Network and Web Application Attacks practice questions

Practise Certified Ethical Hacker (CEH) Network and Web Application Attacks questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
19 questions · Domain: Network and Web Application Attacks

What the exam tests

What to know about Network and Web Application Attacks

Network and Web Application Attacks questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Network and Web Application Attacks exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Network and Web Application Attacks questions

19 questions · select your answer, then reveal the explanation

During a penetration test, you notice that a web application accepts user input and displays it directly in the browser without sanitization. Which attack is most likely to succeed?

As a network defender, you notice an unusually high number of incomplete TCP three-way handshakes from a single external IP to multiple internal hosts. What is the most likely attack taking place?

A security analyst is configuring a web application firewall (WAF) to protect against SQL injection. Which HTTP parameter location should the analyst focus on to block malicious SQL queries?

You are performing a web application security assessment and discover that the application uses a hidden form field named 'price' to store the product price. The price is submitted with the form and used to process payments. Which attack would allow you to purchase an item for a lower price?

A network administrator wants to prevent an attacker from using a network sniffer to capture traffic between a client and a web server. Which protocol should be enforced to encrypt all communication?

Which TWO of the following are common web application vulnerabilities that allow an attacker to inject malicious code? (Select exactly 2)

Question 7 · hard · multi select

Which THREE of the following are effective countermeasures against DNS poisoning attacks? (Select exactly 3)
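
A resolver's defence against poisoning is mostly about refusing to cache anything it did not ask for. The Python below is an added example written for this page (it is not Courseiva's code) that shows three of the usual countermeasures as one accept/reject decision: random transaction IDs, random source ports, and a bailiwick check that drops records the answering server is not authoritative for. DNSSEC validation, the fourth, needs real signed data and is not shown. The `PendingQuery` and `Reply` records, the `example.com` names and the `victim-bank.test` glue record are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Added example: resolver-side checks against cache poisoning. Names, records and the
# helper functions are illustrative assumptions, not from the original page.


@dataclass
class PendingQuery:
    qname: str
    txid: int      # 16-bit DNS transaction ID chosen by the resolver
    sport: int     # UDP source port the query left from


@dataclass
class Reply:
    txid: int
    dport: int                 # port the reply arrived on
    qname: str                 # question section echoed back by the server
    answers: list              # (name, rrtype, value) tuples
    additional: list = field(default_factory=list)


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def new_query(qname: str) -> PendingQuery:
    """Randomise both the ID and the source port: a blind spoofer must hit ~2^16 * ~2^16 combinations."""
    txid = secrets.randbelow(1 << 16)
    sport = 1024 + secrets.randbelow(65536 - 1024)
    return PendingQuery(_norm(qname), txid, sport)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` or lies below it; records outside it must not be cached."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def accept_reply(q: PendingQuery, r: Reply, bailiwick: str):
    """Returns (accepted, records_to_cache, reason). A forged reply must match all three of
    ID, port and question; out-of-bailiwick glue is dropped even from a genuine reply."""
    if r.txid != q.txid:
        return False, [], "txid mismatch"
    if r.dport != q.sport:
        return False, [], "port mismatch"
    if _norm(r.qname) != q.qname:
        return False, [], "question mismatch"
    keep = [rr for rr in r.answers + r.additional if in_bailiwick(rr[0], bailiwick)]
    return True, keep, "ok"


def demo():
    """Constructed exchange: a genuine reply carrying a poisoned additional record, then a blind spoof."""
    q = new_query("www.example.com")
    genuine = Reply(q.txid, q.sport, "www.example.com",
                    answers=[("www.example.com", "A", "192.0.2.10")],
                    additional=[("ns1.victim-bank.test", "A", "198.51.100.7")])  # outside example.com
    spoof = Reply((q.txid + 1) & 0xFFFF, q.sport, "www.example.com",          # one of the 65535 wrong guesses
                  answers=[("www.example.com", "A", "198.51.100.7")])
    return accept_reply(q, genuine, "example.com"), accept_reply(q, spoof, "example.com")
```

The bailiwick rule is what stops the classic trick of answering a harmless question with an extra record for a name the attacker wants to hijack; the ID and port checks only raise the cost of a blind guess, which is why resolvers also need DNSSEC where the zone is signed.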

Refer to the exhibit. A security analyst captured the HTTP request and response shown. What type of vulnerability is present?

Exhibit

GET /search?q=<script>alert('XSS')</script> HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0

HTTP/1.1 200 OK
Content-Type: text/html

<html><body>You searched for: <script>alert('XSS')</script></body></html>
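
The exhibit shows reflected XSS: the `q` parameter is written into the page unchanged. The added Python below (not code from the original page) reproduces the vulnerable rendering beside an output-encoded version and adds the two checks a tester actually runs: does the payload come back verbatim, and which HTML metacharacters survive the application's encoding. `render_search_vulnerable`, `render_search_fixed` and the `zqx7` marker are assumed names for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Added example for this page (not Courseiva's code). The request line mirrors the exhibit;
# the render_* functions are assumed stand-ins for the server-side template.
REQUEST_LINE = "GET /search?q=<script>alert('XSS')</script> HTTP/1.1"


def query_param(request_line: str, name: str) -> str:
    """Pull one query parameter out of a raw request line (URL-decoded, as the server sees it)."""
    target = request_line.split(" ")[1]
    return parse_qs(urlsplit(target).query).get(name, [""])[0]


def render_search_vulnerable(q: str) -> str:
    """The exhibit's behaviour: user input dropped straight into the HTML body."""
    return f"<html><body>You searched for: {q}</body></html>"


def render_search_fixed(q: str) -> str:
    """Output encoding for an HTML text context: <, >, &, and both quotes become entities."""
    return f"<html><body>You searched for: {html.escape(q, quote=True)}</body></html>"


def is_reflected_unescaped(payload: str, body: str) -> bool:
    """Tester's check on a response: the payload came back byte-for-byte, so the browser will run it."""
    return payload in body


def unescaped_metachars(render, marker: str = "zqx7") -> list:
    """Probe with each HTML metacharacter between unique markers and report which survive encoding.
    Quieter than firing alert() at a client, and it tells you exactly what a filter lets through."""
    raw = []
    for ch in "<>\"'&":
        probe = f"{marker}{ch}{marker}"
        if probe in render(probe):
            raw.append(ch)
    return raw


def assess() -> dict:
    q = query_param(REQUEST_LINE, "q")
    return {
        "vulnerable_reflects": is_reflected_unescaped(q, render_search_vulnerable(q)),
        "fixed_reflects": is_reflected_unescaped(q, render_search_fixed(q)),
        "vulnerable_metachars": unescaped_metachars(render_search_vulnerable),
        "fixed_metachars": unescaped_metachars(render_search_fixed),
    }
```

`html.escape` is the right encoding only for the context the exhibit shows (text between tags, or a quoted attribute). Input that lands inside a `<script>` block, a URL, or an unquoted attribute needs that context's own encoding, which is why the metacharacter probe is worth running per injection point rather than once per application.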

You are the lead security engineer for a financial technology company that hosts a critical web application on three load-balanced servers behind a reverse proxy. The application uses a REST API to process transactions. Recently, the company has experienced intermittent service outages during peak hours. Upon reviewing logs, you find that the reverse proxy is returning HTTP 503 errors for legitimate API requests, and the application servers show high CPU usage but normal memory. The network team reports no bandwidth issues. The application team claims no code changes were made. You suspect a specific type of attack is causing the outages. Which action should you take first to confirm the attack type?

A penetration tester is analyzing a captured TCP session that includes a successful SQL injection attack. Which TWO of the following indicators would most likely confirm that the attack was successful?

Refer to the exhibit. A penetration tester executed the SQL injection payload and received the response shown. What is the most likely outcome of this attack?

Exhibit

GET /search?q=1 UNION SELECT username,password FROM users-- HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0

HTTP/1.1 200 OK
Date: Mon, 04 Nov 2024 12:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html

<html><body><h1>Search Results</h1><p>admin:5f4dcc3b5aa765d61d8327deb882cf99</p><p>user1:5d41402abc4b2a76b9719d911017c592</p></body></html>

Question 12 · easy · multiple choice

You are a security analyst for a medium-sized e-commerce company. The company hosts its web application on a single server running Apache on Ubuntu. Recently, the operations team noticed that the server's CPU usage spikes to 100% every few minutes, causing the website to become unresponsive. They have ruled out hardware issues. The web server logs show repeated requests to the same URL with varying parameters, such as /product?id=1, /product?id=2, etc., all originating from a single IP address. Each request returns a 200 OK response, but the server takes several seconds to generate the page. The application uses a relational database backend with an ORM. You suspect an attack is occurring. What is the most likely attack and the best immediate course of action?

Drag and drop the steps to recover a forgotten Windows administrator password using a bootable Linux USB into the correct order.

Match each encryption algorithm to its type.

Concepts to place:

  • Symmetric encryption
  • Asymmetric encryption
  • Hash function (broken)
  • Hash function (secure)
  • Symmetric encryption (deprecated)

Refer to the exhibit. A security analyst notices multiple ESTABLISHED connections on port 443 from different external IPs to the same process ID. What type of attack is most likely occurring?

Exhibit

C:\Users\admin>netstat -ano | findstr ":80 :443"
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    10.1.1.5:443           10.2.2.3:54321         ESTABLISHED     5678
  TCP    10.1.1.5:443           10.2.2.4:12345         TIME_WAIT       0
  TCP    10.1.1.5:443           10.2.2.5:9876          ESTABLISHED     5678
C:\Users\admin>tasklist | findstr 5678
pid.exe                   5678 Console                    1      2,456 K
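
Both the incomplete-handshake scenario earlier on this page and this exhibit come down to grouping a connection table. The added Python below (not Courseiva's code) parses `netstat -ano` output and answers both questions: which process holds ESTABLISHED sockets to many distinct remote addresses, and which remote address has left half-open (SYN_RECEIVED) connections across several local hosts. The sample table is constructed: it repeats the exhibit's rows and adds a `203.0.113.9` host doing the incomplete handshakes; the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Added example for this page (not Courseiva's code). The sample below is constructed in
# `netstat -ano` format: it repeats the exhibit's rows and adds a remote host holding
# half-open (SYN_RECEIVED) connections to several local hosts.
SAMPLE = """\
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    10.1.1.5:443           10.2.2.3:54321         ESTABLISHED     5678
  TCP    10.1.1.5:443           10.2.2.4:12345         TIME_WAIT       0
  TCP    10.1.1.5:443           10.2.2.5:9876          ESTABLISHED     5678
  TCP    10.1.1.5:443           10.2.2.6:40001         ESTABLISHED     5678
  TCP    10.1.1.5:80            203.0.113.9:1025       SYN_RECEIVED    1234
  TCP    10.1.1.5:80            203.0.113.9:1026       SYN_RECEIVED    1234
  TCP    10.1.1.6:80            203.0.113.9:1027       SYN_RECEIVED    1234
  TCP    10.1.1.7:80            203.0.113.9:1028       SYN_RECEIVED    1234
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_]+)\s+(\d+)\s*$")


def parse_netstat(text: str) -> list:
    """Turn TCP rows into dicts; headers and UDP rows (which have no state column) are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            rows.append({"lip": lip, "lport": int(lport), "rip": rip,
                         "rport": int(rport), "state": state, "pid": int(pid)})
    return rows


def established_by_pid(rows: list) -> dict:
    """PID -> set of remote IPs with an ESTABLISHED socket (the exhibit's question)."""
    peers = defaultdict(set)
    for r in rows:
        if r["state"] == "ESTABLISHED":
            peers[r["pid"]].add(r["rip"])
    return dict(peers)


def half_open_by_remote(rows: list) -> dict:
    """Remote IP -> set of local hosts it has left in SYN_RECEIVED (handshake never completed)."""
    targets = defaultdict(set)
    for r in rows:
        if r["state"] == "SYN_RECEIVED":
            targets[r["rip"]].add(r["lip"])
    return dict(targets)


def flag_syn_flood(rows: list, min_half_open: int = 3, min_hosts: int = 2) -> list:
    """Remote IPs with many half-open connections spread over several local hosts."""
    counts = defaultdict(int)
    for r in rows:
        if r["state"] == "SYN_RECEIVED":
            counts[r["rip"]] += 1
    hosts = half_open_by_remote(rows)
    return sorted(ip for ip, n in counts.items()
                  if n >= min_half_open and len(hosts[ip]) >= min_hosts)


def flag_many_peers(rows: list, min_peers: int = 3) -> list:
    """PIDs that hold ESTABLISHED sockets to at least `min_peers` distinct remote IPs."""
    return sorted(pid for pid, peers in established_by_pid(rows).items() if len(peers) >= min_peers)
```

The half-open check only identifies a flood from a real, unspoofed source. A classic SYN flood uses spoofed source addresses, so it shows up as many SYN_RECEIVED rows with no single remote IP dominating; track the total per local port as well. On Linux the same state is printed as SYN-RECV by `ss -tan`.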

Refer to the exhibit. A web server log shows requests from a single IP. Which vulnerability is being exploited?

Exhibit

[Apache access log]
192.168.1.10 - - [20/Jan/2023:10:15:30 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 2345
192.168.1.10 - - [20/Jan/2023:10:15:31 +0000] "GET /index.php?page=../../windows/system32/config/sam HTTP/1.1" 200 1234
192.168.1.10 - - [20/Jan/2023:10:15:32 +0000] "GET /index.php?page=admin.php HTTP/1.1" 200 567
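
Both the single-IP `/product?id=N` scenario above and this exhibit are questions about reading an access log. The added Python below (not Courseiva's code) parses Apache common-log lines and runs two detections over them, then shows the server-side fix for the `page=` include. The log lines are constructed: the first three mirror the exhibit (one with the dot-dot URL-encoded), the rest simulate one client hammering `/product`; `/var/www/pages`, the thresholds and the function names are assumptions.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Added example for this page (not Courseiva's code). Constructed Apache common-log lines:
# three in the shape of the exhibit, one benign client, then one client sending 40 requests
# to /product with a different id each time.
SAMPLE_LOG = [
    '192.168.1.10 - - [20/Jan/2023:10:15:30 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 2345',
    '192.168.1.10 - - [20/Jan/2023:10:15:31 +0000] "GET /index.php?page=..%2F..%2Fwindows/system32/config/sam HTTP/1.1" 200 1234',
    '192.168.1.10 - - [20/Jan/2023:10:15:32 +0000] "GET /index.php?page=admin.php HTTP/1.1" 200 567',
    '198.51.100.7 - - [20/Jan/2023:10:16:00 +0000] "GET /product?id=7 HTTP/1.1" 200 8100',
] + [
    f'203.0.113.50 - - [20/Jan/2023:10:16:{i // 5:02d} +0000] "GET /product?id={i} HTTP/1.1" 200 8192'
    for i in range(1, 41)
]

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+|-)')


def parse_line(line: str):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, size = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "ts": ts, "method": method, "target": target,
            "path": parts.path, "query": parts.query, "status": int(status)}


def is_traversal(target: str) -> bool:
    """Coarse indicator: a '..' segment anywhere in the decoded request, after undoing double
    URL-encoding and backslash separators. Tune before using it as a blocking rule."""
    decoded = target
    for _ in range(2):
        decoded = unquote(decoded)
    decoded = decoded.replace("\\", "/")
    return re.search(r"\.\.(?:/|$)", decoded) is not None


def traversal_hits(entries: list) -> list:
    return [(e["ip"], e["target"]) for e in entries if is_traversal(e["target"])]


def hot_endpoints(entries: list, threshold: int = 20) -> list:
    """(ip, path, requests, distinct query strings) for any client hammering one path."""
    per = defaultdict(lambda: [0, set()])
    for e in entries:
        key = (e["ip"], e["path"])
        per[key][0] += 1
        per[key][1].add(e["query"])
    return sorted((ip, path, n, len(qs)) for (ip, path), (n, qs) in per.items() if n >= threshold)


def safe_include(base_dir: str, page: str):
    """Server-side fix for the exhibit's include: resolve under base_dir and refuse anything
    that normalises outside it. Returns the resolved path, or None to reject."""
    if "\x00" in page:
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, page))
    if not candidate.startswith(base + "/"):
        return None
    return candidate
```

`is_traversal` decodes twice because `%252e%252e%252f` is the usual way past a filter that decodes once. `safe_include` is the actual control: an absolute path or a `../` that climbs above the base directory normalises to something outside it and is refused, so the log rule is for detection and triage, not the only defence.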

Refer to the exhibit. A user visits a malicious site that returns this HTML. Which attack is being executed?

Exhibit

HTTP/1.1 302 Found
Location: http://www.legitimatebank.com/login.php
Set-Cookie: sessionid=abc123; HttpOnly; Secure

HTTP/1.1 200 OK
Content-Type: text/html

<html>
<body>
<form action="http://www.legitimatebank.com/transfer.php" method="POST">
<input type="hidden" name="toAccount" value="attacker123">
<input type="hidden" name="amount" value="10000">
</form>
<script>document.forms[0].submit();</script>
</body>
</html>
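
The page in the exhibit is a CSRF attack: the victim's browser submits the transfer with the bank's session cookie attached. The added Python below (not Courseiva's code) shows what `transfer.php` should check before acting on such a POST: an Origin (or Referer) equal to the site's own, and a per-session token the attacker's page cannot obtain; it also reports whether a `Set-Cookie` like the exhibit's declares `SameSite`. The server key, the `abc123` session and the `attacker.test` origin are assumed values.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Added example for this page (not Courseiva's code): the checks transfer.php should make
# before acting on the POST shown above. Key, session id and origins are assumed values.
SERVER_KEY = secrets.token_bytes(32)          # assumption: a per-deployment secret
SITE_ORIGIN = "https://www.legitimatebank.com"


def issue_csrf_token(session_id: str) -> str:
    """Token derived from the session: an attacker's page cannot read the victim's cookie,
    so it cannot compute this value or copy it into its hidden form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def samesite_of(set_cookie: str) -> str:
    """The SameSite value a Set-Cookie header declares ('' if none). Without an explicit
    Lax/Strict the cross-site behaviour depends on the browser's default."""
    for attr in set_cookie.split(";")[1:]:
        k, _, v = attr.strip().partition("=")
        if k.lower() == "samesite":
            return v.strip()
    return ""


def verify_transfer(cookies: dict, headers: dict, body: str):
    """Returns (allowed, reason). Cheap header checks first, token comparison last."""
    sid = cookies.get("sessionid")
    if not sid:
        return False, "no session"
    origin = headers.get("Origin")
    if origin is None and "Referer" in headers:
        p = urlsplit(headers["Referer"])
        origin = f"{p.scheme}://{p.netloc}"      # exact origin, not a prefix match
    if origin != SITE_ORIGIN:
        return False, "cross-site origin"
    form = {k: v[0] for k, v in parse_qs(body).items()}
    expected = issue_csrf_token(sid).encode()
    if not hmac.compare_digest(form.get("csrf_token", "").encode(), expected):
        return False, "missing or wrong csrf token"
    return True, "ok"


def demo():
    """Constructed requests: the exhibit's auto-submitted form versus a genuine same-site submission."""
    cookies = {"sessionid": "abc123"}                       # the browser attaches it either way
    attacker_body = "toAccount=attacker123&amount=10000"     # no token, attacker's Origin
    forged = verify_transfer(cookies, {"Origin": "http://attacker.test"}, attacker_body)
    token = issue_csrf_token("abc123")
    genuine = verify_transfer(cookies, {"Origin": SITE_ORIGIN},
                              f"toAccount=savings&amount=100&csrf_token={token}")
    return forged, genuine
```

The exhibit's cookie is `HttpOnly; Secure` but declares no `SameSite`. Set `SameSite=Lax` or `Strict` explicitly rather than relying on browser defaults, and keep the token check even then: SameSite does not cover every cross-site request shape, and the token is what ties the POST to a page the site itself served.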

Refer to the exhibit. An analyst runs an Nmap scan and finds these services. Which known vulnerability is most likely to be successfully exploited?

Exhibit

nmap -sV -p 80,443,3306 192.168.1.100

Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-20 10:30
Nmap scan report for 192.168.1.100
Host is up (0.0012s latency).

PORT     STATE SERVICE    VERSION
80/tcp   open  http       Apache httpd 2.4.49
443/tcp  open  ssl/http   Apache httpd 2.4.49
3306/tcp open  mysql      MySQL 5.7.35

Refer to the exhibit. A penetration tester sends a SOAP request and receives multiple user records. Which vulnerability is present?

Exhibit

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <getUserInfo>
      <userId>1 OR 1=1</userId>
    </getUserInfo>
  </soap:Body>
</soap:Envelope>

Response:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <getUserInfoResponse>
      <user>
        <id>1</id>
        <name>admin</name>
        <email>admin@test.com</email>
      </user>
      <user>
        <id>2</id>
        <name>user</name>
        <email>user@test.com</email>
      </user>
    </getUserInfoResponse>
  </soap:Body>
</soap:Envelope>
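
The UNION payload in the earlier search exhibit and the `1 OR 1=1` in this SOAP body are the same bug: untrusted input spliced into SQL text. The added Python below (not Courseiva's code) builds an in-memory SQLite database with the rows the exhibits show and runs each payload against a string-concatenated query and a parameterised one, plus a small check for the post-exploitation indicator the search exhibit shows, hash-shaped values in a result set. The schema, the `search_*` and `get_user_*` functions and the SQLite dialect are assumptions; the two hash values are the exhibit's own.

```python
import re
import sqlite3

# Added example for this page (not Courseiva's code). Schema and rows are constructed to
# match the two exhibits (product search and SOAP getUserInfo); query shapes are assumptions.


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price TEXT);
        INSERT INTO products VALUES (1, 'Widget', '9.99'), (2, 'Gadget', '19.99');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, email TEXT);
        INSERT INTO users VALUES
            (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99', 'admin@test.com'),
            (2, 'user1', '5d41402abc4b2a76b9719d911017c592', 'user@test.com');
    """)
    return con


def search_vulnerable(con, q: str) -> list:
    """The /search?q= exhibit: input spliced into SQL text, so UNION appends the users table."""
    return con.execute(f"SELECT name, price FROM products WHERE id = {q}").fetchall()


def search_fixed(con, q: str) -> list:
    """Bound parameter: the whole string is compared as a value and is never parsed as SQL."""
    return con.execute("SELECT name, price FROM products WHERE id = ?", (q,)).fetchall()


def get_user_vulnerable(con, user_id: str) -> list:
    """The SOAP exhibit: '1 OR 1=1' turns a single-row lookup into a table dump."""
    return con.execute(f"SELECT id, username, email FROM users WHERE id = {user_id}").fetchall()


def get_user_fixed(con, user_id: str) -> list:
    """Validate the type first, then bind; a SOAP body is untrusted like any other input."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return con.execute("SELECT id, username, email FROM users WHERE id = ?", (uid,)).fetchall()


HEX32 = re.compile(r"^[0-9a-f]{32}$")


def leaked_hashes(rows: list) -> list:
    """Post-exploitation indicator: values shaped like unsalted MD5 digests in a search result."""
    return [v for row in rows for v in row if isinstance(v, str) and HEX32.match(v)]


def demo() -> dict:
    con = make_db()
    union = "1 UNION SELECT username,password FROM users--"
    return {
        "union_vulnerable": sorted(search_vulnerable(con, union)),
        "union_fixed": search_fixed(con, union),
        "tautology_vulnerable": get_user_vulnerable(con, "1 OR 1=1"),
        "tautology_fixed": get_user_fixed(con, "1 OR 1=1"),
        "hashes": leaked_hashes(search_vulnerable(con, union)),
    }
```

The fix is the bound parameter, not escaping: in `search_fixed` the entire payload is compared as one value against an integer column and matches nothing, and `get_user_fixed` rejects it before any SQL runs. A WAF, as in the earlier question, can see the same `UNION SELECT` in the query string and block it, but it sits in front of the prepared statement as a second layer, not in place of it.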

Focused Network and Web Application Attacks sessions

Every question in these sessions is drawn from the Network and Web Application Attacks domain — nothing else.

Related practice questions

Related CEH topic practice pages

Move into related areas when this topic feels solid.

  • Footprinting, Reconnaissance and Scanning
  • Enumeration and System Hacking
  • Malware, Social Engineering and Network Attacks
  • Web Application and Injection Attacks
  • Introduction to Ethical Hacking
  • Scanning Networks and Enumeration
  • Vulnerability Analysis and System Hacking
  • Advanced Topics: Wireless, Cloud, IoT, Cryptography
  • Footprinting and Reconnaissance
  • Wireless, IoT and Cloud Security
  • Cryptography and Malware Analysis

Frequently asked questions

What does the CEH exam test about Network and Web Application Attacks?
Network and Web Application Attacks questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Network and Web Application Attacks questions in a focused session?
Yes — the session launcher on this page draws every question from the Network and Web Application Attacks domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CEH topics?
Use the topic links above to move to related areas, or go back to the CEH question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CEH exam covers. They are not copied from any real exam or dump site.