CEH · topic practice

Web Application and Injection Attacks practice questions

Practise Certified Ethical Hacker (CEH) Web Application and Injection Attacks questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Web Application and Injection Attacks

What the exam tests

What to know about Web Application and Injection Attacks

Web Application and Injection Attacks questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Web Application and Injection Attacks exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Web Application and Injection Attacks questions

20 questions · select your answer, then reveal the explanation

A security analyst notices that the web application returns different response times when a valid username is submitted versus an invalid one during login. Which type of vulnerability is likely being exploited?

Which of the following tools is commonly used to automate the detection and exploitation of SQL injection vulnerabilities?

A penetration tester intercepts the following request using Burp Suite:

    POST /change_password HTTP/1.1
    Host: example.com
    Cookie: sessionid=abc123; SameSite=Lax
    Content-Type: application/x-www-form-urlencoded

    new_password=Hacker123

The tester successfully crafts a CSRF attack by embedding a hidden form in a malicious page. Which mitigation is most likely missing?

A web application allows users to upload profile pictures. An attacker uploads a file named "profile.php" containing malicious PHP code. When the attacker visits the uploaded file's URL, the code executes. Which vulnerability is being exploited?

An analyst observes the following log entry on a web server: GET /../../etc/passwd HTTP/1.1 200. Which type of attack is indicated?

During a penetration test, a tester uses the following payload in a search field: <script>alert(document.cookie)</script>. The payload is reflected in the response without sanitization. However, the tester notices that the attack only works when the payload is submitted via a POST request, not GET. Which type of XSS is this?

Which of the following is the primary purpose of using a CSRF token in a web application?

A web application uses user input in the following PHP code: include($_GET['page'] . '.php');. An attacker submits the URL: http://example.com/index.php?page=../../../../etc/passwd%00. Which two vulnerabilities are being attempted?

Which Burp Suite tool is most appropriate for modifying and re-sending a single HTTP request multiple times with different payloads to test for SQL injection?

A penetration tester finds that a web application accepts XML input and returns the parsed data in the response. The tester submits the following payload: <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>. The server returns the contents of /etc/passwd. Which vulnerability is being exploited?

An attacker attempts to log into a web application by trying many common passwords for a list of known usernames. Which type of authentication attack is this?

A security analyst wants to check if a web application is vulnerable to Server-Side Request Forgery (SSRF). Which of the following actions would be most effective?

Which TWO of the following are effective mitigations against Cross-Site Request Forgery (CSRF)?

A web application is vulnerable to SQL injection. Which THREE of the following techniques can be used to extract data from the database using blind SQL injection?

Which TWO of the following are characteristics of stored (persistent) XSS?

A security analyst observes that after a user submits a comment on a blog, the comment is displayed immediately on the page without sanitization. Another user visits the page and the comment's JavaScript executes in their browser. Which type of XSS attack is this?

Which of the following tools is primarily used for automated SQL injection exploitation and database fingerprinting?

A penetration tester needs to perform a brute-force attack on a web application login form. Which Burp Suite tool is specifically designed for automating parameterized attacks like password guessing?

A web application uses a parameter 'file' to include server-side files. The following request is intercepted: GET /page.php?file=../../../etc/passwd HTTP/1.1. The response contains the contents of /etc/passwd. This vulnerability is most likely which of the following?

Which of the following is a recommended defense against Cross-Site Request Forgery (CSRF) attacks?


Focused Web Application and Injection Attacks sessions

Start a Web Application and Injection Attacks-only practice session

Every question in these sessions is drawn from the Web Application and Injection Attacks domain — nothing else.

Related practice questions

Related CEH topic practice pages

Move into related areas when this topic feels solid.

  • Footprinting, Reconnaissance and Scanning practice questions
  • Enumeration and System Hacking practice questions
  • Malware, Social Engineering and Network Attacks practice questions
  • Web Application and Injection Attacks practice questions
  • Introduction to Ethical Hacking practice questions
  • Scanning Networks and Enumeration practice questions
  • Vulnerability Analysis and System Hacking practice questions
  • Advanced Topics: Wireless, Cloud, IoT, Cryptography practice questions
  • Footprinting and Reconnaissance practice questions
  • Network and Web Application Attacks practice questions
  • Wireless, IoT and Cloud Security practice questions
  • Cryptography and Malware Analysis practice questions

Frequently asked questions

What does the CEH exam test about Web Application and Injection Attacks?
Web Application and Injection Attacks questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Web Application and Injection Attacks questions in a focused session?
Yes — the session launcher on this page draws every question from the Web Application and Injection Attacks domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CEH topics?
Use the topic links above to move to related areas, or go back to the CEH question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CEH exam covers. They are not copied from any real exam or dump site.