",
"",
"javascript:alert(1)"
],
answer: 0,
rationale: "Breaking out of a single-quoted attribute requires a quote character and then adding a new event handler or attribute. The first option is a classic attribute-context breakout payload."
},
{
id: 8,
domainCode: "3.0",
domainName: "Cross-Site Scripting (XSS)",
question: "A response includes user input inside a JavaScript string: var msg = 'USER_INPUT';. Which encoding strategy is most appropriate to prevent XSS in this context?",
options: [
"HTML-encode the input only",
"URL-encode the input only",
"JavaScript string-encode the input",
"Base64-encode the input and append it directly"
],
answer: 2,
rationale: "When input is inserted into a JavaScript string, it must be encoded for JavaScript string context to prevent breaking out of the quoted value. HTML encoding alone does not reliably protect this context."
},
{
id: 9,
domainCode: "3.0",
domainName: "Cross-Site Scripting (XSS)",
question: "A stored XSS payload is not firing because the application strips angle brackets but allows an inline event handler in a tag already present in the page. What is the most likely reason the attack still works?",
options: [
"The browser ignores all HTML tags inside stored content",
"The payload can execute through an existing element's event attribute without introducing new tags",
"Angle brackets are required for every XSS payload",
"Stored XSS is only possible in JSON responses"
],
answer: 1,
rationale: "XSS does not always require creating new tags. If injection occurs inside an existing HTML element or attribute, an event handler or similar inline script trigger may still execute."
},
{
id: 10,
domainCode: "4.0",
domainName: "SQL Injection",
question: "A parameter is vulnerable to error-based SQL injection. Which change is most likely to help confirm the issue in a typical testing workflow?",
options: [
"Add a SQL comment marker to suppress the rest of the query and observe a database error change",
"Switch the request from HTTPS to HTTP",
"Remove all cookies from the browser",
"Encode the payload with Base64 before sending it"
],
answer: 0,
rationale: "SQL comment markers can alter query structure and help provoke a database error or change in response, which is useful for confirming injection. This is a common first step in error-based testing."
},
{
id: 11,
domainCode: "4.0",
domainName: "SQL Injection",
question: "Which payload pattern is most appropriate for testing whether a numeric parameter is vulnerable to blind SQL injection through a boolean condition?",
options: [
"1 OR 1=1--",
"",
"../etc/passwd",
""
],
answer: 0,
rationale: "A simple boolean condition such as 1 OR 1=1-- is a standard test for numeric SQL injection. It often changes query logic in a way that can be observed in the response."
},
{
id: 12,
domainCode: "4.0",
domainName: "SQL Injection",
question: "A UNION-based SQL injection attempt fails because the number of selected columns is unknown. What is the best next step?",
options: [
"Assume the database is not vulnerable",
"Use ORDER BY or NULL-based probing to determine the column count",
"Switch to an XXE payload",
"Try a CSRF token bypass"
],
answer: 1,
rationale: "Finding the correct column count is essential for UNION-based exploitation. ORDER BY or NULL-based enumeration are standard techniques to identify how many columns the original query returns."
},
{
id: 13,
domainCode: "5.0",
domainName: "Cross-Site Request Forgery (CSRF)",
question: "Which condition most strongly indicates that a state-changing endpoint may be CSRFable?",
options: [
"It returns only JSON and uses a random User-Agent",
"It accepts a request authenticated only by a browser session cookie and lacks anti-CSRF defenses",
"It is accessible only over HTTPS",
"It includes a server banner in the response"
],
answer: 1,
rationale: "CSRF becomes possible when the browser automatically includes session credentials and the application does not require a CSRF token or another anti-CSRF defense. State-changing endpoints are the main target."
},
{
id: 14,
domainCode: "5.0",
domainName: "Cross-Site Request Forgery (CSRF)",
question: "Which CSRF defense is generally the most robust when implemented correctly?",
options: [
"Using POST instead of GET alone",
"Requiring a secret, unpredictable token tied to the user session",
"Changing the URL path on every request",
"Returning a 302 redirect after submission"
],
answer: 1,
rationale: "A session-bound unpredictable token is a core CSRF defense because an attacker cannot normally guess it from another origin. Method changes and redirects do not provide reliable protection by themselves."
},
{
id: 15,
domainCode: "6.0",
domainName: "XML External Entity Injection (XXE)",
question: "A file upload endpoint processes an XML document and the application makes an outbound DNS request when the payload contains an external entity reference. What does this most strongly suggest?",
options: [
"The XML parser is validating against a schema correctly",
"The parser is resolving external entities and may be vulnerable to XXE",
"The endpoint is protected from all server-side attacks",
"The response is the result of CSRF"
],
answer: 1,
rationale: "Outbound DNS or network interaction triggered by an external entity is a common sign that the XML parser is resolving external entities. That behavior is a hallmark of XXE exposure."
},
{
id: 16,
domainCode: "6.0",
domainName: "XML External Entity Injection (XXE)",
question: "Which payload is most appropriate for attempting a basic in-band XXE file disclosure on a parser that permits external entities?",
options: [
" ]>",
"SELECT * FROM users WHERE id=1",
"",
"../../../../etc/passwd"
],
answer: 0,
rationale: "Defining an external entity that references a local file is the standard approach for in-band XXE file disclosure. The payload attempts to force the parser to include the file contents in the XML processing result."
},
{
id: 17,
domainCode: "7.0",
domainName: "Directory Traversal",
question: "A download endpoint takes a filename parameter and returns server files. Which payload is most relevant for testing directory traversal on a Unix-like system?",
options: [
"/var/www/html/index.php",
"../../../../../etc/passwd",
"http://127.0.0.1/admin",
"file://C:/windows/win.ini"
],
answer: 1,
rationale: "Relative path traversal sequences like ../ are the standard way to attempt escaping a restricted directory. On Unix-like systems, /etc/passwd is a common target used to confirm traversal."
},
{
id: 18,
domainCode: "7.0",
domainName: "Directory Traversal",
question: "An application filters the string ../ but still appears vulnerable to traversal. Which approach is often effective against naive filters?",
options: [
"Switching from GET to PUT",
"URL-encoding or double-encoding traversal sequences",
"Changing the Host header only",
"Adding a CSRF token"
],
answer: 1,
rationale: "Naive filters often fail when traversal sequences are URL-encoded or double-encoded. Testing alternative encodings is a common way to bypass simplistic input validation."
},
{
id: 19,
domainCode: "8.0",
domainName: "Server-Side Request Forgery (SSRF)",
question: "Which behavior is the strongest indicator that an image fetch feature may be vulnerable to SSRF?",
options: [
"The application rejects all PNG files",
"The server makes a request to a user-supplied URL and returns timing differences or fetched content",
"The browser displays a favicon",
"The endpoint uses HTTPS"
],
answer: 1,
rationale: "SSRF commonly involves server-side fetching of attacker-controlled URLs. Evidence such as timing changes, response content, or out-of-band interactions indicates that the server is making the request."
},
{
id: 20,
domainCode: "9.0",
domainName: "Adapting Attacks to Bypass Defenses",
question: "A WAF blocks the exact string 'UNION SELECT' but the SQL injection is still present. Which payload adaptation is most likely to bypass a simple keyword filter?",
options: [
"Use mixed case, comments, or whitespace variation such as UN/**/ION SEL/**/ECT",
"Replace the payload with an X-Frame-Options header",
"Use only numeric cookie values",
"Change the request method to HEAD"
],
answer: 0,
rationale: "Simple keyword-based defenses are often bypassed by altering casing, inserting comments, or changing whitespace. These transformations preserve SQL syntax while avoiding exact string matches."
}
]
});
});
Security Practice Test Editorial Team is the expert content team at SecurityPracticeTest.com dedicated to producing authoritative cybersecurity certification exam-prep resources. We create comprehensive practice tests, study materials, and exam-focused content for top security certifications including CompTIA Security+, SecurityX, PenTest+, CISSP, CCSP, SSCP, Certified in Cybersecurity (CC), CGRC, CISM, SC-900, SC-200, AZ-500, AWS Certified Security - Specialty, Professional Cloud Security Engineer, OSCP+, GIAC certifications, CREST certifications, Check Point, Cisco, Fortinet, and Palo Alto Networks exams. Our content is developed through careful review of official exam objectives, cybersecurity knowledge domains, and practical job-relevant concepts to help learners build confidence, strengthen understanding, and prepare effectively for certification success.