alert(\"XSS\")' and the…","url":"https://courseiva.com/questions/ec-council/ec-ceh/during-a-web-application-penetration-test-a-tester-submits-ugc94"},{"@type":"ListItem","position":60,"name":"An attacker uses the following URL pattern to access files: http://example.com/../../etc/passwd. Which attack is being a…","url":"https://courseiva.com/questions/ec-council/ec-ceh/an-attacker-uses-the-following-url-pattern-to-access-files-a4r3c"},{"@type":"ListItem","position":61,"name":"An application allows users to upload XML files for processing. A tester uploads the following payload:
CCNA Ceh Web Injection Questions
75 of 172 questions · Page 1/3 · Ceh Web Injection topic · Answers revealed
An attacker crafts a link that, when clicked by an authenticated user, performs an unintended action on a web application where the user is logged in, such as changing their email address. The application uses a session cookie for authentication but does not include any anti-forgery tokens in forms. Which attack is this?
A.Cross-Site Request Forgery (CSRF)
B.Cross-Site Scripting (XSS)
C.Clickjacking
D.Server-Side Request Forgery (SSRF)
AnswerA
CSRF exploits the user's authenticated session to perform unauthorized actions.
Why this answer
The description matches Cross-Site Request Forgery (CSRF), where a malicious link triggers actions on a site where the victim is authenticated.
A penetration tester identifies a web page that reflects user input in the response without proper encoding. The input is submitted via a GET parameter. Which type of cross-site scripting (XSS) is MOST likely present?
A.Blind XSS
B.Reflected XSS
C.DOM-based XSS
D.Stored XSS
AnswerB
The input is reflected immediately in the response, characteristic of reflected XSS.
Why this answer
Reflected XSS occurs when user input is immediately returned by the server in the response without proper sanitization, typically via GET parameters.
During a penetration test, a tester finds a web application that reflects user input in the page without sanitization. Which TWO types of XSS are potentially exploitable in this scenario?
Select 2 answers
A.DOM-based XSS
B.Blind XSS
C.Self-XSS
D.Stored (persistent) XSS
E.Reflected XSS
AnswersA, E
DOM-based XSS occurs if client-side JavaScript processes the input unsafely.
Why this answer
Reflected XSS occurs when input is immediately returned in the response. DOM-based XSS occurs when client-side scripts process input unsafely. Stored XSS requires persistence on the server, which is not indicated.
During a penetration test, you find a web application that includes files using a parameter like /index.php?page=about. When you change the parameter to /etc/passwd, the application returns the contents of the password file. Which vulnerability is present?
A.Local File Inclusion (LFI)
B.Remote File Inclusion (RFI)
C.Command Injection
D.Directory Traversal
AnswerA
The application includes a local file based on user input.
Why this answer
Local File Inclusion (LFI) allows an attacker to include local files on the server through path traversal or direct inclusion.
An attacker is attempting to perform an Insecure Direct Object Reference (IDOR) attack on a web application. Which TWO conditions are necessary for this attack to succeed?
Select 2 answers
A.The application uses indirect object references (e.g., random tokens)
B.The application exposes direct references to internal objects (e.g., user IDs in URLs)
C.The application fails to validate the user's authorization for the requested object
D.The application has a CSRF vulnerability
E.The application implements strong access controls on every object
AnswersB, C
Direct references are necessary for IDOR.
Why this answer
IDOR exploits direct references to objects without proper authorization checks. The application must expose direct references (e.g., IDs in URLs) and fail to verify the user's permission to access the object.
An attacker discovers that a web application's login form allows unlimited login attempts. The attacker uses a list of usernames and passwords obtained from a previous breach to gain access. This attack is known as:
A.Password spraying
B.Brute force attack
C.Dictionary attack
D.Credential stuffing
AnswerD
Using breached credentials to gain access.
Why this answer
Credential stuffing (option D) is correct because the attacker uses a list of known username/password pairs from a previous breach to automate login attempts against the web application. This attack exploits password reuse across services, not the weakness of the passwords themselves, and relies on the application's lack of rate limiting or account lockout mechanisms.
Exam trap
The trap here is that candidates confuse credential stuffing with a dictionary attack, but credential stuffing specifically uses known username-password pairs from a prior breach, not a generic wordlist of passwords.
How to eliminate wrong answers
Option A is wrong because password spraying involves trying a single common password (e.g., 'Password123') against many usernames, not using a list of known credential pairs. Option B is wrong because a brute force attack systematically tries all possible password combinations for a single username, which is computationally expensive and not based on a pre-compromised list. Option C is wrong because a dictionary attack uses a wordlist of potential passwords against a single username, but does not pair specific usernames with their previously compromised passwords.
A web application allows users to access files using parameters like 'file=report.pdf'. A tester changes the parameter to '../../etc/passwd' and retrieves the system password file. This is an example of which attack?
A.Local file inclusion (LFI)
B.Remote file inclusion (RFI)
C.Command injection
D.Directory traversal
AnswerD
The use of '../' to escape the intended directory and read arbitrary files is classic directory traversal.
Why this answer
Directory traversal attacks exploit insufficient input validation to access files outside the intended directory by using '../' sequences.
Which TWO of the following are effective defenses against CSRF attacks? (Choose 2.)
Select 2 answers
A.Setting the Secure flag on cookies
B.Using input validation to block special characters
C.Using anti-CSRF tokens that are validated on the server
D.Implementing SameSite cookie attribute (Lax or Strict)
E.Enabling the HttpOnly flag on session cookies
AnswersC, D
CSRF tokens are unique per request and verified by the server, ensuring the request originated from the legitimate site.
Why this answer
CSRF tokens and SameSite cookies both prevent cross-site request forgery. Double Submit Cookie is also a method but not listed. Custom headers are not a standard defense; the primary ones are CSRF tokens and SameSite cookies.
A web server is found to have directory listing enabled for the /uploads folder. An attacker discovers a shell.php file uploaded earlier. Which attack is the attacker MOST likely to perform next?
A.File inclusion
B.Cross-site scripting
C.Remote code execution via uploaded shell
D.SQL injection
AnswerC
The attacker can locate the shell via directory listing and then access it to execute commands.
Why this answer
With directory listing, the attacker can find the path to the uploaded shell and then access it to execute commands on the server.
An application is vulnerable to server-side request forgery (SSRF). An attacker exploits this to access internal services. Which of the following is a common indicator of SSRF?
A.The application uses user input in file inclusion functions like include()
B.The application includes a parameter like 'url=' that fetches remote resources
C.The application reflects user input in HTTP headers
D.The application stores user input in a database without sanitization
AnswerB
A 'url=' parameter that the server fetches is a classic SSRF vector.
Why this answer
SSRF vulnerabilities often appear where the application fetches URLs based on user input, such as 'url=' parameters, allowing the attacker to make the server request internal resources.
A penetration tester finds that a web application allows uploading a file with the name '../../var/www/html/shell.php'. The file is successfully written to the server. Which combination of vulnerabilities does this exploit?
A.Cross-Site Scripting (XSS) and CSRF
B.Local File Inclusion (LFI) and Remote File Inclusion (RFI)
C.Directory traversal and unrestricted file upload
D.SQL injection and command injection
AnswerC
The traversal path in the filename exploits directory traversal, and the ability to upload a PHP file indicates unrestricted file upload.
Why this answer
Directory traversal allows moving up directories, and unrestricted file upload allows writing a PHP shell, leading to remote code execution.
During a web application penetration test, a security analyst intercepts a request using Burp Suite and notices the following parameter in the URL: /profile?user_id=123. By changing the user_id to 124, the analyst is able to view another user's profile. Which vulnerability is being exploited?
A.SQL Injection
B.Cross-Site Scripting (XSS)
C.Insecure Direct Object Reference (IDOR)
D.Cross-Site Request Forgery (CSRF)
AnswerC
The user_id parameter is manipulated to access another user's profile without authorization.
Why this answer
IDOR occurs when an application exposes a direct reference to an internal object (like a user ID) without proper authorization checks, allowing unauthorized access.
A security analyst discovers that a web application's search box reflects user input without proper sanitization. However, the attacker must trick a victim into clicking a crafted link containing the malicious script. This vulnerability is classified as which type?
A.Blind XSS
B.Stored XSS
C.DOM-based XSS
D.Reflected XSS
AnswerD
Reflected XSS is non-persistent and requires the victim to click a crafted link containing the payload.
Why this answer
Reflected XSS requires user interaction (clicking a link) to execute the script in the victim's browser. The payload is not stored on the server, distinguishing it from stored XSS. DOM-based XSS does not involve server reflection.
An attacker exploits an application by uploading a file that contains server-side script code, leading to arbitrary command execution on the web server. Which best describes this attack?
A.File inclusion (LFI)
B.Command injection
C.XSS
D.Directory traversal
AnswerB
Command injection occurs when an attacker can execute arbitrary commands on the server, often through file uploads that are executed.
Why this answer
File upload vulnerability allowing arbitrary code execution is a form of command injection or remote code execution (RCE).
During a penetration test, a tester uses the following payload in a search field: <script>alert(document.cookie)</script>. The payload is reflected in the response without sanitization. However, the tester notices that the attack only works when the payload is submitted via a POST request, not GET. Which type of XSS is this?
A.Stored XSS
B.Reflected XSS
C.DOM-based XSS
D.Self-XSS
AnswerB
The payload is reflected immediately, making it reflected XSS.
Why this answer
Reflected XSS occurs when the payload is reflected immediately in the response. The fact that it works via POST but not GET does not change the classification; it is still reflected XSS because the payload is not stored on the server. Some reflected XSS may be triggered only via POST parameters.
A web application is vulnerable to SQL injection. Which THREE of the following techniques can be used to extract data from the database using blind SQL injection?
Select 3 answers
A.Time-based
B.Error-based
C.Boolean-based
D.Out-of-band
E.Union-based
AnswersA, C, D
Time-based uses delays to infer true/false conditions.
Why this answer
Boolean-based, time-based, and out-of-band are all types of blind SQL injection. Error-based and union-based are in-band techniques, not blind.
Which of the following Burp Suite tools is used to automatically fuzz web application inputs and identify common vulnerabilities like SQL injection and XSS?
A.Proxy
B.Repeater
C.Intruder
D.Scanner
AnswerC
Intruder allows automated fuzzing with payloads.
Why this answer
Burp Intruder is a tool for automating customized attacks against web applications, including fuzzing for vulnerabilities.
A security analyst observes the following in Apache access logs: 'GET /cgi-bin/test.cgi?cmd=id HTTP/1.1' 200. This is most likely an attempt at which attack?
A.Command injection
B.Local File Inclusion (LFI)
C.SQL injection
D.Directory traversal
AnswerA
The parameter 'cmd' suggests the CGI script passes input to a shell, allowing command injection.
Why this answer
The 'cmd' parameter in a CGI script is a common indicator of command injection, where the attacker tries to execute system commands.
A security analyst wants to check if a web application is vulnerable to Server-Side Request Forgery (SSRF). Which of the following actions would be most effective?
A.Submit a base64-encoded payload in a cookie
B.Use SQLMap with a time-based payload
C.Modify the Host header to point to localhost
D.Send a request with a URL parameter pointing to an internal IP address
AnswerD
SSRF occurs when the server fetches a URL provided by the attacker; pointing to an internal IP tests for SSRF.
Why this answer
Crafting a request that makes the server fetch an internal IP address (like 127.0.0.1) and observing if the response includes data from that internal resource is a good test for SSRF.
An analyst reviews the following HTTP response: HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; SameSite=None; Secure
...
<html><body><p>Welcome back!</p></body></html>. What possible vulnerability exists if the application does not use CSRF tokens?
A.Cross-site request forgery (CSRF)
B.Clickjacking
C.Cross-site scripting (XSS)
D.Session fixation
AnswerA
With SameSite=None, cookies are sent on cross-site requests, and without CSRF tokens, the application is vulnerable to CSRF.
Why this answer
SameSite=None allows cross-site requests to include cookies, making CSRF possible if no CSRF tokens are used. SameSite=Lax or Strict would block some CSRF attacks.
A security analyst notices that a web application's search functionality returns database error messages in the response. The analyst suspects SQL injection. Which TWO techniques should the analyst use to confirm and exploit this vulnerability? (Choose TWO.)
Select 2 answers
A.Use out-of-band SQL injection with DNS exfiltration
B.Use a time-based blind SQL injection with SLEEP() function
C.Leverage error-based SQL injection with CONVERT() or double query
D.Use SQLMap with --union-col and --union-from flags
E.Implement parameterized queries in the application code
AnswersC, D
Error-based injection exploits verbose error messages to extract data.
Why this answer
Union-based SQL injection uses UNION SELECT to retrieve data from other tables. Error-based SQL injection leverages database error messages to extract information. Both are common in-band techniques suitable when errors are displayed.
While analyzing web server logs, an analyst finds the following entry: GET /../../../../etc/passwd HTTP/1.1 with a 200 OK response. Which vulnerability is indicated, and what is the MOST likely impact?
The '../' patterns and the file path indicate directory traversal, resulting in file disclosure.
Why this answer
The path contains '../' sequences indicating directory traversal. A 200 response suggests the attacker successfully read the /etc/passwd file, leading to disclosure of system user accounts. This can aid further attacks like password cracking.
Which TWO of the following are effective mitigations against Cross-Site Request Forgery (CSRF)?
Select 2 answers
A.Using SameSite cookies
B.Input validation
C.Using anti-CSRF tokens
D.Using HTTPOnly cookies
E.Using CSRF tokens
AnswersA, E
SameSite cookies restrict cookie sending on cross-site requests, mitigating CSRF.
Why this answer
CSRF tokens and SameSite cookies are standard defenses. The other options do not prevent CSRF: input validation does not; anti-CSRF tokens are synonymous; referer header validation is weak.
A web application uses a URL parameter to fetch a file from the server, e.g., 'download.php?file=report.pdf'. An attacker changes the parameter to '../../etc/passwd' and retrieves the password file. This attack is known as:
A.Command injection
B.Local File Inclusion (LFI)
C.Directory traversal
D.Server-Side Request Forgery (SSRF)
AnswerC
The use of '../' to navigate directories is characteristic of directory traversal.
Why this answer
Directory traversal (also known as path traversal) allows an attacker to access files outside the intended directory by using '../' sequences.
E.Strict - Cookie is sent only for same-site requests
AnswersA, E
Lax allows cookies for top-level GET requests from other sites.
Why this answer
SameSite can be set to 'Lax' (default) which allows cookies for top-level navigations, or 'Strict' which prevents cookies on cross-site requests. 'None' requires Secure flag but is used for cross-site.
Which TWO of the following attacks can be prevented by properly validating and sanitizing user input? (Select 2)
Select 2 answers
A.Cross-Site Request Forgery (CSRF)
B.SQL injection
C.Man-in-the-Middle (MitM) attack
D.Clickjacking
E.Cross-Site Scripting (XSS)
AnswersB, E
Input validation/sanitization can prevent SQL injection (e.g., parameterized queries).
Why this answer
SQL injection and XSS are both injection attacks that can be prevented by input validation and sanitization. CSRF requires tokens, and clickjacking requires frame-busting headers.
Which TWO of the following are common types of SQL injection attacks?
Select 2 answers
A.Blind SQL injection (boolean-based)
B.Out-of-band SQL injection
C.In-band SQL injection (union-based)
D.Heap-based SQL injection
E.NoSQL injection
AnswersA, C
Blind SQL injection does not return data directly; it infers information from server responses.
Why this answer
In-band SQLi (union-based) uses the same channel to inject and retrieve data. Blind SQLi (boolean-based or time-based) does not return data directly but infers information from behavior. NoSQL injection is a separate category.
Heap-based is not a recognized SQLi type. Out-of-band is a third type but not listed among the options; the question asks for common types.
A penetration tester is using SQLMap to automate exploitation of a SQL injection vulnerability found in a login form. The tester wants to retrieve the names of all databases on the backend MySQL server. Which SQLMap flag should be used?
A.--dbs
B.--current-db
C.--schema
D.--tables
AnswerA
--dbs lists all databases on the server.
Why this answer
The --dbs flag in SQLMap enumerates all databases on the database server.
An attacker intercepts a request and notices that the server reflects the value of the 'User-Agent' header in the response without sanitization. The attacker crafts a payload that triggers an alert box. This is an example of:
During a web application penetration test, a tester uses Burp Suite's Intruder tool to automate a series of login attempts using a list of common passwords. Which attack type is being performed?
A.Credential stuffing
B.Brute force attack
C.Dictionary attack
D.Password spraying
AnswerA
Credential stuffing involves using lists of known passwords (often from data breaches) to gain unauthorized access.
Why this answer
Credential stuffing uses a list of known passwords, while password spraying uses a few passwords against many accounts. Brute force is typically many passwords per account. The description best matches credential stuffing.
Which Burp Suite tool is most appropriate for modifying and re-sending a single HTTP request multiple times with different payloads to test for SQL injection?
A.Repeater
B.Intruder
C.Proxy
D.Scanner
AnswerB
Intruder allows sending multiple requests with different payloads to test for vulnerabilities like SQL injection.
Why this answer
Burp Intruder is designed for automated customized attacks, allowing you to send many requests with varying payloads to a single target endpoint.
A penetration tester uses Burp Suite to intercept and modify web traffic. Which TWO features in Burp Suite would be MOST useful for performing a brute-force attack on a login form? (Choose TWO.)
Select 2 answers
A.Burp Scanner
B.Burp Proxy
C.Burp Decoder
D.Burp Intruder
E.Burp Repeater
AnswersB, D
Proxy captures the login request, which can then be sent to Intruder.
Why this answer
Intruder is designed for automated brute-forcing with payloads. Proxy allows interception and manipulation of requests before sending to Intruder. Repeater is for manual requests, not automated attacks.
Scanner is for vulnerability scanning, not brute-forcing.
During a web application test, the tester finds that the application includes user-supplied file names in include() statements. Which TWO of the following are indicators of a Remote File Inclusion (RFI) vulnerability? (Choose TWO.)
Select 2 answers
A.The application includes files from http://attacker.com/shell.txt
B.The application includes files with '..' and '/' sequences
C.The application includes /etc/passwd in the response
D.The application includes files with .inc extension
E.The application allows inclusion of files from external FTP servers
AnswersA, E
Inclusion of a remote URL indicates RFI.
Why this answer
RFI allows inclusion of remote files via HTTP/HTTPS URLs. Directory traversal with ../ is more typical of LFI. Inclusion of local files like /etc/passwd indicates LFI, not RFI.
A web application allows users to upload profile pictures. An attacker uploads a file named "profile.php" containing malicious PHP code. When the attacker visits the uploaded file's URL, the code executes. Which vulnerability is being exploited?
A.Directory traversal
B.Command injection
C.File upload vulnerability
D.Stored XSS
AnswerC
The attacker uploaded a malicious PHP file that executes, indicating a file upload vulnerability.
Why this answer
The application fails to validate the file type or restrict execution, allowing a malicious PHP file to be uploaded and executed on the server, which is a classic file upload vulnerability leading to remote code execution.
A web server is configured with WebDAV and allows PUT requests. An attacker uploads a .asp file and accesses it to execute code. Which tool or method is most directly associated with exploiting this misconfiguration?
A.SQL injection
B.File upload vulnerability
C.Directory brute forcing
D.Cross-site scripting (XSS)
AnswerB
The ability to upload and execute arbitrary files via WebDAV PUT is a file upload vulnerability.
Why this answer
WebDAV with PUT enabled allows attackers to upload arbitrary files, including web shells, leading to remote code execution.
A web application allows users to upload profile pictures. The application uses the filename provided by the user to save the file on the server. An attacker uploads a file named 'malicious.php%00.png' and the server saves it as 'malicious.php'. Which vulnerability is being exploited?
A.Directory traversal
B.Command injection
C.Null byte injection
D.Cross-Site Scripting (XSS)
AnswerC
Null byte injection exploits the null byte character to truncate strings, bypassing file extension filters.
Why this answer
This is a null byte injection attack, where the %00 (null byte) terminates the string, bypassing extension checks to upload a PHP file.
A web application has an endpoint that takes a URL parameter and fetches content from that URL, returning it to the user. An attacker supplies 'file:///etc/passwd' and reads the server's passwd file. Which vulnerability is this?
A.Command injection
B.Remote File Inclusion (RFI)
C.Server-Side Request Forgery (SSRF)
D.Directory traversal
AnswerC
The server is tricked into making requests to internal resources via file:// protocol.
Why this answer
This is SSRF because the server is making requests to internal resources based on user input; file:// is a protocol that can be used for local file access.
A penetration tester finds that a web application accepts XML input and returns the parsed data in the response. The tester submits the following payload: <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>. The server returns the contents of /etc/passwd. Which vulnerability is being exploited?
A.SSRF
B.Command injection
C.XXE injection
D.XPath injection
AnswerC
The payload uses an external entity to read a file, which is XXE.
Why this answer
The payload defines an external entity (XXE) that reads a local file, indicating an XML External Entity (XXE) injection vulnerability.
Which THREE of the following are common types of SQL injection attacks? (Select three)
Select 3 answers
A.Reflected SQL injection
B.Stored SQL injection
C.Out-of-band SQL injection
D.Blind SQL injection
E.In-band SQL injection
AnswersC, D, E
Out-of-band uses a different channel (e.g., DNS) to exfiltrate data.
Why this answer
In-band SQL injection (including error-based and union-based) are classic types. Blind SQL injection (boolean-based and time-based) are also common. Out-of-band is less common but still a type.
Which of the following is a primary defense mechanism against Cross-Site Request Forgery (CSRF) attacks?
A.Input validation and output encoding
B.Enforcing CAPTCHA on all forms
C.Using SameSite cookies
D.Implementing CSRF tokens
AnswerD
CSRF tokens are the most common and effective defense against CSRF attacks.
Why this answer
CSRF tokens are unique, unpredictable values included in requests that the server validates to ensure the request is intentional. SameSite cookies help but are not the primary defense; CAPTCHA and input validation are not standard CSRF mitigations.
A web application uses an XML parser to process user-supplied XML documents. An attacker submits the following payload: <?xml version='1.0'?><!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]><root>&xxe;</root>. Which vulnerability is being exploited?
A.Server-Side Request Forgery (SSRF)
B.XPath injection
C.XML External Entity (XXE) injection
D.SQL injection
AnswerC
The attacker defines an external entity to read a local file, which is XXE.
Why this answer
The payload defines an external entity that reads a local file, which is classic XXE (XML External Entity) injection.
During a web application penetration test, a tester uses Burp Suite's Repeater tool to manually manipulate a request and observe the response. After sending the same request multiple times, the application returns a 302 redirect pointing to a login page. What is the MOST likely cause?
C.The session token has expired and the user must re-authenticate
D.The server detected the use of a proxy and blocked the request
AnswerC
After repeated requests without refreshing the session, the token may expire, causing a redirect to the login page.
Why this answer
A 302 redirect to a login page typically indicates that the session has expired or the tester's session is no longer valid. The application is redirecting to enforce authentication.
A security team wants to test their web application for vulnerabilities. Which Burp Suite tool is BEST suited for automating attacks like brute-force or fuzzing?
A.Proxy
B.Repeater
C.Intruder
D.Scanner
AnswerC
Intruder automates payload delivery for brute-force, fuzzing, etc.
Why this answer
Intruder is designed for automated customized attacks including brute-force, fuzzing, and credential stuffing.
Which TWO of the following are valid techniques used in password spraying attacks? (Choose 2.)
Select 2 answers
A.Using previously compromised username/password pairs from a breach
B.Capturing keystrokes to obtain a user's password
C.Trying every possible password from a dictionary against a single username
D.Using a list of common passwords (e.g., 'Password123', 'Welcome1') against a large set of usernames
E.Attempting a single common password across multiple users, then trying the next common password
AnswersD, E
This is the essence of password spraying: try a few weak passwords on many accounts to avoid lockout.
Why this answer
Password spraying uses a few common passwords against many accounts to avoid lockouts. Credential stuffing uses known username/password pairs from breaches. Dictionary attack uses a list of words.
Brute force tries many passwords on one account. Keylogging is passive.
During a penetration test, the tester finds that the Apache server is configured with directory listing enabled on the /uploads directory. The tester navigates to http://example.com/uploads/ and sees a list of files. Which of the following is the MOST immediate security concern?
A.Sensitive files may be exposed to unauthorized users
B.The server is running an outdated version of Apache
C.The server is vulnerable to cross-site scripting (XSS) attacks
D.An attacker can upload malicious files to the directory
AnswerA
Directory listing can expose file names and allow access to sensitive files if they are not protected.
Why this answer
Directory listing exposes file names that may reveal sensitive information (e.g., backup files, config files). Attackers can then attempt to access these files directly, potentially leading to data disclosure.
A security analyst observes a web application returning database error messages containing table names and column names in the HTTP response. Which type of SQL injection is MOST likely being exploited?
A.Blind SQL injection (boolean-based)
B.Union-based SQL injection
C.Error-based SQL injection
D.Out-of-band SQL injection
AnswerC
Error-based SQL injection uses database error messages to extract information.
Why this answer
Error-based SQL injection (in-band) relies on error messages from the database to extract information. The presence of database details in errors indicates error-based injection.
During a web application penetration test, a tester submits a comment containing '<script>alert("XSS")</script>' and the script executes for all users who view the comment. Which type of cross-site scripting (XSS) vulnerability is present?
A.Blind XSS
B.Reflected XSS
C.DOM-based XSS
D.Stored (persistent) XSS
AnswerD
The script is stored and executed for all users, indicating stored XSS.
Why this answer
Stored (persistent) XSS occurs when the injected script is permanently stored on the server (e.g., in a database) and executed for every user who accesses that content.
An application allows users to upload XML files for processing. A tester uploads the following payload: <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>. The server returns the contents of /etc/passwd. Which attack is being performed?
A.XML External Entity (XXE) injection
B.SQL injection
C.Cross-Site Scripting (XSS)
D.Server-Side Request Forgery (SSRF)
AnswerA
The DOCTYPE and entity declaration are classic XXE, and the file read confirms it.
Why this answer
This is an XML External Entity (XXE) injection attack, where an external entity is defined to read a local file. The server's XML parser processes the entity and reflects the file content, confirming the vulnerability.
During a web application test, a penetration tester intercepts a request using Burp Suite Proxy, modifies the 'Referer' header, and resends the request. The application processes the request despite the modified header. Which attack is the tester attempting to validate?
A.Server-Side Request Forgery (SSRF)
B.Cross-Site Scripting (XSS)
C.Cross-Site Request Forgery (CSRF)
D.SQL injection
AnswerC
CSRF defenses sometimes check the Referer header; modifying it tests this defense.
Why this answer
CSRF (Cross-Site Request Forgery) attacks often rely on the Referer header for validation. By modifying it, the tester checks if the application validates the header. If the request is processed, the application is vulnerable to CSRF.
A security team is implementing measures to prevent cross-site request forgery (CSRF) attacks. Which of the following is the most effective mitigation technique?
CSRF tokens are the standard defense against CSRF attacks.
Why this answer
CSRF tokens are unique, unpredictable values that must be included in state-changing requests, ensuring the request originated from the legitimate site.
An attacker attempts to log into a web application by trying many common passwords for a list of known usernames. Which type of authentication attack is this?
A.Dictionary attack
B.Credential stuffing
C.Password spraying
D.Brute force attack
AnswerC
Password spraying uses a few common passwords across many accounts.
Why this answer
Password spraying involves using a few common passwords against many usernames to avoid account lockouts, as opposed to brute force (many passwords on one account) or credential stuffing (using known username/password pairs).
During an assessment, a tester discovers that the web application accepts XML input and returns the parsed data. The tester submits the following payload: <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>. The response contains the contents of /etc/passwd. This vulnerability is known as:
A.Local File Inclusion (LFI)
B.Server-Side Request Forgery (SSRF)
C.XML External Entity (XXE) Injection
D.SQL injection
AnswerC
XXE exploits XML parsers to read files or perform SSRF.
Why this answer
The payload defines an external entity that reads a local file, a classic XXE (XML External Entity) injection.
Which HTTP method is commonly used by WebDAV to upload files to a web server, and if misconfigured, could allow an attacker to upload malicious scripts?
A.DELETE
B.GET
C.POST
D.PUT
AnswerD
PUT is the HTTP method used to upload files in WebDAV.
Why this answer
The PUT method allows uploading resources to the server, and if enabled without proper controls, can be exploited to upload malicious files.
A security team deployed a web application firewall (WAF) that blocks requests containing SQL keywords like 'SELECT', 'UNION', and 'DROP'. An attacker bypasses the WAF by encoding the payload in base64 and using a SQL injection tool that decodes it server-side. Which mitigation would be MOST effective against this?
A.Increase WAF sensitivity to block base64-encoded strings
B.Implement prepared statements with parameterized queries
C.Disable error messages to hide database errors
D.Use a more restrictive input validation regex
AnswerB
Prepared statements eliminate SQL injection by using placeholders for user input.
Why this answer
Prepared statements (parameterized queries) prevent SQL injection by separating query structure from data, regardless of encoding. WAF bypasses are mitigated by using proper coding practices.
A web server running IIS 8.5 is found to have WebDAV enabled with write permissions. Which attack is MOST likely to be successful against this configuration?
Which of the following is a primary purpose of the SameSite cookie attribute in mitigating CSRF attacks?
A.To limit the cookie to a specific path
B.To encrypt the cookie value
C.To prevent the cookie from being sent in cross-origin requests, mitigating CSRF
D.To restrict the cookie to HTTPS connections only (Secure flag)
AnswerC
SameSite prevents cookies from being sent in cross-site requests, which is a key defense against CSRF.
Why this answer
SameSite cookie attribute (Strict, Lax, or None) controls when cookies are sent in cross-site requests. Setting SameSite to Lax or Strict prevents the browser from sending cookies on cross-site POST requests, thus mitigating CSRF.
A web application takes a URL from user input and fetches the content to display on the page. An attacker submits a URL pointing to an internal service like http://localhost:8080/admin. The server retrieves the internal resource and returns it. What is this attack?
A.Cross-Site Scripting (XSS)
B.Server-Side Request Forgery (SSRF)
C.Directory Traversal
D.Remote File Inclusion (RFI)
AnswerB
The server is tricked into making a request to an internal resource.
Why this answer
Server-Side Request Forgery (SSRF) occurs when a server makes requests to internal resources based on user-supplied URLs.
Which THREE of the following are common indicators of an ongoing brute-force attack against a web application?
Select 3 answers
A.A single user account being locked out repeatedly
B.Login requests arriving at an unusually high frequency
C.Many different usernames being targeted from the same IP
D.Successful logins from unusual geographic locations
E.A high number of failed login attempts from a single IP address
AnswersB, C, E
High frequency suggests automated tool.
Why this answer
Multiple failed logins from the same IP, high frequency of login requests, and many different usernames tried from one source are typical signs of brute-force.
A tester sends the following payload to a web application: %3Cscript%3Ealert('XSS')%3C/script%3E. The application echoes back the decoded payload in the response without sanitization. This behavior is typical of which type of vulnerability?
A security analyst notices that the web application returns different response times when a valid username is submitted versus an invalid one during login. Which type of vulnerability is likely being exploited?
A.Time-based SQL injection
B.Reflected XSS
C.Blind boolean-based SQL injection
D.CSRF
AnswerA
Time-based SQL injection uses database delay functions (e.g., SLEEP()) to infer information based on response times.
Why this answer
Time-based SQL injection involves injecting SQL code that causes the database to pause if a condition is true, allowing an attacker to infer information based on response times. The observed difference in response times for valid vs. invalid usernames is characteristic of this technique.
An attacker wants to perform a CSRF attack against a banking application. The application uses SameSite cookies set to 'Strict'. The attacker hosts a malicious page on their own domain. When the victim visits the malicious page, which of the following statements is TRUE regarding the CSRF attack?
A.The attack will succeed because cookies are sent regardless of SameSite settings.
B.The attack will succeed because the attacker can bypass SameSite using GET requests.
C.The attack will fail because CSRF requires POST requests and the malicious page only uses GET.
D.The attack will fail because the browser will not include the session cookie with the cross-origin request.
AnswerD
SameSite=Strict prevents cookie inclusion on cross-origin requests, defeating CSRF.
Why this answer
SameSite=Strict prevents cookies from being sent on cross-site requests, effectively blocking CSRF attacks if the attacker cannot control the origin.