From e2f80b18e279120ddfc3a90b21c5e9647915d58d Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Tue, 11 Mar 2025 20:05:35 +0100
Subject: [PATCH] fix: rewrite questions (#2057)

Closes: gh-1178
---
 .../js/questions_sql_injection.json | 88 ++++++++++---------
 .../js/questions_cross_site_scripting.json | 28 +++---
 2 files changed, 61 insertions(+), 55 deletions(-)

diff --git a/src/main/resources/lessons/sqlinjection/js/questions_sql_injection.json b/src/main/resources/lessons/sqlinjection/js/questions_sql_injection.json
index 19bad9565..269abe21e 100644
--- a/src/main/resources/lessons/sqlinjection/js/questions_sql_injection.json
+++ b/src/main/resources/lessons/sqlinjection/js/questions_sql_injection.json
@@ -1,43 +1,49 @@
 {
- "questions": [{
- "text": "What is the difference between a prepared statement and a statement?",
- "solutions": {
- "1": "Prepared statements are statements with hard-coded parameters.",
- "2": "Prepared statements are not stored in the database.",
- "3": "A statement is faster.",
- "4": "A statement has got values instead of a prepared statement"
- }
- }, {
- "text": "Which one of the following characters is a placeholder for variables?",
- "solutions": {
- "1": "*",
- "2": "=",
- "3": "?",
- "4": "!"
- }
- }, {
- "text": "How can prepared statements be faster than statements?",
- "solutions": {
- "1": "They are not static so they can compile better written code than statements.",
- "2": "Prepared statements are compiled once by the database management system waiting for input and are pre-compiled this way.",
- "3": "Prepared statements are stored and wait for input it raises performance considerably.",
- "4": "Oracle optimized prepared statements. Because of the minimal use of the databases resources it is faster."
- }
- }, {
- "text": "How can a prepared statement prevent SQL-Injection?",
- "solutions": {
- "1": "Prepared statements have got an inner check to distinguish between input and logical errors.",
- "2": "Prepared statements use the placeholders to make rules what input is allowed to use.",
- "3": "Placeholders can prevent that the users input gets attached to the SQL query resulting in a seperation of code and data.",
- "4": "Prepared statements always read inputs literally and never mixes it with its SQL commands."
- }
- }, {
- "text": "What happens if a person with malicious intent writes into a register form :Robert); DROP TABLE Students;-- that has a prepared statement?",
- "solutions": {
- "1": "The table Students and all of its content will be deleted.",
- "2": "The input deletes all students with the name Robert.",
- "3": "The database registers 'Robert' and deletes the table afterwards.",
- "4": "The database registers 'Robert' ); DROP TABLE Students;--'."
- }
- }]
+ "questions": [
+ {
+ "text": "What is the difference between a prepared statement and a statement?",
+ "solutions": {
+ "1": "Prepared statements are statements with hard-coded parameters.",
+ "2": "Prepared statements are not stored in the database.",
+ "3": "A statement is faster executes faster than a prepared statement.",
+ "4": "A statement includes actual values, whereas a prepared statement uses placeholders."
+ }
+ },
+ {
+ "text": "Which one of the following characters is a placeholder for variables?",
+ "solutions": {
+ "1": "*",
+ "2": "=",
+ "3": "?",
+ "4": "!"
+ }
+ },
+ {
+ "text": "How can prepared statements be faster than statements?",
+ "solutions": {
+ "1": "Prepared statements are not static, allowing them to be optimized more efficiently than regular statements.",
+ "2": "Prepared statements are compiled once by the database management system and then reused with different inputs, reducing compilation overhead.",
+ "3": "Since prepared statements are stored and wait for input, they improve performance significantly.",
+ "4": "Oracle optimizes prepared statements, making them faster by minimizing the use of database resources."
+ }
+ },
+ {
+ "text": "How do prepared statements help prevent SQL injection?",
+ "solutions": {
+ "1": "Prepared statements have built-in mechanisms to distinguish between user input and SQL logic, preventing malicious manipulation.",
+ "2": "Prepared statements use placeholders to enforce rules on allowed input, reducing the risk of SQL injection.",
+ "3": "Placeholders prevent user input from being directly appended to the SQL query, ensuring a clear separation between code and data.",
+ "4": "Prepared statements treat all user input as literal values, never mixing it with SQL commands."
+ }
+ },
+ {
+ "text": "What happens if a person with malicious intent enters the following input into a registration form that uses a prepared statement? Input: Robert); DROP TABLE Students;--",
+ "solutions": {
+ "1": "The Students table and all its data will be deleted.",
+ "2": "The input deletes all students named Robert.",
+ "3": "The database registers Robert and then deletes the table.",
+ "4": "The database treats the entire input as a plain string: Robert); DROP TABLE Students;-- without executing it as SQL."
+ }
+ }
+ ]
 }
diff --git a/src/main/resources/lessons/xss/js/questions_cross_site_scripting.json b/src/main/resources/lessons/xss/js/questions_cross_site_scripting.json
index c7775eb3c..3a6064759 100644
--- a/src/main/resources/lessons/xss/js/questions_cross_site_scripting.json
+++ b/src/main/resources/lessons/xss/js/questions_cross_site_scripting.json
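Review bot: Answer 3 of the first question on the new side, `"3": "A statement is faster executes faster than a prepared statement."`, is a garbled sentence in which the old "is faster" was left in front of the new "executes faster"; it should read `"3": "A statement executes faster than a prepared statement.",`. In the fourth question, new answers 3 and 4 both describe parameter binding accurately (input is kept separate from the query / treated as a literal value), so unless the answer key accepts both, one of them should be reworded into a clear distractor; the key is not in this file, so I cannot tell which is intended. A distractor that is also true will be marked wrong for learners who pick it.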
@@ -1,19 +1,19 @@
 {
 "questions": [{
- "text": "Are trusted websites immune to XSS attacks?",
+ "text": "Is a well known website, like Netflix, immune to XSS attacks?",
 "solutions": {
- "1": "Yes they are safe because the browser checks the code before executing.",
- "2": "Yes because Google has got an algorithm that blocks malicious code.",
- "3": "No because the script that is executed will break through the defense algorithm of the browser.",
- "4": "No because the browser trusts the website if it is acknowledged trusted, then the browser does not know that the script is malicious."
+ "1": "Yes, they are safe because the browser checks the code before executing.",
+ "2": "Yes, because Google has got an algorithm that blocks malicious code.",
+ "3": "No, because the script that is executed will break through the defense algorithm of the browser.",
+ "4": "No, because the browser trusts the website if it is acknowledged trusted, then the browser does not know that the script is malicious."
 }
 }, {
 "text": "When do XSS attacks occur?",
 "solutions": {
- "1": "Data enters a web application through a trusted source.",
- "2": "Data enters a browser application through the website.",
- "3": "The data is included in dynamic content that is sent to a web user without being validated for malicious content.",
- "4": "The data is excluded in static content that way it is sent without being validated."
+ "1": "When malicious scripts are injected into a website's server-side code.",
+ "2": "When a user submits sensitive information without encryption.",
+ "3": "When a website fails to validate or sanitize user input, allowing malicious scripts to be executed in a user's browser.",
+ "4": "When a website uses outdated SSL/TLS protocols."
 }
 }, {
 "text": "What are Stored XSS attacks?",
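Review bot: The first question now asks about Netflix, but new answer 2 still reads `"2": "Yes, because Google has got an algorithm that blocks malicious code.",`, so the distractor names a different site than the question; either keep the question generic or make the answer refer to the same site, e.g. `"2": "Yes, because Netflix has got an algorithm that blocks malicious code.",`. The compound modifier should be hyphenated: `"text": "Is a well-known website, like Netflix, immune to XSS attacks?",`. New answer 4 carries over the old run-on sentence; splitting it after "acknowledged trusted" would make it readable. The questions array continues past the end of this hunk.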
@@ -27,17 +27,17 @@
 "text": "What are Reflected XSS attacks?",
 "solutions": {
 "1": "Reflected attacks reflect malicious code from the database to the web server and then reflect it back to the user.",
- "2": "They reflect the injected script off the web server. That occurs when input sent to the web server is part of the request.",
+ "2": "They reflect the injected script off the web server. That occurs when input sent to the web server is part of the response.",
 "3": "Reflected attacks reflect from the firewall off to the database where the user requests information from.",
 "4": "Reflected XSS is an attack where the injected script is reflected off the database and web server to the user."
 }
 }, {
 "text": "Is JavaScript the only way to perform XSS attacks?",
 "solutions": {
- "1": "Yes you can only make use of tags through JavaScript.",
- "2": "Yes otherwise you cannot steal cookies.",
- "3": "No there is ECMAScript too.",
- "4": "No there are many other ways. Like HTML, Flash or any other type of code that the browser executes."
+ "1": "Yes, you can only make use of tags through JavaScript.",
+ "2": "Yes, otherwise you cannot steal cookies.",
+ "3": "No, there is ECMAScript too.",
+ "4": "No, there are many other ways. Like HTML, Flash or any other type of code that the browser executes."
 }
 }]
 }
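Review bot: The reworded answer 2, `"... That occurs when input sent to the web server is part of the response."`, mixes up the two directions: the input travels in the request, and the reflection is the server echoing it in the response, so "input sent to the web server is part of the response" reads as a contradiction (the old "part of the request" matched the usual OWASP phrasing). Naming both sides avoids the confusion, e.g. `"2": "They reflect the injected script off the web server. That occurs when input sent to the web server in a request is echoed back unescaped in the response.",`. New answer 4 still cites Flash, which current browsers no longer run; if the answer key allows, a present-day example would keep the question accurate. The enclosing questions array and the first question's object begin outside this hunk.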