CCNA Network and Web Application Attacks Questions

19 questions · Network and Web Application Attacks · All types, answers revealed

1
MCQ · hard

You are performing a web application security assessment and discover that the application uses a hidden form field named 'price' to store the product price. The price is submitted with the form and used to process payments. Which attack would allow you to purchase an item for a lower price?

A. Directory traversal
B. Parameter tampering
C. Cross-Site Scripting (XSS)
D. Cross-Site Request Forgery (CSRF)
Answer: B

Parameter tampering modifies hidden fields or URL parameters.

Why this answer

Parameter tampering is the correct answer because the 'price' field is stored in a hidden form field, which is client-side data that can be modified before submission. By intercepting the HTTP request (e.g., using a proxy like Burp Suite) and changing the 'price' value to a lower amount, the attacker can purchase the item at a reduced cost. This exploits the lack of server-side validation of the price parameter.

Exam trap

The trap here is that candidates often confuse parameter tampering with CSRF, but CSRF does not allow modifying the request body; it only reuses existing parameters from a forged request, whereas parameter tampering directly alters the parameter value.

How to eliminate wrong answers

Option A is wrong because directory traversal targets file system paths (e.g., ../../../etc/passwd) to access unauthorized files, not form field values. Option C is wrong because Cross-Site Scripting (XSS) injects malicious scripts into web pages to steal cookies or execute client-side code, not to modify form data during submission. Option D is wrong because Cross-Site Request Forgery (CSRF) forces a user to perform unintended actions on a trusted site using their session, but it does not allow the attacker to directly alter the price value in the request; it only replays existing parameters.

2
MCQ · hard

Refer to the exhibit. A security analyst notices multiple ESTABLISHED connections on port 443 from different external IPs to the same process ID. What type of attack is most likely occurring?

A. Distributed denial-of-service (DDoS) attack
B. SSL/TLS renegotiation DoS
C. Slowloris attack
D. Man-in-the-middle attack
Answer: A

Multiple external IPs establishing connections to the same server process on port 443 indicates a volumetric DDoS attack, especially if the server is overwhelmed.

3
MCQ · hard

Refer to the exhibit. A user visits a malicious site that returns this HTML. Which attack is being executed?

A. Cross-site scripting (XSS)
B. Session hijacking
C. Phishing attack
D. Cross-site request forgery (CSRF)
Answer: D

The malicious site auto-submits a form to a legitimate bank's transfer endpoint, performing an unauthorized action using the user's session.

4
MCQ · hard

Refer to the exhibit. A penetration tester sends a SOAP request and receives multiple user records. Which vulnerability is present?

A. SQL injection in SOAP service
B. XML External Entity (XXE) injection
C. Cross-site scripting (XSS)
D. Command injection
Answer: A

The userId parameter contains '1 OR 1=1', which results in returning all users, indicating SQL injection.

5
MCQ · easy

You are a security analyst for a medium-sized e-commerce company. The company hosts its web application on a single server running Apache on Ubuntu. Recently, the operations team noticed that the server's CPU usage spikes to 100% every few minutes, causing the website to become unresponsive. They have ruled out hardware issues. The web server logs show repeated requests to the same URL with varying parameters, such as /product?id=1, /product?id=2, etc., all originating from a single IP address. Each request returns a 200 OK response, but the server takes several seconds to generate the page. The application uses a relational database backend with an ORM. You suspect an attack is occurring. What is the most likely attack and the best immediate course of action?

A. Implement rate limiting on the /product endpoint
B. Block the IP address of the attacker at the firewall
C. Install a web application firewall (WAF) to detect and block malicious requests
D. Apply input validation to ensure product IDs are positive integers
Answer: B

Blocking the single source IP immediately stops the attack; further analysis can be done later.

Why this answer

The attack is a resource exhaustion or application-layer DoS attack, where repeated requests to a database-backed endpoint (e.g., /product?id=1, /product?id=2) cause high CPU usage due to expensive ORM queries. The immediate best course is to block the single attacking IP at the firewall, as it stops the malicious traffic at the network perimeter with minimal overhead, preserving server resources for legitimate users.

Exam trap

EC-Council often tests the distinction between immediate containment (blocking the IP) and long-term hardening (WAF, rate limiting, input validation), and the trap here is that candidates choose a more 'secure' but slower solution like a WAF or input validation, missing the urgency of stopping the active attack first.

How to eliminate wrong answers

Option A is wrong because rate limiting on the /product endpoint would still allow the attacker to consume resources before being throttled, and it does not address the immediate CPU spike; it is a longer-term mitigation. Option C is wrong because installing a WAF is a proactive measure that requires configuration and tuning, not an immediate action to stop an ongoing attack; it also may not block a simple repeated-request pattern without specific rules. Option D is wrong because input validation to ensure product IDs are positive integers would not prevent the attack—the requests already use valid positive integers (1, 2, etc.)—and the issue is the volume of requests, not the parameter values.

6
MCQ · hard

You are the lead security engineer for a financial technology company that hosts a critical web application on three load-balanced servers behind a reverse proxy. The application uses a REST API to process transactions. Recently, the company has experienced intermittent service outages during peak hours. Upon reviewing logs, you find that the reverse proxy is returning HTTP 503 errors for legitimate API requests, and the application servers show high CPU usage but normal memory. The network team reports no bandwidth issues. The application team claims no code changes were made. You suspect a specific type of attack is causing the outages. Which action should you take first to confirm the attack type?

A. Configure the firewall to block all incoming traffic from the IPs that appear most frequently in logs.
B. Analyze the incoming request patterns in the reverse proxy logs to identify if there is a high volume of requests to a specific API endpoint.
C. Increase the number of application servers to handle the load.
D. Run a SQL injection scanner on the application.
Answer: B

This can confirm a Layer 7 DDoS attack targeting a specific endpoint.

Why this answer

Option B is correct because the symptoms (HTTP 503 errors, high CPU usage on application servers, normal memory, and no bandwidth issues) strongly suggest a Layer 7 DDoS attack, specifically an HTTP flood targeting a resource-intensive API endpoint. By analyzing reverse proxy logs for a high volume of requests to a specific endpoint, you can confirm the attack type (e.g., a Slowloris or GET flood) before taking mitigation steps. This aligns with the CEH methodology of first identifying the attack vector through log analysis.

Exam trap

The trap here is that candidates often jump to blocking IPs (Option A) or scaling horizontally (Option C) as immediate fixes, but the CEH exam emphasizes first confirming the attack vector through log analysis rather than taking reactive or misdirected actions.

How to eliminate wrong answers

Option A is wrong because blocking IPs from logs without analyzing request patterns may block legitimate users behind NAT or proxies, and it does not confirm the attack type—it's a reactive measure that could worsen outages. Option C is wrong because increasing servers treats the symptom (high CPU) without confirming the attack; it may be ineffective if the attack is a slow-rate DDoS or application-layer flaw, and it doesn't help identify the root cause. Option D is wrong because SQL injection scanners test for injection vulnerabilities, but the symptoms (503 errors, high CPU, no code changes) point to a volumetric or resource-exhaustion attack, not a database injection.

7
MCQ · medium

A network administrator wants to prevent an attacker from using a network sniffer to capture traffic between a client and a web server. Which protocol should be enforced to encrypt all communication?

A. SNMP
B. FTP
C. HTTPS
D. HTTP
Answer: C

HTTPS encrypts data with TLS.

Why this answer

HTTPS (HTTP over TLS, RFC 2818) encrypts all communication between a client and a web server using TLS/SSL, preventing a network sniffer from capturing plaintext data such as cookies, URLs, or form submissions. This ensures confidentiality and integrity of the web traffic, directly countering passive eavesdropping attacks.

Exam trap

The trap here is that candidates often confuse encryption with authentication or assume that any protocol with 'secure' in its name (like SNMPv3) is suitable for web traffic, when the question specifically requires a protocol that encrypts client-to-web-server communication — only HTTPS directly fulfills that role.

How to eliminate wrong answers

Option A is wrong because SNMP (Simple Network Management Protocol) is used for managing and monitoring network devices, not for encrypting web traffic; its default versions (v1/v2c) send community strings in plaintext, and even SNMPv3 with encryption is irrelevant to client-server web communication. Option B is wrong because FTP (File Transfer Protocol) transmits data and credentials in cleartext, making it vulnerable to sniffing; it does not encrypt web traffic and is designed for file transfers, not web browsing. Option D is wrong because HTTP transmits data in plaintext, allowing any network sniffer to capture the entire request/response payload, including sensitive information like passwords and session tokens.

8
MCQ · medium

Refer to the exhibit. A web server log shows requests from a single IP. Which vulnerability is being exploited?

A. Directory traversal
B. Cross-site scripting (XSS)
C. Remote file inclusion (RFI)
D. SQL injection
Answer: A

The requests use '../' to traverse directories and access files like /etc/passwd and SAM, which is classic directory traversal.

9
Multi-Select · medium

A penetration tester is analyzing a captured TCP session that includes a successful SQL injection attack. Which TWO of the following indicators would most likely confirm that the attack was successful?

Select 2 answers
A. The server redirects to a login page (302)
B. The server returns a 500 Internal Server Error
C. The response contains database error messages or unexpected data
D. The server returns a 200 OK status code
E. The client receives no response (timeout)
Answers: C, D

Database error messages or extra data in the response are strong indicators of successful injection.

Why this answer

Option C is correct because a successful SQL injection often results in the database returning error messages or unexpected data directly in the HTTP response, confirming that the attacker's injected SQL statements were executed and returned results. This is a direct indicator of a successful attack, as the server processes the malicious input and includes database output in the response body.

Exam trap

The trap here is that candidates often mistake a 500 Internal Server Error (Option B) as a sign of success, but in CEH and real-world analysis, a 500 error usually indicates a failed or crashing injection, not a successful data extraction.

10
Multi-Select · hard

Which THREE of the following are effective countermeasures against DNS poisoning attacks? (Select exactly 3)

Select 3 answers
A. Use a single DNS server for all queries
B. Restrict recursive queries to trusted sources
C. Disable DNS caching
D. Use a split DNS architecture
E. Implement DNSSEC
Answers: B, D, E

Limiting recursion prevents unauthorized use.

Why this answer

Option B is correct because restricting recursive queries to trusted sources prevents attackers from using your DNS server as an open resolver to cache forged responses. By limiting recursion to authorized clients only, the server will not accept and cache DNS data from external, potentially malicious queries, which is a primary vector for DNS cache poisoning.

Exam trap

The trap here is that candidates may think disabling DNS caching (Option C) is a valid countermeasure, but CEH expects you to recognize that it is not a security best practice and that DNSSEC, split DNS, and restricting recursion are the standard, effective defenses.

11
MCQ · medium

Refer to the exhibit. A security analyst captured the HTTP request and response shown. What type of vulnerability is present?

A. Cross-Site Request Forgery (CSRF)
B. SQL Injection
C. Reflected Cross-Site Scripting (XSS)
D. Directory Traversal
Answer: C

The input is reflected in the response and executed as script.

Why this answer

The HTTP response contains the search query parameter directly reflected in the HTML body without proper sanitization or encoding. Specifically, the request includes `?search=<script>alert('XSS')</script>` and the response echoes this payload verbatim in the page content, allowing the browser to execute the injected JavaScript. This is the classic signature of a reflected cross-site scripting (XSS) vulnerability, where the malicious script is immediately reflected off the web server and executed in the user's browser.

Exam trap

EC-Council often tests the distinction between reflected XSS and stored XSS, but the trap here is confusing reflected XSS with CSRF because both involve crafted URLs; CSRF, however, does not execute JavaScript in the response. It forges a state-changing request using the victim's session.

How to eliminate wrong answers

Option A is wrong because Cross-Site Request Forgery (CSRF) requires a forged request that changes state (e.g., a POST to transfer funds) and relies on the victim's authenticated session, not on reflected script execution in the response body. Option B is wrong because SQL Injection involves manipulating SQL queries via input fields (e.g., `' OR 1=1--`), but the exhibited payload is a JavaScript alert, not a SQL syntax-breaking string, and the response shows no database error or data leakage. Option D is wrong because Directory Traversal exploits path traversal sequences (e.g., `../etc/passwd`) to access files outside the web root, but the request parameter is `search` and the response contains HTML with the injected script, not file contents or directory listings.

12
Multi-Select · easy

Which TWO of the following are common web application vulnerabilities that allow an attacker to inject malicious code? (Select exactly 2)

Select 2 answers
A. Brute Force
B. Cross-Site Scripting (XSS)
C. Path Traversal
D. SQL Injection
E. Cross-Site Request Forgery (CSRF)
Answers: B, D

XSS injects client-side scripts.

Why this answer

Cross-Site Scripting (XSS) is a common web application vulnerability that allows an attacker to inject malicious client-side scripts (typically JavaScript) into web pages viewed by other users. This occurs when an application includes untrusted data in a web page without proper validation or escaping, enabling the attacker to execute arbitrary code in the victim's browser within the context of the trusted site.

Exam trap

The trap here is that candidates often confuse Cross-Site Request Forgery (CSRF) with an injection vulnerability, but CSRF does not inject code into the application; it forges requests using the victim's authenticated session, whereas XSS and SQL Injection directly inject malicious code (scripts or SQL commands) into the application's execution context.

13
MCQ · hard

Refer to the exhibit. A penetration tester executed the SQL injection payload and received the response shown. What is the most likely outcome of this attack?

A. The attacker extracted hashed passwords that can be cracked offline
B. The attacker successfully performed a blind SQL injection to enumerate the database structure
C. The attacker caused a denial of service by sending an invalid query
D. The attacker modified the database records to update user passwords
Answer: A

The response contains username:hash pairs; the hash appears to be MD5, which is crackable.

Why this answer

The response shows a successful SQL injection that returned password hashes (likely from the `password` column) in the output. This indicates the attacker exploited a vulnerable parameter to extract hashed credentials from the database, which can then be cracked offline using tools like Hashcat or John the Ripper. The presence of hash strings in the response confirms data extraction, not modification or denial of service.

Exam trap

EC-Council often tests the distinction between in-band (error-based/UNION) SQL injection, which returns data directly, and blind SQL injection, which does not return visible data; candidates mistakenly choose blind when the response clearly shows extracted values.

How to eliminate wrong answers

Option B is wrong because blind SQL injection does not return visible data in the response; it relies on true/false or time-based inferences, whereas the exhibit shows actual hash values. Option C is wrong because a denial of service would result in an error, timeout, or empty response, not a structured output containing hashes. Option D is wrong because modifying database records (e.g., UPDATE statements) would not return the existing password hashes in the response; the attacker would see confirmation of modification or no data at all.

14
Drag & Drop · medium

Drag and drop the steps to recover a forgotten Windows administrator password using a bootable Linux USB into the correct order.



Why this order

Boot, mount, navigate, replace file, reboot to exploit.

15
MCQ · medium

During a penetration test, you notice that a web application accepts user input and displays it directly in the browser without sanitization. Which attack is most likely to succeed?

A. SQL Injection
B. Cross-Site Request Forgery (CSRF)
C. Cross-Site Scripting (XSS)
D. Command Injection
Answer: C

Reflected XSS is the direct result of unsanitized input displayed in the browser.

Why this answer

Option C is correct because the scenario describes a classic reflected Cross-Site Scripting (XSS) vulnerability. The application accepts user input and displays it directly in the browser without sanitization, allowing an attacker to inject malicious JavaScript that executes in the victim's browser. This is the defining characteristic of XSS, not SQL injection or command injection, which target server-side interpreters.

Exam trap

EC-Council often tests the distinction between reflected XSS and stored XSS; the trap here is that candidates may assume any unsanitized input is SQL injection, but the key clue is direct display in the browser without server-side processing like database queries or command execution.

How to eliminate wrong answers

Option A is wrong because SQL Injection requires the user input to be included in a database query, not simply displayed in the browser; the scenario does not mention any database interaction. Option B is wrong because Cross-Site Request Forgery (CSRF) exploits the trust a site has in a user's browser to perform unauthorized actions, but it does not involve displaying unsanitized user input directly; it requires a forged request, not reflected output. Option D is wrong because Command Injection requires the input to be passed to a system shell or command interpreter, not merely rendered in HTML; the scenario lacks any indication of server-side command execution.

16
MCQ · hard

As a network defender, you notice an unusually high number of incomplete TCP three-way handshakes from a single external IP to multiple internal hosts. What is the most likely attack taking place?

A. UDP flood
B. SYN flood
C. ARP spoofing
D. ICMP flood
Answer: B

A SYN flood sends many SYN packets without completing the handshake.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending a high volume of SYN packets to target hosts without completing the handshake (i.e., not sending the final ACK). This leaves the target with half-open connections, exhausting its connection table and denying service to legitimate traffic. The observation of incomplete handshakes from a single external IP to multiple internal hosts is a classic signature of a SYN flood.

Exam trap

EC-Council often tests the distinction between a SYN flood and a UDP flood, where candidates mistakenly choose UDP flood because they associate 'flood' with any high-volume attack, but the key clue is the incomplete TCP three-way handshake, which is specific to SYN floods.

How to eliminate wrong answers

Option A (UDP flood) is wrong because a UDP flood targets UDP ports with a high volume of datagrams, not TCP handshake packets, and would not produce incomplete TCP three-way handshakes. Option C (ARP spoofing) is wrong because ARP spoofing operates at Layer 2 by poisoning ARP caches to intercept traffic on a local network, not by sending incomplete TCP handshakes from an external IP. Option D (ICMP flood) is wrong because an ICMP flood uses ICMP echo request packets (pings) to overwhelm a target, not TCP SYN packets, and would not result in incomplete TCP handshakes.

17
MCQ · medium

Refer to the exhibit. An analyst runs an Nmap scan and finds these services. Which known vulnerability is most likely to be successfully exploited?

A. CVE-2021-41773 (Apache Path Traversal)
B. CVE-2017-5638 (Struts2 RCE)
C. CVE-2014-0160 (Heartbleed)
D. CVE-2020-1472 (Zerologon)
Answer: A

Apache 2.4.49 is vulnerable to CVE-2021-41773, a path traversal and remote code execution vulnerability.

18
Matching · medium

Match each encryption algorithm to its type.



Symmetric encryption

Asymmetric encryption

Hash function (broken)

Hash function (secure)

Symmetric encryption (deprecated)

Why these pairings

These are common cryptographic algorithms tested in CEH.

19
MCQ · easy

A security analyst is configuring a web application firewall (WAF) to protect against SQL injection. Which HTTP parameter location should the analyst focus on to block malicious SQL queries?

A. Query string parameters
B. Request body (POST data)
C. Cookie headers
D. User-Agent header
Answer: A

Query string parameters are a common vector for SQL injection.

Why this answer

SQL injection attacks commonly target query string parameters because user input in URLs is often directly concatenated into SQL queries without proper sanitization. A WAF configured to inspect and filter query string parameters can block malicious SQL payloads before they reach the database server, as these parameters are the most frequent vector for such attacks.

Exam trap

The trap here is that candidates may think POST data is the only vector for SQL injection, but the CEH exam emphasizes that query string parameters are the most common and should be the first focus for WAF configuration.

How to eliminate wrong answers

Option B is wrong because while POST data can also carry SQL injection payloads, the question asks for the primary focus, and query strings are the most common and easily exploitable vector. Option C is wrong because cookie headers are less frequently used for SQL injection, as they are typically not parsed into SQL queries unless the application explicitly reads them. Option D is wrong because the User-Agent header is rarely incorporated into SQL queries and is more commonly associated with other attack types like log injection or client-side attacks.
