Practice CEH Network and Web Application Attacks questions with full explanations on every answer.
1. During a penetration test, you notice that a web application accepts user input and displays it directly in the browser without sanitization. Which attack is most likely to succeed?
2. As a network defender, you notice an unusually high number of incomplete TCP three-way handshakes from a single external IP to multiple internal hosts. What is the most likely attack taking place?
3. A security analyst is configuring a web application firewall (WAF) to protect against SQL injection. Which HTTP parameter location should the analyst focus on to block malicious SQL queries?
4. You are performing a web application security assessment and discover that the application uses a hidden form field named 'price' to store the product price. The price is submitted with the form and used to process payments. Which attack would allow you to purchase an item for a lower price?
5. A network administrator wants to prevent an attacker from using a network sniffer to capture traffic between a client and a web server. Which protocol should be enforced to encrypt all communication?
6. Which TWO of the following are common web application vulnerabilities that allow an attacker to inject malicious code? (Select exactly 2)
7. Which THREE of the following are effective countermeasures against DNS poisoning attacks? (Select exactly 3)
8. Refer to the exhibit. A security analyst captured the HTTP request and response shown. What type of vulnerability is present?
9. You are the lead security engineer for a financial technology company that hosts a critical web application on three load-balanced servers behind a reverse proxy. The application uses a REST API to process transactions. Recently, the company has experienced intermittent service outages during peak hours. Upon reviewing logs, you find that the reverse proxy is returning HTTP 503 errors for legitimate API requests, and the application servers show high CPU usage but normal memory. The network team reports no bandwidth issues. The application team claims no code changes were made. You suspect a specific type of attack is causing the outages. Which action should you take first to confirm the attack type?
10. A penetration tester is analyzing a captured TCP session that includes a successful SQL injection attack. Which TWO of the following indicators would most likely confirm that the attack was successful?
11. Refer to the exhibit. A penetration tester executed the SQL injection payload and received the response shown. What is the most likely outcome of this attack?
12. You are a security analyst for a medium-sized e-commerce company. The company hosts its web application on a single server running Apache on Ubuntu. Recently, the operations team noticed that the server's CPU usage spikes to 100% every few minutes, causing the website to become unresponsive. They have ruled out hardware issues. The web server logs show repeated requests to the same URL with varying parameters, such as /product?id=1, /product?id=2, etc., all originating from a single IP address. Each request returns a 200 OK response, but the server takes several seconds to generate the page. The application uses a relational database backend with an ORM. You suspect an attack is occurring. What is the most likely attack and the best immediate course of action?
13. Drag and drop the steps to recover a forgotten Windows administrator password using a bootable Linux USB into the correct order.
14. Match each encryption algorithm to its type.
15. Refer to the exhibit. A security analyst notices multiple ESTABLISHED connections on port 443 from different external IPs to the same process ID. What type of attack is most likely occurring?
16. Refer to the exhibit. A web server log shows requests from a single IP. Which vulnerability is being exploited?
17. Refer to the exhibit. A user visits a malicious site that returns this HTML. Which attack is being executed?
18. Refer to the exhibit. An analyst runs an Nmap scan and finds these services. Which known vulnerability is most likely to be successfully exploited?
19. Refer to the exhibit. A penetration tester sends a SOAP request and receives multiple user records. Which vulnerability is present?
The Network and Web Application Attacks domain covers the key concepts tested in this area of the CEH exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CEH domains — no account required.
The Courseiva CEH question bank contains 19 questions in the Network and Web Application Attacks domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Network and Web Application Attacks domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.