", "\" onmouseover=\"alert(1)", "", "javascript:alert(1)" ],
  answer: 0,
  rationale: "A raw script tag is the most direct test when input is placed unencoded into HTML body content. Other payloads depend on attribute or URL contexts and may not execute there." },

{ id: 2, domainCode: "1.0", domainName: "XSS Fundamentals and Context Identification",
  question: "An application places user input inside an existing double-quoted HTML attribute value, such as value=\"USER_INPUT\". Which payload most directly breaks out of the attribute and adds an event handler?",
  options: [ "", "\" autofocus onfocus=alert(1) x=\"", "", "javascript:alert(1)" ],
  answer: 1,
  rationale: "Closing the quote and injecting a new attribute is the standard approach in a quoted attribute context. The autofocus and onfocus pair is commonly reliable when the element can receive focus." },

{ id: 3, domainCode: "1.0", domainName: "XSS Fundamentals and Context Identification",
  question: "While testing a search feature, the response reflects your input inside JavaScript code as a string literal: var q = 'INPUT';. Which issue should you prioritize before attempting execution?",
  options: [ "HTML entity encoding only", "JavaScript string escaping and quote termination", "HTTP method switching", "Cookie path scoping" ],
  answer: 1,
  rationale: "When input is embedded in a JavaScript string, the main concern is breaking out of the string safely. HTML encoding alone does not prevent script-context injection." },

{ id: 4, domainCode: "1.0", domainName: "XSS Fundamentals and Context Identification",
  question: "A page renders untrusted input inside a ", "\" onfocus=alert(1) x=\"", "", "javascript:alert(1)" ],
  answer: 0,
  rationale: "Closing the textarea tag ends the text area context and allows a script tag to be introduced. Attribute-based payloads do not fit this specific rendering context." },

{ id: 5, domainCode: "1.0", domainName: "XSS Fundamentals and Context Identification",
  question: "During manual testing, you suspect DOM-based XSS in a client-side search box that reads location.hash and writes to innerHTML. Which browser-side indicator best supports that finding?",
  options: [ "The server returns a 500 error before rendering", "The payload appears only after JavaScript runs in the browser", "The payload is stored in the database and viewed later", "The response contains a hidden form field" ],
  answer: 1,
  rationale: "DOM-based XSS is created or amplified by client-side script after the response loads. If the payload only appears after JavaScript execution, that strongly indicates a DOM issue." },

{ id: 6, domainCode: "1.0", domainName: "XSS Fundamentals and Context Identification",
  question: "A search page reflects input inside an HTML comment: . Which technique is most appropriate to reach executable markup?",
  options: [ "Use an event handler in the current comment", "Close the comment and inject HTML", "Switch to a POST request", "Add semicolons to the payload" ],
  answer: 1,
  rationale: "HTML comments must be closed before markup can be interpreted. Breaking out of the comment is the correct way to move into executable HTML context." },

{ id: 7, domainCode: "2.0", domainName: "Reflected XSS Exploitation",
  question: "A reflected XSS point is found in a query parameter, and the application filters literal ", "", "" ],
  answer: 0,
  rationale: "If image tags are allowed and event attributes are not filtered, an onerror handler is a classic stored XSS vector. It executes when the image fails to load." },

{ id: 14, domainCode: "3.0", domainName: "Stored XSS Exploitation",
  question: "A stored XSS payload is intended to steal an authenticated session token, but the cookie is marked HttpOnly. What is the most important implication?",
  options: [ "The cookie can still be read directly by document.cookie", "The cookie cannot be read by JavaScript, so another exfiltration method is needed", "The browser will automatically block the XSS payload", "The cookie becomes available only in POST requests" ],
  answer: 1,
  rationale: "HttpOnly prevents JavaScript from reading the cookie value directly. Attackers must instead rely on actions performed in the victim's session or exfiltrate other accessible data." },

{ id: 15, domainCode: "3.0", domainName: "Stored XSS Exploitation",
  question: "A forum stores post content and later wraps it inside a div element. The application escapes < and > but not single quotes. Which exploitation path is most likely if the content is later inserted into an HTML attribute in another view?",
  options: [ "Single-quote attribute break-out", "Reflected request smuggling", "XXE via malformed XML", "Open redirect with fragment reuse" ],
  answer: 0,
  rationale: "If the stored value is later rendered inside a single-quoted attribute, unescaped apostrophes can break out of the attribute and allow injection. The same payload may be safe in one view but dangerous in another." },

{ id: 16, domainCode: "4.0", domainName: "DOM-Based XSS",
  question: "A JavaScript snippet assigns location.search directly to innerHTML on a results page. Which input source is the attacker controlling in this case?",
  options: [ "Only server-side template variables", "The browser URL query string", "The database record for the page", "The HTTP response status code" ],
  answer: 1,
  rationale: "DOM XSS frequently comes from browser-controlled sources such as the query string, hash, or postMessage data. Here, the query string is the attacker-controlled source." },

{ id: 17, domainCode: "4.0", domainName: "DOM-Based XSS",
  question: "A page reads location.hash and uses it inside eval(). Which mitigation is the most appropriate and directly effective?",
  options: [ "Change eval to a safe DOM API and avoid executing strings as code", "Add more client-side logging", "Move the parameter from hash to query string", "Use gzip compression on the response" ],
  answer: 0,
  rationale: "Avoiding string-to-code functions like eval is the most direct fix for DOM XSS. Safer DOM APIs and strict data handling eliminate the execution sink." },

{ id: 18, domainCode: "4.0", domainName: "DOM-Based XSS",
  question: "A SPA uses document.write(location.hash.slice(1)). Which browser behavior makes this especially dangerous?",
  options: [ "The hash is never sent over the network, so it bypasses server-side filtering", "The browser encrypts the fragment automatically", "The server logs the fragment in every request", "The fragment is always removed by CORS" ],
  answer: 0,
  rationale: "The fragment identifier is not included in HTTP requests, so server-side filters never see it. If client-side code writes it into the DOM unsafely, DOM XSS can result." },

{ id: 19, domainCode: "5.0", domainName: "Filter Bypass, WAF Evasion, and Payload Engineering",
  question: "A WAF blocks the exact string ", "", "alert(1)", "" ],
  answer: 1,
  rationale: "Using a different executable HTML/SVG gadget is a common bypass when literal script tags are blocked. SVG onload is frequently effective and avoids the blocked keyword." },

{ id: 20, domainCode: "5.0", domainName: "Filter Bypass, WAF Evasion, and Payload Engineering",
  question: "A target strips parentheses from input, but still reflects HTML. Which technique is most relevant for building an executable payload under this constraint?",
  options: [ "Use event handlers or other syntax that does not require parentheses", "Switch to a SQL UNION payload", "Encode the payload only in Base64 and stop there", "Use path traversal to include a JavaScript file" ],
  answer: 0,
  rationale: "If parentheses are removed, payloads that avoid function-call syntax become more practical, such as certain event-handler chains or alternative browser behaviors. Payload engineering is about adapting to the exact filter set." }
] }); });

Author

  • Security Practice Test Editorial Team

    Security Practice Test Editorial Team is the expert content team at SecurityPracticeTest.com dedicated to producing authoritative cybersecurity certification exam-prep resources. We create comprehensive practice tests, study materials, and exam-focused content for top security certifications including CompTIA Security+, SecurityX, PenTest+, CISSP, CCSP, SSCP, Certified in Cybersecurity (CC), CGRC, CISM, SC-900, SC-200, AZ-500, AWS Certified Security - Specialty, Professional Cloud Security Engineer, OSCP+, GIAC certifications, CREST certifications, Check Point, Cisco, Fortinet, and Palo Alto Networks exams. Our content is developed through careful review of official exam objectives, cybersecurity knowledge domains, and practical job-relevant concepts to help learners build confidence, strengthen understanding, and prepare effectively for certification success.