",
"file://../secret.txt"
],
answer: 0,
rationale: "Windows targets commonly accept backslashes as path separators, so traversal using '..\\' can bypass filters that only block forward-slash sequences. The other options are either malformed or target Unix-style paths."
},
{
id: 8,
domainCode: "8.0",
domainName: "Server-Side Request Forgery (SSRF)",
question: "You find an image-fetch feature that accepts a URL and the server retrieves it. Which testing approach is most useful to verify whether the server can access internal services?",
options: [
"Sending a payload that points to an external public website only",
"Using a client-side JavaScript fetch from the browser console",
"Pointing the URL to an internal address such as 127.0.0.1 or a private network host",
"Encoding the URL in base64 so the browser will not send it"
],
answer: 2,
rationale: "SSRF is confirmed by making the server request an internal or otherwise restricted target and observing behavior differences or callbacks. Public external URLs alone do not prove internal access."
},
{
id: 9,
domainCode: "9.0",
domainName: "Adapting Attacks to Bypass Defenses",
question: "A WAF blocks a SQL injection payload because it matches a common keyword pattern. Which modification is most likely to help bypass a simple keyword-based filter while preserving query logic?",
options: [
"Rewrite the payload using alternative syntax such as comments or string concatenation where applicable",
"Add more spaces and line breaks until the server times out",
"Remove the injectable parameter from the request",
"Convert the payload to XML so the WAF treats it as safe"
],
answer: 0,
rationale: "Bypassing simple filters often involves changing the payload's syntax while maintaining equivalent SQL behavior, such as inserting comments or using alternate encodings. This is a core defense-adaptation technique."
},
{
id: 10,
domainCode: "1.0",
domainName: "Fundamental Web Technologies",
question: "What is the primary security purpose of the SameSite cookie attribute in modern browsers?",
options: [
"It forces the cookie to be signed by the application server",
"It limits when the browser sends the cookie on cross-site requests",
"It prevents the cookie from being stored in memory",
"It encrypts the cookie value before transmission"
],
answer: 1,
rationale: "SameSite controls whether cookies are included on cross-site requests, which helps mitigate CSRF. It does not sign or encrypt the cookie."
},
{
id: 11,
domainCode: "2.0",
domainName: "Burp Suite Functionality",
question: "While testing a login flow, you need to send the same request through a sequence of manual edits while preserving prior versions for comparison. Which Burp feature is most directly useful?",
options: [
"Proxy HTTP history only",
"Comparer",
"Repeater with request tabs and response history",
"Crawler"
],
answer: 2,
rationale: "Repeater supports iterative request editing and comparison of server responses, which is ideal for controlled manual testing. Comparer is for diffing data, but it is not the primary request-replay tool."
},
{
id: 12,
domainCode: "3.0",
domainName: "Cross-Site Scripting (XSS)",
question: "A payload is reflected inside a script block as part of a quoted JavaScript string. Which outcome most strongly suggests the correct exploit strategy?",
options: [
"Close the string literal, then execute JavaScript in the same script context",
"Use only HTML comments because script blocks ignore JavaScript",
"Inject a SQL UNION clause to trigger DOM mutation",
"Use a relative path traversal sequence to reach the script source"
],
answer: 0,
rationale: "When the payload is inside a JavaScript string, the exploit often requires breaking out of the string literal and then injecting executable code. Context-aware payload construction is essential."
},
{
id: 13,
domainCode: "4.0",
domainName: "SQL Injection",
question: "During exploitation, a parameter appears to be protected by input sanitization, but numeric values are still accepted and influence database behavior. What is the best first test?",
options: [
"Insert a payload that changes arithmetic or comparison behavior while remaining syntactically valid",
"Switch immediately to XXE because numeric parameters are not injectable",
"Try directory traversal sequences against the database name",
"Send a CSRF proof-of-concept to the same endpoint"
],
answer: 0,
rationale: "If numeric input is still processed by the backend database, a syntactically valid expression can reveal injection behavior. Testing with arithmetic or comparison changes is a practical first step."
},
{
id: 14,
domainCode: "5.0",
domainName: "Cross-Site Request Forgery (CSRF)",
question: "A state-changing endpoint rejects requests if the Content-Type is application/json, but accepts simple form submissions. Which situation most likely allows a CSRF attack to succeed?",
options: [
"The endpoint only accepts requests sent from Burp Repeater",
"The browser can submit a cross-site form that triggers the action with the victim's cookies",
"The application uses HTTPS",
"The request contains an X-Forwarded-For header"
],
answer: 1,
rationale: "Classic form-based CSRF is possible when the target accepts browser-submitted form requests and relies on cookies for authentication. HTTPS and proxy headers do not stop CSRF."
},
{
id: 15,
domainCode: "6.0",
domainName: "XML External Entity Injection (XXE)",
question: "Which parser behavior most increases the risk of XXE exploitation in a web application that accepts XML input?",
options: [
"The parser validates XML against a schema before processing",
"The parser resolves external entities during document parsing",
"The parser converts XML to UTF-8",
"The parser strips whitespace between elements"
],
answer: 1,
rationale: "XXE depends on the parser resolving external entities, because that is what causes the application to fetch external resources or read local files. Formatting and schema validation alone do not create the vulnerability."
},
{
id: 16,
domainCode: "7.0",
domainName: "Directory Traversal",
question: "A file retrieval endpoint blocks '../' but still appears vulnerable. Which encoding approach is most likely to help bypass a superficial path traversal filter?",
options: [
"Sending the payload once over HTTPS instead of HTTP",
"Double URL-encoding traversal characters so the server decodes them later",
"Changing the HTTP method from GET to POST",
"Adding a random cookie value to the request"
],
answer: 1,
rationale: "Double encoding can bypass filters that inspect only the first decoding layer, while the backend may decode again and process the traversal sequence. This is a common path traversal bypass technique."
},
{
id: 17,
domainCode: "8.0",
domainName: "Server-Side Request Forgery (SSRF)",
question: "A server-side URL fetcher returns a different error when the supplied host is unreachable. How can this behavior help confirm SSRF?",
options: [
"It proves the browser executed the request locally",
"It indicates the server attempted the outbound request and its network response changed based on reachability",
"It confirms the endpoint is protected by CORS",
"It means the URL parameter is only used for display purposes"
],
answer: 1,
rationale: "A response difference based on target reachability is strong evidence that the server is making the outbound request. That variation is a classic SSRF testing signal."
},
{
id: 18,
domainCode: "9.0",
domainName: "Adapting Attacks to Bypass Defenses",
question: "A filter blocks obvious XSS payloads containing the string 'script'. Which strategy is most likely to bypass a simplistic blacklist while still achieving script execution in the browser?",
options: [
"Use a different browser that ignores filters",
"Employ an event-handler-based payload in an allowed HTML tag or use equivalent obfuscated syntax",
"Replace the payload with a directory traversal sequence",
"Convert the payload into a DNS name"
],
answer: 1,
rationale: "Simple blacklists often fail against alternative execution paths such as event handlers or obfuscated equivalents. The key is to preserve browser execution while avoiding the blocked token."
},
{
id: 19,
domainCode: "2.0",
domainName: "Burp Suite Functionality",
question: "Which Burp tool is primarily used to analyze whether a session token or other random value is sufficiently unpredictable?",
options: [
"Decoder",
"Sequencer",
"Intruder",
"Extender"
],
answer: 1,
rationale: "Sequencer evaluates the randomness and predictability of tokens. Decoder transforms data formats, Intruder automates attacks, and Extender adds custom functionality."
},
{
id: 20,
domainCode: "1.0",
domainName: "Fundamental Web Technologies",
question: "When examining an HTTP request in Burp, what is the most accurate description of the Host header?",
options: [
"It identifies the target domain or authority the client intends to reach",
"It encrypts the request body before transmission",
"It determines the HTTP method used by the browser",
"It stores the user's session identifier"
],
answer: 0,
rationale: "The Host header indicates the authority of the destination server in HTTP/1.1 requests. It is not related to encryption, HTTP method selection, or session storage."
}
]
});
});
Security Practice Test Editorial Team is the expert content team at SecurityPracticeTest.com dedicated to producing authoritative cybersecurity certification exam-prep resources. We create comprehensive practice tests, study materials, and exam-focused content for top security certifications including CompTIA Security+, SecurityX, PenTest+, CISSP, CCSP, SSCP, Certified in Cybersecurity (CC), CGRC, CISM, SC-900, SC-200, AZ-500, AWS Certified Security - Specialty, Professional Cloud Security Engineer, OSCP+, GIAC certifications, CREST certifications, Check Point, Cisco, Fortinet, and Palo Alto Networks exams. Our content is developed through careful review of official exam objectives, cybersecurity knowledge domains, and practical job-relevant concepts to help learners build confidence, strengthen understanding, and prepare effectively for certification success.