the API more quickly

It removes the need for any developer reviews


Question 27
Which organization is responsible for publishing the API Security Top 10?

PortSwigger

ISO (International Organization for Standardization)

OWASP (Open Worldwide Application Security Project)

NIST (National Institute of Standards and Technology)


Question 28
Which of the following tools is mentioned as useful for detecting security misconfigurations in APIs?

Man In The Middle Web

OWASP ZAP

HTTPX

Burp Decoder


Question 29
In the context of API documentation, what does “governance” refer to?

A government regulation for API usage

The process of writing code for the API endpoints

The enforcement of standards and processes to ensure consistency and security

A tool used to generate code samples


Question 30
What does the Secure flag on a cookie ensure?

It encrypts the cookie’s contents on the client machine

It ensures the cookie is only sent over HTTPS connections

It makes the cookie accessible across all protocols

It prevents the cookie from being modified by the server


Question 31
Which of the following correctly lists the three parts of a JSON Web Token (JWT)?

Header, Payload, Signature

Key, Payload, Algorithm

Identity, Claims, Metadata

Header, Body, Footer


Question 32
What is a common example of Improper Inventory Management in API security?

Outdated or retired API versions in production

API endpoints exposing excessive data in responses

API endpoints using predictable identifiers

API endpoints with missing token validation


Question 33
Which HTTP status code is typically used to indicate a client error?

200

302

400

500


Question 34
When an API needs to call another API using the received token, which of the following strategies can be employed?

By generating a completely new token from scratch without any relation to the original

Only by performing a token exchange every time

By exchanging the token, embedding a nested token, or sharing the original token

Only by directly sharing the same token across APIs


Question 35
What does "Unrestricted Resource Consumption" refer to in the context of API security?

APIs exposing sensitive data in responses that can be accessed by unauthorized users

Failure to implement proper API versioning, leading to compatibility issues

Weak authentication mechanisms allowing attackers to impersonate users

Attackers exploiting APIs to consume bandwidth, CPU, and memory, leading to DoS or increased costs


Question 36
Why might traditional web application scanners miss many API vulnerabilities?

They focus on common vulnerabilities, not logic flaws

They primarily scan for encryption issues

They do not check for the existence of APIs

They primarily test for network connectivity issues


Question 37
Rate limiting is important for controlling resource consumption because it:

Prevents unauthorized access to sensitive endpoints

Helps control server load and reduces costs by preventing abuse

Automatically adjusts server capacity to handle traffic spikes

Ensures that all requests are processed in the order they are received


Question 38
Broken Object Property Level Authorization (sometimes called BOPLA) deals with which of the following issues?

APIs lacking any authentication

APIs using weak encryption protocols

APIs returning excessive data

APIs with no rate limiting in place


Question 39
Why is CORS ineffective against direct API attacks?

Because it is enforced by browsers, not when an API is accessed directly

Because it requires additional encryption to work

Because it only blocks HTTP methods like GET and POST

Because it only applies to mobile applications


Question 40
What vulnerability is illustrated by the Trello example?

Security Misconfiguration in user credential checks

Broken Object Property Level Authorization

Unrestricted Resource Consumption

Broken Authentication


Question 41
What type of vulnerability is characterized by an API allowing users to perform functions (such as transferring funds) that should be restricted to higher-privileged roles?

Broken Function Level Authorization

Unrestricted Resource Consumption

Server Side Request Forgery

Broken Authentication


Question 42
Why should error messages sent to end users be generic?

To ensure error messages are logged in detail

To avoid revealing sensitive internal information that attackers could exploit

To confuse legitimate users

To allow easier debugging by external parties


Question 43
What is one major risk associated with outdated API documentation?

Authentication flows can be left exposed

API keys can potentially be left exposed in the old documentation

It will fail to automatically update with the latest API changes

It can lead to confusion and errors when the docs do not match the API’s actual behavior


Question 44
What issue does “Improper Inventory Management” refer to in API security?

APIs that are too difficult to test

Organizations having an incomplete view of all their APIs

APIs that return too much data

APIs that lack proper authentication controls


Question 45
Which three high-level types of API documentation were highlighted in the course?

Tutorials, white papers, and academic articles

API reference material, conceptual overviews, and workflow guides

API Example Documents, specified deep dives, and performance metrics

API reference guidelines, best practice frameworks, and OAS blueprints


Question 46
What does the vulnerability “Broken Object Level Authorization (BOLA)” primarily refer to?

Exposing too much data in API responses

Lack of proper rate limiting

User A’s ability to access a resource belonging to User B

Failure to authenticate users


Question 47
The Experian example highlighted a failure in which area?

Broken Object Level Authorization among users

Security Misconfiguration that allowed unauthorized API access

Unrestricted Resource Consumption through excessive requests

Broken Authentication due to weak passwords


Question 48
Which mitigation is recommended to prevent Broken Object Level Authorization vulnerabilities?

Using sequential and predictable resource IDs

Implementing server-side authorization controls with unpredictable identifiers

Relying on client-side authorization checks

Enabling input checks in the application UI


Question 49
How does CORS enhance security in web applications?

By blocking all external API requests

By disabling client-side scripting

By encrypting all data sent between client and server

By allowing browsers to restrict requests from unauthorized origins


Question 50
Documenting an API early in the development process primarily helps with which of the following?

Guaranteeing that the final product is bug-free

Enabling early feedback, security reviews, and identifying issues before production

Preventing any future changes to the API

Eliminating the need for developer testing


Question 51
Which answer best describes how Basic Authentication is achieved?

It uses digital certificates to authenticate the user

It sends a username and password (encoded in base64) in the HTTP authorization header

It relies on a third-party token issuer

It sends an encrypted token in the HTTP header


Question 52
Which HTTP header is most commonly exploited to reveal the underlying web server technology?

Date

Content-Type

Cache-Control

Server


Question 53
In OAuth, what is the main function of the Authorization Server?

It directly hosts the API resources

It stores client credentials permanently

It issues tokens to clients

It acts as a proxy for TLS connections


Question 54
What is one primary benefit of including interactive “Try it!” features in API docs?

It gives ethical hackers ways to verify their attacks

It allows developers to see how an API interacts with their organization

It helps developers connect the front end to the API

It allows developers to simulate API calls and see live responses


Question 55
Which of the following are identified as the three pillars of API Security?

Testing, Development, Documentation

Authentication, Authorization, Encryption

Governance, Monitoring, Testing

Identification, Authentication, Accountability


Question 56
What is the primary role of an API key in API authentication?

To serve as both the username and password in one string for identification

To identify the application (machine identity) making the request

To provide end-to-end encryption for API requests

To verify the user’s identity and role


Question 57
During the API design phase, what best practice is recommended to help prevent security vulnerabilities?

Address documentation after code complete to speed up deployment

Focus primarily on performance testing

Utilize the user interface to filter data

Involve security teams early


Question 58
What is the primary security risk of a Server-Side Request Forgery (SSRF) attack?

It enables unauthorized requests to internal services and networks

It injects malicious JavaScript into web pages

It allows an attacker to force a user to reset their password

It corrupts database entries by altering API responses


Question 59
What is a key advantage of token-based authentication over basic authentication in API security?

Tokens can expire and carry additional authorization details

It requires users to enter their credentials on every request

It uses a simpler mechanism that always relies on API keys

Tokens eliminate the need for TLS encryption


Question 60
Which string pattern is most commonly used by attackers in path traversal exploits?

""

"../"

“HTTP/1.1"

“SELECT *”


Question 61
Which of the following is an example of an Injection vulnerability as described in the OWASP Top 10?

A mobile app using weak password hashing algorithms

A web application failing to check input for SQL commands, allowing an attacker to manipulate database queries

An application accepting API requests without proper authentication checks

A user logging in without any encryption, exposing login credentials


Question 62
In the Venmo example, what mistake led to excessive data exposure?

The API endpoint used incremental IDs

The API employed outdated encryption methods

The API had incorrect URL mappings

The API did not limit the fields returned


Question 63
What is the main difference between a “by reference” token and a “by value” token?

By value tokens are only used for client credentials

By value tokens are self contained, while by reference tokens require an introspection call

By reference tokens are always encrypted; by value tokens are not

By reference tokens are self-contained, while by value tokens require an introspection call


Question 64
Unsafe Consumption of APIs is mostly associated with risks from:

APIs with no rate limiting controls

APIs with outdated documentation

Over-permissioned internal APIs

Third-party APIs that are insecure or improperly integrated


Question 65
How does a Server-Side Request Forgery (SSRF) attack typically exploit an application?

By tricking the server into making requests to unintended URLs, such as internal services

By injecting malicious SQL queries into API requests

By forcing the client to download a malicious script

By redirecting users to a phishing website through a spoofed domain


Question 66
What is a potential drawback of using hand-curated documentation instead of a spec-driven approach?

It won’t include the correct parameters for all of the listed endpoints

It’s more likely to have an outdated API removed on re-release

It requires no technical knowledge to maintain

It may not easily integrate with automated tools or remain in sync with the API


Question 67
What does “error disclosure” refer to in API security?

Providing overly detailed error information that may aid attackers

Logging errors solely for internal use

Using error messages to assist in user authentication

Hiding all error messages from users


Question 68
What is the purpose of PKCE (Proof Key for Code Exchange) in the OAuth authorization code flow?

To authenticate the resource owner directly

To replace the need for a client secret

To bind the authorization request and token request together

To encrypt the token payload


Question 69
Which of the following professions would benefit most from understanding the OWASP API Top 10?

Developers, to help them write cleaner, more organized code

UI/UX designers, to understand how security issues may impact the user experience

Business leaders, to support strategic decision making

Penetration testers, to identify and exploit vulnerabilities in APIs


Question 70
What is a characteristic of Broken Object Level Authorization (BOLA) vulnerabilities?

Objects within an API are not properly authenticated, allowing any user to access them

API endpoints fail to validate data inputs, leading to potential data breaches

Authentication credentials are stored insecurely, making them vulnerable to theft

Attackers can manipulate object identifiers to access unauthorized resources or perform actions outside their authorization level


Question 71
In the Coinbase example, what was the primary issue that allowed a hacker to sell Ethereum as Bitcoin?

A missing logic validation check on the asset ID

Overly strict rate limiting

The absence of authentication on the API

Exposing the API documentation publicly


Question 72
What role does a gateway play in API security?

It replaces the authorization server

It generates new tokens for every API call

It inspects requests, validates tokens, and enforces authorization

It stores all user credentials


Question 73
In a BOLA vulnerability, what is the main security issue?

Excessive logging of API requests

Inadequate authorization checks on API resource access

Weak password policies

Overly strict input sanitization


Question 74
Which statement best describes the primary role of APIs in modern applications?

They enforce security protocols on all traffic generated by users

They allow the user to communicate with the UI of an application

They serve as a bridge for communication between systems and devices

They safely transport secure data to end users


Question 75
Which role is particularly valuable for producing high-quality API documentation?

Product marketing team

Product Engineers

Technical writers who understand APIs

Only the original API developers


Question 76
How does comprehensive API documentation contribute to improved security?

By speeding up pen testers' ability to attack your application

By decreasing room for error when a developer is connecting to an API

By allowing developers to see the source code of the API

By defining consistent authentication and authorization practices


Question 77
How can you reduce the risk of server information leaks?

Remove or customize server response headers to hide sensitive details

Enable verbose error messages

Allow directory listings to mask true server details

Display server version numbers for transparency


Question 78
Which of the following is NOT one of the four primary actors in the OAuth protocol?

Resource Owner

Authorization Server

Client

Encryption Server


Question 79
Which risk category in the 2023 update is a combination of Excessive Data Exposure and Mass Assignment?

Broken Function Level Authorization

Broken Object Property Level Authorization

Broken Authentication

Unsafe Consumption of APIs


Question 80
How does an API facilitate communication between software applications?

By compiling code into machine-readable instructions

By storing and retrieving user credentials for authentication

By defining a set of rules and protocols for data exchange

By converting frontend code into backend logic automatically


Question 81
Which of the following is an example of Security Misconfiguration according to the OWASP Top 10?

Using default configurations in a cloud environment, exposing sensitive data to unauthorized access

Allowing cross-origin resource sharing (CORS) without restrictions

Failing to use encryption for sensitive data storage

All of the above


Question 82
In the Bumble example, which vulnerability allowed users to upgrade their account without proper payment?

Broken Object Level Authorization

Broken Function Level Authorization

Broken Authentication

Unrestricted Access to Sensitive Business Flows


Question 83
What is one major benefit of using an API gateway as mentioned in the course?

It centralizes API management and allows consistent policies

It eliminates the need for API documentation

It removes the need for manual testing entirely

It automates the entire API development process


Question 84
What are claims within the context of OAuth tokens?

They provide detailed user identity information for fine-grained authorization

They represent the token’s encryption algorithm

They are alternative names for scopes

They are metadata used only for logging purposes encryption in API communication


Question 85
Which is most commonly responsible for authentication breaches?

Unsecured endpoints

Overly complex authentication

Lack of captcha

Lack of 2-factor authentication


Question 86
What is the purpose of the ‘kid’ (Key ID) or ‘x5t’ field in a JWT header?

To reference the key or certificate used to sign the token

To define the token format (by value or by reference)

To list the token’s scopes

To indicate the expiration time of the token


Question 87
What is the primary purpose of the HTTP Only flag on a cookie?

To prevent JavaScript from reading the cookie data

To improve cookie encryption on the client side

To increase the cookie’s storage size

To allow JavaScript access for dynamic content


Question 88
What is meant by a server information leak?

A header that advertises the server’s uptime

Any unintended exposure of details about the server’s configuration and technology stack

A feature that displays server logs publicly

A vulnerability that exposes the server’s file system structure


Question 89
Why is a refresh token used in OAuth?

To allow the client to obtain new access tokens without re-prompting the user for credentials

To provide the client with a token that never expires

To be sent to the resource server along with the access token

To encrypt the access token


Question 90
Which technical tip can help implement effective rate limiting?

Rely solely on disk-based SQL operations to track requests

Ignore client signatures when setting rate limits

Use in-memory solutions like caching to manage throttle counters

Increase rate limits during peak hours to accommodate all users


Question 91
In the course, what does “API sprawl” refer to?

The growth of API documentation in multiple formats

The expansion of an API’s functionality over time

The existence of undocumented APIs leading to duplication

The use of too many programming languages in one API


Question 92
In OAuth, what purpose do scopes serve?

They define the access privileges granted at an application level

They identify the resource server for the token

They specify the lifetime of a token

They determine which encryption method is used for the token


Question 93
Why is it generally discouraged for clients to decode and rely on the contents of access tokens (e.g., JWTs)?

Because decoding tokens is computationally prohibitive

Because the tokens are encrypted and cannot be read

Because access tokens do not contain any useful information

Because the token’s internal structure may change over time


Question 94
How should developers use API documentation when integrating an API?

Rely on sample code from the documentation and modify it for your integration

Read through the endpoints, request formats, and authentication methods before starting integration

Only reference the documentation when encountering errors

Use the documentation only to check for error codes


Question 95
What is a path traversal vulnerability?

It encrypts sensitive data on the server

It allows unintended access to files and directories

It allows attackers to modify server configurations

It enables injection of malicious scripts


Question 96
What is the purpose of having a “security style guide” as part of API documentation?

To provide syntax when replacing verbose error messages

To list how discovered vulnerabilities should be remedied

To standardize the visual design of the documentation pages

To enforce consistent security practices across the API


Question 97
What is the primary focus of the “OWASP API Security Top 10 and Beyond” course?

Updates on API security vulnerabilities

Fundamentals of network infrastructure security

Best practices for writing API documentation

How to design RESTful APIs from scratch


Question 98
What is the primary security risk associated with bearer tokens?

They are incompatible with JSON Web Tokens

They can only be used with mutual TLS

They require multiple headers for transmission

They can be used by anyone in possession of the token


Question 99
Why is it important to document error responses in API documentation?

To stay accountable with government regulations and requirements

To help developers understand and handle failures

To confuse non-technical stakeholders

To help pen testers have a better understanding of their attack progress


Question 100
Which specification format is commonly used to create machine- and human-readable API documentation?

OpenAPI

XML Schema

HTML5

JSON Web Tokens
