' and the…","url":"https://courseiva.com/questions/ec-council/ec-ceh/during-a-web-application-penetration-test-a-tester-submits-ugc94"},{"@type":"ListItem","position":60,"name":"An attacker uses the following URL pattern to access files: http://example.com/../../etc/passwd. Which attack is being a…","url":"https://courseiva.com/questions/ec-council/ec-ceh/an-attacker-uses-the-following-url-pattern-to-access-files-a4r3c"},{"@type":"ListItem","position":61,"name":"An application allows users to upload XML files for processing. A tester uploads the following payload:

CCNA Ceh Web Injection Questions

75 of 172 questions · Page 1/3 · Ceh Web Injection topic · Answers revealed

1
MCQeasy

An attacker crafts a link that, when clicked by an authenticated user, performs an unintended action on a web application where the user is logged in, such as changing their email address. The application uses a session cookie for authentication but does not include any anti-forgery tokens in forms. Which attack is this?

A.Cross-Site Request Forgery (CSRF)
B.Cross-Site Scripting (XSS)
C.Clickjacking
D.Server-Side Request Forgery (SSRF)
AnswerA

CSRF exploits the user's authenticated session to perform unauthorized actions.

Why this answer

The description matches Cross-Site Request Forgery (CSRF), where a malicious link triggers actions on a site where the victim is authenticated.

2
MCQmedium

A penetration tester identifies a web page that reflects user input in the response without proper encoding. The input is submitted via a GET parameter. Which type of cross-site scripting (XSS) is MOST likely present?

A.Blind XSS
B.Reflected XSS
C.DOM-based XSS
D.Stored XSS
AnswerB

The input is reflected immediately in the response, characteristic of reflected XSS.

Why this answer

Reflected XSS occurs when user input is immediately returned by the server in the response without proper sanitization, typically via GET parameters.

3
Multi-Selectmedium

During a penetration test, a tester finds a web application that reflects user input in the page without sanitization. Which TWO types of XSS are potentially exploitable in this scenario?

Select 2 answers
A.DOM-based XSS
B.Blind XSS
C.Self-XSS
D.Stored (persistent) XSS
E.Reflected XSS
AnswersA, E

DOM-based XSS occurs if client-side JavaScript processes the input unsafely.

Why this answer

Reflected XSS occurs when input is immediately returned in the response. DOM-based XSS occurs when client-side scripts process input unsafely. Stored XSS requires persistence on the server, which is not indicated.

4
MCQmedium

During a penetration test, you find a web application that includes files using a parameter like /index.php?page=about. When you change the parameter to /etc/passwd, the application returns the contents of the password file. Which vulnerability is present?

A.Local File Inclusion (LFI)
B.Remote File Inclusion (RFI)
C.Command Injection
D.Directory Traversal
AnswerA

The application includes a local file based on user input.

Why this answer

Local File Inclusion (LFI) allows an attacker to include local files on the server through path traversal or direct inclusion.

5
Multi-Selectmedium

An attacker is attempting to perform an Insecure Direct Object Reference (IDOR) attack on a web application. Which TWO conditions are necessary for this attack to succeed?

Select 2 answers
A.The application uses indirect object references (e.g., random tokens)
B.The application exposes direct references to internal objects (e.g., user IDs in URLs)
C.The application fails to validate the user's authorization for the requested object
D.The application has a CSRF vulnerability
E.The application implements strong access controls on every object
AnswersB, C

Direct references are necessary for IDOR.

Why this answer

IDOR exploits direct references to objects without proper authorization checks. The application must expose direct references (e.g., IDs in URLs) and fail to verify the user's permission to access the object.

6
MCQeasy

An attacker discovers that a web application's login form allows unlimited login attempts. The attacker uses a list of usernames and passwords obtained from a previous breach to gain access. This attack is known as:

A.Password spraying
B.Brute force attack
C.Dictionary attack
D.Credential stuffing
AnswerD

Using breached credentials to gain access.

Why this answer

Credential stuffing (option D) is correct because the attacker uses a list of known username/password pairs from a previous breach to automate login attempts against the web application. This attack exploits password reuse across services, not the weakness of the passwords themselves, and relies on the application's lack of rate limiting or account lockout mechanisms.

Exam trap

The trap here is that candidates confuse credential stuffing with a dictionary attack, but credential stuffing specifically uses known username-password pairs from a prior breach, not a generic wordlist of passwords.

How to eliminate wrong answers

Option A is wrong because password spraying involves trying a single common password (e.g., 'Password123') against many usernames, not using a list of known credential pairs. Option B is wrong because a brute force attack systematically tries all possible password combinations for a single username, which is computationally expensive and not based on a pre-compromised list. Option C is wrong because a dictionary attack uses a wordlist of potential passwords against a single username, but does not pair specific usernames with their previously compromised passwords.

7
MCQmedium

A web application allows users to access files using parameters like 'file=report.pdf'. A tester changes the parameter to '../../etc/passwd' and retrieves the system password file. This is an example of which attack?

A.Local file inclusion (LFI)
B.Remote file inclusion (RFI)
C.Command injection
D.Directory traversal
AnswerD

The use of '../' to escape the intended directory and read arbitrary files is classic directory traversal.

Why this answer

Directory traversal attacks exploit insufficient input validation to access files outside the intended directory by using '../' sequences.

8
Multi-Selectmedium

Which TWO of the following are effective defenses against CSRF attacks? (Choose 2.)

Select 2 answers
A.Setting the Secure flag on cookies
B.Using input validation to block special characters
C.Using anti-CSRF tokens that are validated on the server
D.Implementing SameSite cookie attribute (Lax or Strict)
E.Enabling the HttpOnly flag on session cookies
AnswersC, D

CSRF tokens are unique per request and verified by the server, ensuring the request originated from the legitimate site.

Why this answer

CSRF tokens and SameSite cookies both prevent cross-site request forgery. Double Submit Cookie is also a method but not listed. Custom headers are not a standard defense; the primary ones are CSRF tokens and SameSite cookies.

9
MCQmedium

A web server is found to have directory listing enabled for the /uploads folder. An attacker discovers a shell.php file uploaded earlier. Which attack is the attacker MOST likely to perform next?

A.File inclusion
B.Cross-site scripting
C.Remote code execution via uploaded shell
D.SQL injection
AnswerC

The attacker can locate the shell via directory listing and then access it to execute commands.

Why this answer

With directory listing, the attacker can find the path to the uploaded shell and then access it to execute commands on the server.

10
MCQmedium

An application is vulnerable to server-side request forgery (SSRF). An attacker exploits this to access internal services. Which of the following is a common indicator of SSRF?

A.The application uses user input in file inclusion functions like include()
B.The application includes a parameter like 'url=' that fetches remote resources
C.The application reflects user input in HTTP headers
D.The application stores user input in a database without sanitization
AnswerB

A 'url=' parameter that the server fetches is a classic SSRF vector.

Why this answer

SSRF vulnerabilities often appear where the application fetches URLs based on user input, such as 'url=' parameters, allowing the attacker to make the server request internal resources.

11
Multi-Selecteasy

Which TWO of the following are common tools used for web application security testing? (Choose 2)

Select 2 answers
A.Burp Suite
B.Wireshark
C.Nessus
D.OWASP ZAP
E.Metasploit
AnswersA, D

Burp Suite is a comprehensive platform for web application security testing.

Why this answer

Burp Suite and OWASP ZAP are both widely used web application security testing tools.

12
MCQhard

A penetration tester finds that a web application allows uploading a file with the name '../../var/www/html/shell.php'. The file is successfully written to the server. Which combination of vulnerabilities does this exploit?

A.Cross-Site Scripting (XSS) and CSRF
B.Local File Inclusion (LFI) and Remote File Inclusion (RFI)
C.Directory traversal and unrestricted file upload
D.SQL injection and command injection
AnswerC

The traversal path in the filename exploits directory traversal, and the ability to upload a PHP file indicates unrestricted file upload.

Why this answer

Directory traversal allows moving up directories, and unrestricted file upload allows writing a PHP shell, leading to remote code execution.

13
MCQmedium

During a web application penetration test, a security analyst intercepts a request using Burp Suite and notices the following parameter in the URL: /profile?user_id=123. By changing the user_id to 124, the analyst is able to view another user's profile. Which vulnerability is being exploited?

A.SQL Injection
B.Cross-Site Scripting (XSS)
C.Insecure Direct Object Reference (IDOR)
D.Cross-Site Request Forgery (CSRF)
AnswerC

The user_id parameter is manipulated to access another user's profile without authorization.

Why this answer

IDOR occurs when an application exposes a direct reference to an internal object (like a user ID) without proper authorization checks, allowing unauthorized access.

14
MCQmedium

A security analyst discovers that a web application's search box reflects user input without proper sanitization. However, the attacker must trick a victim into clicking a crafted link containing the malicious script. This vulnerability is classified as which type?

A.Blind XSS
B.Stored XSS
C.DOM-based XSS
D.Reflected XSS
AnswerD

Reflected XSS is non-persistent and requires the victim to click a crafted link containing the payload.

Why this answer

Reflected XSS requires user interaction (clicking a link) to execute the script in the victim's browser. The payload is not stored on the server, distinguishing it from stored XSS. DOM-based XSS does not involve server reflection.

15
MCQeasy

An attacker exploits an application by uploading a file that contains server-side script code, leading to arbitrary command execution on the web server. Which best describes this attack?

A.File inclusion (LFI)
B.Command injection
C.XSS
D.Directory traversal
AnswerB

Command injection occurs when an attacker can execute arbitrary commands on the server, often through file uploads that are executed.

Why this answer

File upload vulnerability allowing arbitrary code execution is a form of command injection or remote code execution (RCE).

16
MCQhard

During a penetration test, a tester uses the following payload in a search field: <script>alert(document.cookie)</script>. The payload is reflected in the response without sanitization. However, the tester notices that the attack only works when the payload is submitted via a POST request, not GET. Which type of XSS is this?

A.Stored XSS
B.Reflected XSS
C.DOM-based XSS
D.Self-XSS
AnswerB

The payload is reflected immediately, making it reflected XSS.

Why this answer

Reflected XSS occurs when the payload is reflected immediately in the response. The fact that it works via POST but not GET does not change the classification; it is still reflected XSS because the payload is not stored on the server. Some reflected XSS may be triggered only via POST parameters.

17
Multi-Selecthard

A web application is vulnerable to SQL injection. Which THREE of the following techniques can be used to extract data from the database using blind SQL injection?

Select 3 answers
A.Time-based
B.Error-based
C.Boolean-based
D.Out-of-band
E.Union-based
AnswersA, C, D

Time-based uses delays to infer true/false conditions.

Why this answer

Boolean-based, time-based, and out-of-band are all types of blind SQL injection. Error-based and union-based are in-band techniques, not blind.

18
Multi-Selectmedium

Which TWO of the following are types of SQL injection? (Select 2)

Select 2 answers
A.Stored
B.DOM-based
C.Union-based
D.Blind boolean-based
E.Reflected
AnswersC, D

Union-based is an in-band technique.

Why this answer

In-band SQL injection includes union-based and error-based. Blind SQL injection includes boolean-based and time-based. Out-of-band is another type.

19
MCQeasy

Which of the following Burp Suite tools is used to automatically fuzz web application inputs and identify common vulnerabilities like SQL injection and XSS?

A.Proxy
B.Repeater
C.Intruder
D.Scanner
AnswerC

Intruder allows automated fuzzing with payloads.

Why this answer

Burp Intruder is a tool for automating customized attacks against web applications, including fuzzing for vulnerabilities.

20
MCQmedium

A security analyst observes the following in Apache access logs: 'GET /cgi-bin/test.cgi?cmd=id HTTP/1.1' 200. This is most likely an attempt at which attack?

A.Command injection
B.Local File Inclusion (LFI)
C.SQL injection
D.Directory traversal
AnswerA

The parameter 'cmd' suggests the CGI script passes input to a shell, allowing command injection.

Why this answer

The 'cmd' parameter in a CGI script is a common indicator of command injection, where the attacker tries to execute system commands.

21
MCQmedium

A security analyst wants to check if a web application is vulnerable to Server-Side Request Forgery (SSRF). Which of the following actions would be most effective?

A.Submit a base64-encoded payload in a cookie
B.Use SQLMap with a time-based payload
C.Modify the Host header to point to localhost
D.Send a request with a URL parameter pointing to an internal IP address
AnswerD

SSRF occurs when the server fetches a URL provided by the attacker; pointing to an internal IP tests for SSRF.

Why this answer

Crafting a request that makes the server fetch an internal IP address (like 127.0.0.1) and observing if the response includes data from that internal resource is a good test for SSRF.

22
MCQhard

An analyst reviews the following HTTP response: HTTP/1.1 200 OK Set-Cookie: sessionid=abc123; SameSite=None; Secure ... <html><body><p>Welcome back!</p></body></html>. What possible vulnerability exists if the application does not use CSRF tokens?

A.Cross-site request forgery (CSRF)
B.Clickjacking
C.Cross-site scripting (XSS)
D.Session fixation
AnswerA

With SameSite=None, cookies are sent on cross-site requests, and without CSRF tokens, the application is vulnerable to CSRF.

Why this answer

SameSite=None allows cross-site requests to include cookies, making CSRF possible if no CSRF tokens are used. SameSite=Lax or Strict would block some CSRF attacks.

23
Multi-Selectmedium

A security analyst notices that a web application's search functionality returns database error messages in the response. The analyst suspects SQL injection. Which TWO techniques should the analyst use to confirm and exploit this vulnerability? (Choose TWO.)

Select 2 answers
A.Use out-of-band SQL injection with DNS exfiltration
B.Use a time-based blind SQL injection with SLEEP() function
C.Leverage error-based SQL injection with CONVERT() or double query
D.Use SQLMap with --union-col and --union-from flags
E.Implement parameterized queries in the application code
AnswersC, D

Error-based injection exploits verbose error messages to extract data.

Why this answer

Union-based SQL injection uses UNION SELECT to retrieve data from other tables. Error-based SQL injection leverages database error messages to extract information. Both are common in-band techniques suitable when errors are displayed.

24
MCQhard

While analyzing web server logs, an analyst finds the following entry: GET /../../../../etc/passwd HTTP/1.1 with a 200 OK response. Which vulnerability is indicated, and what is the MOST likely impact?

A.Command injection; remote shell access
B.Directory traversal; reading sensitive files
C.SQL injection; data exfiltration
D.Remote File Inclusion (RFI); arbitrary code execution
AnswerB

The '../' patterns and the file path indicate directory traversal, resulting in file disclosure.

Why this answer

The path contains '../' sequences indicating directory traversal. A 200 response suggests the attacker successfully read the /etc/passwd file, leading to disclosure of system user accounts. This can aid further attacks like password cracking.

25
Multi-Selectmedium

Which TWO of the following are effective mitigations against Cross-Site Request Forgery (CSRF)?

Select 2 answers
A.Using SameSite cookies
B.Input validation
C.Using anti-CSRF tokens
D.Using HTTPOnly cookies
E.Using CSRF tokens
AnswersA, E

SameSite cookies restrict cookie sending on cross-site requests, mitigating CSRF.

Why this answer

CSRF tokens and SameSite cookies are standard defenses. The other options do not prevent CSRF: input validation does not; anti-CSRF tokens are synonymous; referer header validation is weak.

26
MCQeasy

Which of the following best describes the attack where an attacker uses a valid session token to impersonate a user without needing to authenticate?

A.Cross-site scripting
B.Session hijacking
C.Phishing
D.Brute-force attack
AnswerB

Session hijacking uses a valid session token to take over a user's session.

Why this answer

Session hijacking involves stealing or using a valid session token to impersonate a user, bypassing authentication.

27
MCQeasy

Which of the following tools is commonly used to automate the detection and exploitation of SQL injection vulnerabilities?

A.SQLMap
B.Metasploit
C.Nmap
D.Burp Suite
AnswerA

SQLMap is designed to automate SQL injection detection and exploitation.

Why this answer

SQLMap is a widely used open-source tool that automates the process of detecting and exploiting SQL injection flaws in web applications.

28
MCQmedium

A web application uses a URL parameter to fetch a file from the server, e.g., 'download.php?file=report.pdf'. An attacker changes the parameter to '../../etc/passwd' and retrieves the password file. This attack is known as:

A.Command injection
B.Local File Inclusion (LFI)
C.Directory traversal
D.Server-Side Request Forgery (SSRF)
AnswerC

The use of '../' to navigate directories is characteristic of directory traversal.

Why this answer

Directory traversal (also known as path traversal) allows an attacker to access files outside the intended directory by using '../' sequences.

29
Multi-Selectmedium

An application uses the SameSite cookie attribute. Which TWO of the following are valid values for this attribute and their purposes? (Select two)

Select 2 answers
A.Lax - Cookie is sent for top-level navigations with safe methods
B.None - Cookie is sent on all cross-site requests
C.Secure - Cookie is sent only over HTTPS
D.HttpOnly - Cookie is inaccessible to JavaScript
E.Strict - Cookie is sent only for same-site requests
AnswersA, E

Lax allows cookies for top-level GET requests from other sites.

Why this answer

SameSite can be set to 'Lax' (default) which allows cookies for top-level navigations, or 'Strict' which prevents cookies on cross-site requests. 'None' requires Secure flag but is used for cross-site.

30
Multi-Selectmedium

Which TWO of the following attacks can be prevented by properly validating and sanitizing user input? (Select 2)

Select 2 answers
A.Cross-Site Request Forgery (CSRF)
B.SQL injection
C.Man-in-the-Middle (MitM) attack
D.Clickjacking
E.Cross-Site Scripting (XSS)
AnswersB, E

Input validation/sanitization can prevent SQL injection (e.g., parameterized queries).

Why this answer

SQL injection and XSS are both injection attacks that can be prevented by input validation and sanitization. CSRF requires tokens, and clickjacking requires frame-busting headers.

31
Multi-Selectmedium

Which TWO of the following are effective mitigations against Clickjacking attacks? (Choose 2)

Select 2 answers
A.Enable HTTP Strict-Transport-Security (HSTS)
B.Set Content-Security-Policy: frame-ancestors 'none'
C.Use CSRF tokens
D.Set X-Frame-Options: DENY
E.Set SameSite cookies to Strict
AnswersB, D

CSP frame-ancestors controls which domains can embed the page.

Why this answer

X-Frame-Options header and Content-Security-Policy frame-ancestors directive are both effective against clickjacking.

32
Multi-Selecteasy

Which TWO of the following are common types of SQL injection attacks?

Select 2 answers
A.Blind SQL injection (boolean-based)
B.Out-of-band SQL injection
C.In-band SQL injection (union-based)
D.Heap-based SQL injection
E.NoSQL injection
AnswersA, C

Blind SQL injection does not return data directly; it infers information from server responses.

Why this answer

In-band SQLi (union-based) uses the same channel to inject and retrieve data. Blind SQLi (boolean-based or time-based) does not return data directly but infers information from behavior. NoSQL injection is a separate category.

Heap-based is not a recognized SQLi type. Out-of-band is a third type but not listed among the options; the question asks for common types.

33
MCQeasy

Which of the following is a symptom of a successful command injection attack?

A.The server returns a 404 error
B.The output of the 'id' command appears in the response
C.The HTTP response header contains 'Server: Apache'
D.The page loads slower than usual
AnswerB

If the command executes, its output may be reflected.

Why this answer

Command injection allows execution of system commands; using 'id' is a common test to confirm.

34
MCQmedium

A penetration tester is using SQLMap to automate exploitation of a SQL injection vulnerability found in a login form. The tester wants to retrieve the names of all databases on the backend MySQL server. Which SQLMap flag should be used?

A.--dbs
B.--current-db
C.--schema
D.--tables
AnswerA

--dbs lists all databases on the server.

Why this answer

The --dbs flag in SQLMap enumerates all databases on the database server.

35
MCQhard

An attacker intercepts a request and notices that the server reflects the value of the 'User-Agent' header in the response without sanitization. The attacker crafts a payload that triggers an alert box. This is an example of:

A.HTTP header injection
B.DOM-based XSS
C.Stored XSS
D.Reflected XSS
AnswerD

The server reflects the header value unsanitized, leading to reflected XSS.

Why this answer

Reflected XSS occurs when the application immediately returns the user input in the response; here, the User-Agent header is reflected.

36
MCQmedium

During a web application penetration test, a tester uses Burp Suite's Intruder tool to automate a series of login attempts using a list of common passwords. Which attack type is being performed?

A.Credential stuffing
B.Brute force attack
C.Dictionary attack
D.Password spraying
AnswerA

Credential stuffing involves using lists of known passwords (often from data breaches) to gain unauthorized access.

Why this answer

Credential stuffing uses a list of known passwords, while password spraying uses a few passwords against many accounts. Brute force is typically many passwords per account. The description best matches credential stuffing.

37
MCQeasy

Which of the following tools is specifically designed to automate the detection and exploitation of SQL injection vulnerabilities?

A.Metasploit
B.Nmap
C.SQLMap
D.Burp Suite
AnswerC

SQLMap is the standard tool for automated SQL injection detection and exploitation.

Why this answer

SQLMap is a well-known open-source tool that automates the process of detecting and exploiting SQL injection flaws.

38
Multi-Selecteasy

Which TWO of the following are common indicators of a command injection vulnerability? (Select 2)

Select 2 answers
A.The application allows input of shell metacharacters like ;, &&, or |
B.The application reflects user input in the page without encoding
C.The application returns database error messages
D.The application uses parameterized queries for database access
E.The application executes system commands and returns output
AnswersA, E

These metacharacters can be used to chain commands.

Why this answer

Command injection typically involves injecting shell metacharacters (;, &&, |) and can be confirmed by observing time delays with sleep commands.

39
MCQmedium

Which Burp Suite tool is most appropriate for modifying and re-sending a single HTTP request multiple times with different payloads to test for SQL injection?

A.Repeater
B.Intruder
C.Proxy
D.Scanner
AnswerB

Intruder allows sending multiple requests with different payloads to test for vulnerabilities like SQL injection.

Why this answer

Burp Intruder is designed for automated customized attacks, allowing you to send many requests with varying payloads to a single target endpoint.

40
Multi-Selectmedium

Which TWO of the following are effective mitigations against Cross-Site Request Forgery (CSRF) attacks? (Select 2)

Select 2 answers
A.Setting SameSite cookies to Lax or Strict
B.Input validation
C.Implementing CSRF tokens in forms
D.Using CAPTCHA
E.Using HTTPS only
AnswersA, C

SameSite cookies restrict when cookies are sent with cross-site requests, mitigating CSRF.

Why this answer

CSRF tokens ensure the request originates from the legitimate site; SameSite cookies prevent the browser from sending cookies on cross-site requests.

41
Multi-Selectmedium

A penetration tester uses Burp Suite to intercept and modify web traffic. Which TWO features in Burp Suite would be MOST useful for performing a brute-force attack on a login form? (Choose TWO.)

Select 2 answers
A.Burp Scanner
B.Burp Proxy
C.Burp Decoder
D.Burp Intruder
E.Burp Repeater
AnswersB, D

Proxy captures the login request, which can then be sent to Intruder.

Why this answer

Intruder is designed for automated brute-forcing with payloads. Proxy allows interception and manipulation of requests before sending to Intruder. Repeater is for manual requests, not automated attacks.

Scanner is for vulnerability scanning, not brute-forcing.

42
Multi-Selectmedium

During a web application test, the tester finds that the application includes user-supplied file names in include() statements. Which TWO of the following are indicators of a Remote File Inclusion (RFI) vulnerability? (Choose TWO.)

Select 2 answers
A.The application includes files from http://attacker.com/shell.txt
B.The application includes files with '..' and '/' sequences
C.The application includes /etc/passwd in the response
D.The application includes files with .inc extension
E.The application allows inclusion of files from external FTP servers
AnswersA, E

Inclusion of a remote URL indicates RFI.

Why this answer

RFI allows inclusion of remote files via HTTP/HTTPS URLs. Directory traversal with ../ is more typical of LFI. Inclusion of local files like /etc/passwd indicates LFI, not RFI.

43
MCQmedium

A web application allows users to upload profile pictures. An attacker uploads a file named "profile.php" containing malicious PHP code. When the attacker visits the uploaded file's URL, the code executes. Which vulnerability is being exploited?

A.Directory traversal
B.Command injection
C.File upload vulnerability
D.Stored XSS
AnswerC

The attacker uploaded a malicious PHP file that executes, indicating a file upload vulnerability.

Why this answer

The application fails to validate the file type or restrict execution, allowing a malicious PHP file to be uploaded and executed on the server, which is a classic file upload vulnerability leading to remote code execution.

44
MCQhard

A web server is configured with WebDAV and allows PUT requests. An attacker uploads a .asp file and accesses it to execute code. Which tool or method is most directly associated with exploiting this misconfiguration?

A.SQL injection
B.File upload vulnerability
C.Directory brute forcing
D.Cross-site scripting (XSS)
AnswerB

The ability to upload and execute arbitrary files via WebDAV PUT is a file upload vulnerability.

Why this answer

WebDAV with PUT enabled allows attackers to upload arbitrary files, including web shells, leading to remote code execution.

45
MCQmedium

A web application allows users to upload profile pictures. The application uses the filename provided by the user to save the file on the server. An attacker uploads a file named 'malicious.php%00.png' and the server saves it as 'malicious.php'. Which vulnerability is being exploited?

A.Directory traversal
B.Command injection
C.Null byte injection
D.Cross-Site Scripting (XSS)
AnswerC

Null byte injection exploits the null byte character to truncate strings, bypassing file extension filters.

Why this answer

This is a null byte injection attack, where the %00 (null byte) terminates the string, bypassing extension checks to upload a PHP file.

46
MCQhard

A web application has an endpoint that takes a URL parameter and fetches content from that URL, returning it to the user. An attacker supplies 'file:///etc/passwd' and reads the server's passwd file. Which vulnerability is this?

A.Command injection
B.Remote File Inclusion (RFI)
C.Server-Side Request Forgery (SSRF)
D.Directory traversal
AnswerC

The server is tricked into making requests to internal resources via file:// protocol.

Why this answer

This is SSRF because the server is making requests to internal resources based on user input; file:// is a protocol that can be used for local file access.

47
MCQhard

A penetration tester finds that a web application accepts XML input and returns the parsed data in the response. The tester submits the following payload: <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>. The server returns the contents of /etc/passwd. Which vulnerability is being exploited?

A.SSRF
B.Command injection
C.XXE injection
D.XPath injection
AnswerC

The payload uses an external entity to read a file, which is XXE.

Why this answer

The payload defines an external entity (XXE) that reads a local file, indicating an XML External Entity (XXE) injection vulnerability.

48
Multi-Selectmedium

Which THREE of the following are common types of SQL injection attacks? (Select three)

Select 3 answers
A.Reflected SQL injection
B.Stored SQL injection
C.Out-of-band SQL injection
D.Blind SQL injection
E.In-band SQL injection
AnswersC, D, E

Out-of-band uses a different channel (e.g., DNS) to exfiltrate data.

Why this answer

In-band SQL injection (including error-based and union-based) are classic types. Blind SQL injection (boolean-based and time-based) are also common. Out-of-band is less common but still a type.

49
MCQeasy

Which of the following is a primary defense mechanism against Cross-Site Request Forgery (CSRF) attacks?

A.Input validation and output encoding
B.Enforcing CAPTCHA on all forms
C.Using SameSite cookies
D.Implementing CSRF tokens
AnswerD

CSRF tokens are the most common and effective defense against CSRF attacks.

Why this answer

CSRF tokens are unique, unpredictable values included in requests that the server validates to ensure the request is intentional. SameSite cookies help but are not the primary defense; CAPTCHA and input validation are not standard CSRF mitigations.

50
MCQhard

A web application uses an XML parser to process user-supplied XML documents. An attacker submits the following payload: <?xml version='1.0'?><!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]><root>&xxe;</root>. Which vulnerability is being exploited?

A.Server-Side Request Forgery (SSRF)
B.XPath injection
C.XML External Entity (XXE) injection
D.SQL injection
AnswerC

The attacker defines an external entity to read a local file, which is XXE.

Why this answer

The payload defines an external entity that reads a local file, which is classic XXE (XML External Entity) injection.

51
MCQmedium

During a web application penetration test, a tester uses Burp Suite's Repeater tool to manually manipulate a request and observe the response. After sending the same request multiple times, the application returns a 302 redirect pointing to a login page. What is the MOST likely cause?

A.The server is rate-limiting the requests
B.A cross-site request forgery (CSRF) token mismatch occurred
C.The session token has expired and the user must re-authenticate
D.The server detected the use of a proxy and blocked the request
AnswerC

After repeated requests without refreshing the session, the token may expire, causing a redirect to the login page.

Why this answer

A 302 redirect to a login page typically indicates that the session has expired or the tester's session is no longer valid. The application is redirecting to enforce authentication.

52
MCQmedium

A security team wants to test their web application for vulnerabilities. Which Burp Suite tool is BEST suited for automating attacks like brute-force or fuzzing?

A.Proxy
B.Repeater
C.Intruder
D.Scanner
AnswerC

Intruder automates payload delivery for brute-force, fuzzing, etc.

Why this answer

Intruder is designed for automated customized attacks including brute-force, fuzzing, and credential stuffing.

53
Multi-Selectmedium

Which TWO of the following are valid techniques used in password spraying attacks? (Choose 2.)

Select 2 answers
A.Using previously compromised username/password pairs from a breach
B.Capturing keystrokes to obtain a user's password
C.Trying every possible password from a dictionary against a single username
D.Using a list of common passwords (e.g., 'Password123', 'Welcome1') against a large set of usernames
E.Attempting a single common password across multiple users, then trying the next common password
AnswersD, E

This is the essence of password spraying: try a few weak passwords on many accounts to avoid lockout.

Why this answer

Password spraying uses a few common passwords against many accounts to avoid lockouts. Credential stuffing uses known username/password pairs from breaches. Dictionary attack uses a list of words.

Brute force tries many passwords on one account. Keylogging is passive.

54
MCQhard

During a penetration test, the tester finds that the Apache server is configured with directory listing enabled on the /uploads directory. The tester navigates to http://example.com/uploads/ and sees a list of files. Which of the following is the MOST immediate security concern?

A.Sensitive files may be exposed to unauthorized users
B.The server is running an outdated version of Apache
C.The server is vulnerable to cross-site scripting (XSS) attacks
D.An attacker can upload malicious files to the directory
AnswerA

Directory listing can expose file names and allow access to sensitive files if they are not protected.

Why this answer

Directory listing exposes file names that may reveal sensitive information (e.g., backup files, config files). Attackers can then attempt to access these files directly, potentially leading to data disclosure.

55
Multi-Selecthard

Which THREE of the following are common indicators of a Server-Side Request Forgery (SSRF) vulnerability? (Select 3)

Select 3 answers
A.The server returns data from internal services like http://localhost/ or http://192.168.x.x/
B.The application supports file:// or dict:// URL schemes in user input
C.The application reflects user input in the page source without encoding
D.The application accepts a URL parameter that is fetched by the server
E.The server responds with a different delay when a URL is provided versus a non-URL input
AnswersA, B, D

Responses containing data from internal IPs indicate the server made requests to internal resources.

Why this answer

SSRF often involves requests to internal IPs or services, use of URL schemas like file://, and responses including internal data.

56
MCQeasy

Which of the following tools is specifically designed to automate the exploitation of SQL injection vulnerabilities and retrieve data from databases?

A.Metasploit
B.Nmap
C.Burp Suite
D.SQLMap
AnswerD

SQLMap is the industry-standard tool for automated SQL injection.

Why this answer

SQLMap is an open-source tool that automates detection and exploitation of SQL injection flaws.

57
MCQmedium

A security analyst observes a web application returning database error messages containing table names and column names in the HTTP response. Which type of SQL injection is MOST likely being exploited?

A.Blind SQL injection (boolean-based)
B.Union-based SQL injection
C.Error-based SQL injection
D.Out-of-band SQL injection
AnswerC

Error-based SQL injection uses database error messages to extract information.

Why this answer

Error-based SQL injection (in-band) relies on error messages from the database to extract information. The presence of database details in errors indicates error-based injection.

58
Multi-Selectmedium

Which TWO of the following are effective defenses against Cross-Site Request Forgery (CSRF) attacks? (Select 2)

Select 2 answers
A.Using anti-CSRF tokens
B.Setting the SameSite attribute on cookies
C.Enabling HTTP Strict Transport Security (HSTS)
D.Implementing input validation on all user inputs
E.Using Content Security Policy (CSP) headers
AnswersA, B

Tokens are a primary defense.

Why this answer

CSRF tokens are unique per request and validated server-side. SameSite cookies restrict cookie sending to same-site requests.

59
MCQmedium

During a web application penetration test, a tester submits a comment containing '<script>alert("XSS")</script>' and the script executes for all users who view the comment. Which type of cross-site scripting (XSS) vulnerability is present?

A.Blind XSS
B.Reflected XSS
C.DOM-based XSS
D.Stored (persistent) XSS
AnswerD

The script is stored and executed for all users, indicating stored XSS.

Why this answer

Stored (persistent) XSS occurs when the injected script is permanently stored on the server (e.g., in a database) and executed for every user who accesses that content.

60
MCQmedium

An attacker uses the following URL pattern to access files: http://example.com/../../etc/passwd. Which attack is being attempted?

A.Command injection
B.Local file inclusion (LFI)
C.Directory traversal
D.Remote file inclusion (RFI)
AnswerC

The use of ../ is characteristic of directory traversal attacks.

Why this answer

Directory traversal (path traversal) uses ../ sequences to access files outside the web root.

61
MCQhard

An application allows users to upload XML files for processing. A tester uploads the following payload: <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>. The server returns the contents of /etc/passwd. Which attack is being performed?

A.XML External Entity (XXE) injection
B.SQL injection
C.Cross-Site Scripting (XSS)
D.Server-Side Request Forgery (SSRF)
AnswerA

The DOCTYPE and entity declaration are classic XXE, and the file read confirms it.

Why this answer

This is an XML External Entity (XXE) injection attack, where an external entity is defined to read a local file. The server's XML parser processes the entity and reflects the file content, confirming the vulnerability.

62
MCQmedium

During a web application test, a penetration tester intercepts a request using Burp Suite Proxy, modifies the 'Referer' header, and resends the request. The application processes the request despite the modified header. Which attack is the tester attempting to validate?

A.Server-Side Request Forgery (SSRF)
B.Cross-Site Scripting (XSS)
C.Cross-Site Request Forgery (CSRF)
D.SQL injection
AnswerC

CSRF defenses sometimes check the Referer header; modifying it tests this defense.

Why this answer

CSRF (Cross-Site Request Forgery) attacks often rely on the Referer header for validation. By modifying it, the tester checks if the application validates the header. If the request is processed, the application is vulnerable to CSRF.

63
MCQeasy

A security team is implementing measures to prevent cross-site request forgery (CSRF) attacks. Which of the following is the most effective mitigation technique?

A.Enabling SSL/TLS
B.Using HTTP GET for all form submissions
C.Implementing CSRF tokens
D.Using input validation
AnswerC

CSRF tokens are the standard defense against CSRF attacks.

Why this answer

CSRF tokens are unique, unpredictable values that must be included in state-changing requests, ensuring the request originated from the legitimate site.

64
MCQeasy

An attacker attempts to log into a web application by trying many common passwords for a list of known usernames. Which type of authentication attack is this?

A.Dictionary attack
B.Credential stuffing
C.Password spraying
D.Brute force attack
AnswerC

Password spraying uses a few common passwords across many accounts.

Why this answer

Password spraying involves using a few common passwords against many usernames to avoid account lockouts, as opposed to brute force (many passwords on one account) or credential stuffing (using known username/password pairs).

65
MCQhard

During an assessment, a tester discovers that the web application accepts XML input and returns the parsed data. The tester submits the following payload: <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>. The response contains the contents of /etc/passwd. This vulnerability is known as:

A.Local File Inclusion (LFI)
B.Server-Side Request Forgery (SSRF)
C.XML External Entity (XXE) Injection
D.SQL injection
AnswerC

XXE exploits XML parsers to read files or perform SSRF.

Why this answer

The payload defines an external entity that reads a local file, a classic XXE (XML External Entity) injection.

66
MCQeasy

Which HTTP method is commonly used by WebDAV to upload files to a web server, and if misconfigured, could allow an attacker to upload malicious scripts?

A.DELETE
B.GET
C.POST
D.PUT
AnswerD

PUT is the HTTP method used to upload files in WebDAV.

Why this answer

The PUT method allows uploading resources to the server, and if enabled without proper controls, can be exploited to upload malicious files.

67
MCQmedium

A security team deployed a web application firewall (WAF) that blocks requests containing SQL keywords like 'SELECT', 'UNION', and 'DROP'. An attacker bypasses the WAF by encoding the payload in base64 and using a SQL injection tool that decodes it server-side. Which mitigation would be MOST effective against this?

A.Increase WAF sensitivity to block base64-encoded strings
B.Implement prepared statements with parameterized queries
C.Disable error messages to hide database errors
D.Use a more restrictive input validation regex
AnswerB

Prepared statements eliminate SQL injection by using placeholders for user input.

Why this answer

Prepared statements (parameterized queries) prevent SQL injection by separating query structure from data, regardless of encoding. WAF bypasses are mitigated by using proper coding practices.

68
MCQhard

A web server running IIS 8.5 is found to have WebDAV enabled with write permissions. Which attack is MOST likely to be successful against this configuration?

A.Cross-Site Request Forgery (CSRF)
B.SQL injection
C.File upload leading to remote code execution
D.Directory traversal
AnswerC

WebDAV write permissions enable uploading executable files.

Why this answer

WebDAV with write permissions allows attackers to upload files (e.g., web shells) to the server, leading to remote code execution.

69
MCQeasy

Which of the following is a primary purpose of the SameSite cookie attribute in mitigating CSRF attacks?

A.To limit the cookie to a specific path
B.To encrypt the cookie value
C.To prevent the cookie from being sent in cross-origin requests, mitigating CSRF
D.To restrict the cookie to HTTPS connections only (Secure flag)
AnswerC

SameSite prevents cookies from being sent in cross-site requests, which is a key defense against CSRF.

Why this answer

SameSite cookie attribute (Strict, Lax, or None) controls when cookies are sent in cross-site requests. Setting SameSite to Lax or Strict prevents the browser from sending cookies on cross-site POST requests, thus mitigating CSRF.

70
Multi-Selecteasy

Which TWO of the following are commonly used to mitigate SQL injection vulnerabilities? (Select 2)

Select 2 answers
A.Stored procedures
B.Output encoding
C.Input validation
D.Parameterized queries
E.HTTPS encryption
AnswersA, D

Stored procedures can be safe if parameterized correctly.

Why this answer

Parameterized queries and stored procedures (when used correctly) prevent SQL injection by separating SQL logic from data.

71
MCQhard

A web application takes a URL from user input and fetches the content to display on the page. An attacker submits a URL pointing to an internal service like http://localhost:8080/admin. The server retrieves the internal resource and returns it. What is this attack?

A.Cross-Site Scripting (XSS)
B.Server-Side Request Forgery (SSRF)
C.Directory Traversal
D.Remote File Inclusion (RFI)
AnswerB

The server is tricked into making a request to an internal resource.

Why this answer

Server-Side Request Forgery (SSRF) occurs when a server makes requests to internal resources based on user-supplied URLs.

72
Multi-Selectmedium

Which THREE of the following are common indicators of an ongoing brute-force attack against a web application?

Select 3 answers
A.A single user account being locked out repeatedly
B.Login requests arriving at an unusually high frequency
C.Many different usernames being targeted from the same IP
D.Successful logins from unusual geographic locations
E.A high number of failed login attempts from a single IP address
AnswersB, C, E

High frequency suggests automated tool.

Why this answer

Multiple failed logins from the same IP, high frequency of login requests, and many different usernames tried from one source are typical signs of brute-force.

73
MCQhard

A tester sends the following payload to a web application: %3Cscript%3Ealert('XSS')%3C/script%3E. The application echoes back the decoded payload in the response without sanitization. This behavior is typical of which type of vulnerability?

A.HTTP Response Splitting
B.DOM-based XSS
C.Stored XSS
D.Reflected XSS
AnswerD

The input is reflected in the response unsanitized.

Why this answer

The payload is URL-encoded HTML and is decoded and reflected, indicating reflected XSS.

74
MCQmedium

A security analyst notices that the web application returns different response times when a valid username is submitted versus an invalid one during login. Which type of vulnerability is likely being exploited?

A.Time-based SQL injection
B.Reflected XSS
C.Blind boolean-based SQL injection
D.CSRF
AnswerA

Time-based SQL injection uses database delay functions (e.g., SLEEP()) to infer information based on response times.

Why this answer

Time-based SQL injection involves injecting SQL code that causes the database to pause if a condition is true, allowing an attacker to infer information based on response times. The observed difference in response times for valid vs. invalid usernames is characteristic of this technique.

75
MCQhard

An attacker wants to perform a CSRF attack against a banking application. The application uses SameSite cookies set to 'Strict'. The attacker hosts a malicious page on their own domain. When the victim visits the malicious page, which of the following statements is TRUE regarding the CSRF attack?

A.The attack will succeed because cookies are sent regardless of SameSite settings.
B.The attack will succeed because the attacker can bypass SameSite using GET requests.
C.The attack will fail because CSRF requires POST requests and the malicious page only uses GET.
D.The attack will fail because the browser will not include the session cookie with the cross-origin request.
AnswerD

SameSite=Strict prevents cookie inclusion on cross-origin requests, defeating CSRF.

Why this answer

SameSite=Strict prevents cookies from being sent on cross-site requests, effectively blocking CSRF attacks if the attacker cannot control the origin.

Page 1 of 3 · 172 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Ceh Web Injection questions.