", "%3Csvg%3E", "javascript:alert(1)" ], answer: 0, rationale: "If input is placed inside an existing HTML attribute and quotes are unfiltered, breaking out of the attribute is a common bypass. That allows injection of a new event handler or attribute-based payload." }, { id: 8, domainCode: "8.0", domainName: "SQL Injection Fundamentals", question: "A search parameter is vulnerable to UNION-based SQL injection. What is the key requirement for a successful UNION SELECT payload?", options: [ "The response must be compressed", "The number and data types of columns must be compatible", "The database must allow stacked queries", "The parameter must be in a POST request" ], answer: 1, rationale: "UNION queries must match the original query's column count and generally compatible data types. Without that alignment, the injected UNION statement fails or returns errors." }, { id: 9, domainCode: "9.0", domainName: "SQLMap Essentials", question: "You have identified a likely injectable POST parameter and want sqlmap to test only that parameter while preserving the rest of the captured request. Which approach is best?", options: [ "Use the raw request file with the target parameter marked for testing", "Provide only the URL and no request data", "Disable all tamper scripts and ignore the request body", "Send the request through an unrelated browser extension" ], answer: 0, rationale: "Using the captured raw request lets sqlmap preserve headers, cookies, and body structure while focusing on the suspected parameter. This improves accuracy when the target requires specific session context." }, { id: 10, domainCode: "10.0", domainName: "Command Injections", question: "A web application appends user input to a system ping command. Which character is most commonly used to separate a new command in Unix-like shells?", options: [ "&", "|", ";", "<" ], answer: 2, rationale: "The semicolon is a classic shell command separator in Unix-like environments. It allows a new command to run after the original one, making it a common command injection primitive." }, { id: 11, domainCode: "11.0", domainName: "File Upload Attacks", question: "An application validates uploads only by file extension and stores files in a web-accessible directory. Which file is most likely to be abused for code execution on a PHP server?", options: [ "profile.jpg", "shell.php", "avatar.png", "document.pdf" ], answer: 1, rationale: "If extension validation is weak and the upload directory is web-accessible, a PHP file can often be executed by the web server. This is a classic upload-to-RCE condition." }, { id: 12, domainCode: "12.0", domainName: "Server-side Attacks", question: "Which issue is most directly associated with server-side request forgery (SSRF)?", options: [ "The browser is tricked into running attacker JavaScript", "The server is induced to make an unintended request to an internal resource", "The database returns too many rows", "The application fails to set a secure cookie flag" ], answer: 1, rationale: "SSRF occurs when the server itself makes requests based on attacker input, often reaching internal services or metadata endpoints. It is a server-side network trust issue, not a browser-side one." }, { id: 13, domainCode: "13.0", domainName: "Login Brute Forcing", question: "During password guessing against a login form, you notice the application locks the account after several failures. Which alternative is most likely to be effective and still realistic to test?", options: [ "Continue with the same username until lockout clears", "Use a distributed password spray with a small set of common passwords across many accounts", "Increase the request size to bypass lockout", "Disable TLS to avoid detection" ], answer: 1, rationale: "Password spraying spreads a few common passwords across many accounts to reduce per-account lockout risk. It is a common and realistic approach when simple brute force triggers protections." }, { id: 14, domainCode: "14.0", domainName: "Broken Authentication", question: "A password reset token is short, predictable, and valid for 24 hours. What is the primary security weakness?", options: [ "The token is too long-lived and too easy to guess", "The token is stored in the browser cache", "The token is encrypted with AES", "The token is only sent over HTTPS" ], answer: 0, rationale: "Broken authentication can stem from weak reset tokens that are guessable and remain valid too long. A reset token should be high entropy, single-use, and expire quickly." }, { id: 15, domainCode: "15.0", domainName: "Web Attacks", question: "Which response header is most relevant when evaluating whether a cookie can be accessed by client-side JavaScript during a web attack?", options: [ "HttpOnly", "Server", "ETag", "Vary" ], answer: 0, rationale: "The HttpOnly attribute prevents JavaScript from reading a cookie, reducing impact from XSS-based cookie theft. It is a key control when assessing session exposure." }, { id: 16, domainCode: "16.0", domainName: "File Inclusion", question: "A parameter is vulnerable to local file inclusion and the application runs on Linux. Which payload is most appropriate to confirm access to the system's user list?", options: [ "/etc/passwd", "C:\\Windows\\System32\\drivers\\etc\\hosts", "/proc/cpuinfo", "/var/log/nginx/access.log" ], answer: 0, rationale: "On Linux, /etc/passwd is a standard file often used to confirm file inclusion because it is readable and indicative of local file access. The Windows path is platform-specific and not suitable here." }, { id: 17, domainCode: "17.0", domainName: "Attacking GraphQL", question: "In a GraphQL endpoint, what is the most direct way to discover the schema during initial assessment if introspection is enabled?", options: [ "Send a query requesting __schema and __type fields", "Force a file upload to trigger a stack trace", "Use a SQL UNION statement in the query field", "Set the User-Agent to GraphQL" ], answer: 0, rationale: "GraphQL introspection exposes schema metadata via special fields such as __schema and __type. If enabled, it is the standard approach for mapping types, queries, and mutations." }, { id: 18, domainCode: "18.0", domainName: "API Attacks", question: "An API endpoint accepts JSON and returns user profile data. Which test is most relevant to detect broken object-level authorization?", options: [ "Change the HTTP method from POST to OPTIONS", "Replace the JSON body with XML", "Modify the object identifier to another user's ID", "Remove all request headers" ], answer: 2, rationale: "Broken object-level authorization often appears when an attacker can change an object ID and access another user's data. Testing identifier manipulation is a core API security check." }, { id: 19, domainCode: "19.0", domainName: "Attacking Common Applications", question: "A popular CMS admin panel allows file editing, but you only have a low-privileged account. Which feature is most likely to be abused if permissions are misconfigured?", options: [ "Theme or plugin editor", "RSS feed reader", "Search box", "Language selector" ], answer: 0, rationale: "Theme and plugin editors can lead to code execution if lower-privileged users can modify server-side files. This is a common weakness in misconfigured web applications." }, { id: 20, domainCode: "20.0", domainName: "Bug Bounty Hunting Process", question: "During a bug bounty engagement, what is the best first step after discovering a suspicious issue to ensure a high-quality report?", options: [ "Immediately post it publicly to validate impact", "Collect reproducible evidence and determine clear impact", "Assume the issue is already known and move on", "Only report it if exploit code works in every browser" ], answer: 1, rationale: "A strong bug bounty report requires reproducible evidence and a clear impact statement. Good documentation helps triage, reduces back-and-forth, and increases the chance of a successful submission." } ] }); });