", "<script>alert(1)</script>", "javascript:alert(1)", "'; alert(1); //" ], answer: 0, rationale: "If raw HTML is reflected into the page body, a script tag is a direct and reliable proof-of-concept. The other options depend on a different sink or are already encoded." }, { id: 2, domainCode: "1.0", domainName: "Reflected XSS Fundamentals", question: "A parameter is inserted into an HTML attribute like . Which payload is most appropriate to break out of the attribute and inject script content?", options: [ "", "\" autofocus onfocus=alert(1) x=\"", "", "javascript:alert(1)" ], answer: 1, rationale: "Closing the attribute value and adding an event handler is a common way to exploit attribute context. The payload must fit the sink; a plain script tag is not always enough." }, { id: 3, domainCode: "1.0", domainName: "Reflected XSS Fundamentals", question: "You confirm that user input is reflected inside a script block as a JavaScript string literal: var name = 'USER_INPUT';. What is the best reason payloads that close the string are effective here?", options: [ "They turn JavaScript parsing into HTML parsing", "They terminate the string and allow attacker-controlled JavaScript to execute", "They only work if CSP is disabled", "They require the page to use jQuery" ], answer: 1, rationale: "In JavaScript string context, breaking out of the string literal allows attacker-controlled code to run. This is a context-breaking issue, not an HTML parsing issue." }, { id: 4, domainCode: "1.0", domainName: "Reflected XSS Fundamentals", question: "A web app sanitizes angle brackets but reflects the payload inside an unquoted HTML attribute. 
Which attack technique is most likely to succeed?", options: [ "Injecting a closing tag like ", "Using spaces and a new event handler attribute", "Using a URL-encoded semicolon", "Using a DNS rebinding payload" ], answer: 1, rationale: "If an attribute is unquoted, whitespace can terminate the value and allow new attributes, including event handlers. Sanitizing angle brackets alone does not solve attribute-context injection." }, { id: 5, domainCode: "2.0", domainName: "Stored XSS and Persistence", question: "An attacker posts a comment that executes every time another user views the thread. What best describes this vulnerability?", options: [ "DOM-based XSS", "Stored XSS", "Blind SQL injection", "Open redirect" ], answer: 1, rationale: "The malicious payload is persisted on the server and later served to viewers, which is the defining characteristic of stored XSS." }, { id: 6, domainCode: "2.0", domainName: "Stored XSS and Persistence", question: "A product review field strips script tags but allows image tags. Which payload is most likely to survive basic filtering and still execute in many browsers?", options: [ "", "", "