", "", "javascript:alert(1)" ], answer: 0, rationale: "In an attribute context, a single quote can terminate the value when the application uses single-quoted attributes. The payload then injects an event handler to execute script." }, { id: 4, domainCode: "4.0", domainName: "SQL Injection", question: "A product search parameter is vulnerable to SQL injection. The application displays no visible errors, but you need to confirm the vulnerability using a true/false condition without causing delays. Which technique is most suitable?", options: [ "Boolean-based blind SQL injection", "Time-based blind SQL injection", "Union-based SQL injection", "Stacked queries with delayed responses" ], answer: 0, rationale: "Boolean-based blind SQL injection relies on changes in the application's response when a condition evaluates to true or false, even when errors are hidden." }, { id: 5, domainCode: "5.0", domainName: "Cross-Site Request Forgery (CSRF)", question: "An application uses a session cookie with SameSite=Lax, and the vulnerable action is triggered by a POST request. Which CSRF defense is strongest and most appropriate for this endpoint?", options: [ "A per-request anti-CSRF token validated server-side", "Changing the cookie name to a random value", "Requiring the request to include a User-Agent header", "Setting the cookie path to /account" ], answer: 0, rationale: "A server-validated anti-CSRF token directly binds the request to the user’s session and prevents cross-site request forgery even if cookies are sent." }, { id: 6, domainCode: "6.0", domainName: "XML External Entity Injection (XXE)", question: "A file upload endpoint accepts SVG documents and the application processes them as XML. You want to test for XXE without relying on outbound internet access. Which payload is most useful for confirming local file disclosure?", options: [ "Define an external entity that references a local file such as file:///etc/passwd", "Use an XML comment to hide malicious tags from the parser", "Add a CDATA section containing JavaScript", "Insert a namespace declaration with a long URI" ], answer: 0, rationale: "XXE testing commonly uses an external entity that references a local file. If the parser expands the entity, the file contents may be disclosed in the response or an error message." }, { id: 7, domainCode: "7.0", domainName: "Directory Traversal", question: "An image viewer retrieves files using a parameter such as ?file=logo.png. Which payload is most likely to bypass a naive prefix-based filter that blocks direct occurrences of ../?", options: [ "..%252f..%252f..%252fetc%252fpasswd", "/etc/passwd", "\\..\\..\\windows\\win.ini", "file:///etc/passwd" ], answer: 0, rationale: "Double-encoded traversal sequences can bypass filters that decode only once or perform simplistic pattern matching. The application may later decode the payload again and resolve the traversal." }, { id: 8, domainCode: "8.0", domainName: "Server-Side Request Forgery (SSRF)", question: "An application fetches a URL supplied by the user to generate a preview. Which test is most useful to detect SSRF against internal services?", options: [ "Point the feature to an internal address like http://127.0.0.1:80/ or http://169.254.169.254/", "Use a very long host name to trigger a DNS error", "Submit a URL with a fragment identifier only", "Send the request over HTTP/2 instead of HTTP/1.1" ], answer: 0, rationale: "SSRF is often confirmed by forcing the server to request an internal-only host or cloud metadata address and then observing the resulting behavior or callback." }, { id: 9, domainCode: "9.0", domainName: "Adapting Attacks to Bypass Defenses", question: "A WAF blocks requests containing the string UNION SELECT, but the backend database still appears vulnerable. Which approach is most likely to help bypass the filter in a SQL injection test?", options: [ "Use case variation, inline comments, or alternative syntax to obfuscate the keyword", "Switch from GET to POST so the WAF cannot inspect the request", "Add a valid Content-Type header", "Change the User-Agent to a browser string" ], answer: 0, rationale: "When keyword filtering is in place, SQL injection payloads may still work if they are obfuscated using comments, mixed case, or alternate syntax that preserves database interpretation." }, { id: 10, domainCode: "2.0", domainName: "Burp Suite Functionality", question: "You capture a request that includes a JSON body and want to resend it repeatedly while making small edits to headers and parameters. Which Burp tool is best suited for this workflow?", options: [ "Repeater", "Target", "Dashboard", "Project options" ], answer: 0, rationale: "Repeater is the primary Burp tool for manually editing and replaying individual requests during active testing." }, { id: 11, domainCode: "1.0", domainName: "Fundamental Web Technologies", question: "A browser sends a request to https://app.example with both a session cookie and a custom X-Auth token. Which statement best describes the scope of a cookie set with the HttpOnly attribute?", options: [ "It cannot be read by JavaScript, but it is still sent with applicable requests", "It cannot be transmitted over HTTPS", "It prevents the cookie from being stored by the browser", "It ensures the cookie is only sent to cross-site requests" ], answer: 0, rationale: "HttpOnly prevents client-side scripts from accessing the cookie, reducing theft via XSS, but the browser still includes it in relevant HTTP requests." }, { id: 12, domainCode: "3.0", domainName: "Cross-Site Scripting (XSS)", question: "A reflected input is placed inside a JavaScript string literal: var q = '...';. The application escapes angle brackets but not quotes. Which payload is most likely to break the string and execute code?", options: [ "';alert(1);//", "", "“, “javascript:alert(1)” ], answer: 0, rationale: “Inside a JavaScript string, a quote can terminate the literal. The appended semicolon and comment help neutralize the rest of the original script so the payload executes cleanly.” }, { id: 13, domainCode: “4.0”, domainName: “SQL Injection”, question: “A search box uses parameterized queries, but a separate sort parameter is concatenated directly into the SQL statement after the ORDER BY clause. Why can this still be exploitable?”, options: [ “Because query structure elements such as ORDER BY are not protected by value parameterization”, “Because prepared statements automatically block all database access”, “Because ORDER BY always requires a subquery”, “Because the server must expose SQL errors for the attack to work” ], answer: 0, rationale: “Parameterized queries protect values, but if untrusted input is concatenated into SQL structure such as ORDER BY, the application may still be injectable.” }, { id: 14, domainCode: “5.0”, domainName: “Cross-Site Request Forgery (CSRF)”, question: “A state-changing endpoint accepts a POST request with no CSRF token, but the developer says SameSite=Strict is sufficient. Which scenario most strongly weakens that defense in practice?”, options: [ “The action can be triggered by a same-site subdomain under attacker control”, “The endpoint uses JSON instead of form data”, “The response includes the Cache-Control header”, “The password field is masked in the UI” ], answer: 0, rationale: “SameSite protections are not a complete substitute for CSRF tokens, especially where same-site trust boundaries are weak or attacker-controlled subdomains are possible.” }, { id: 15, domainCode: “6.0”, domainName: “XML External Entity Injection (XXE)”, question: “An XML parser has external entity resolution disabled, but the application still processes a user-controlled XInclude directive in a document it later transforms. What is the main security concern?”, options: [ “The parser may include remote or local resources during document processing”, “The document will always fail schema validation”, “The application becomes vulnerable only to XSS, not XXE”, “The XML declaration cannot be used with XInclude” ], answer: 0, rationale: “Even when external entities are disabled, XInclude can sometimes cause the processor to fetch and include external content, creating a server-side inclusion risk.” }, { id: 16, domainCode: “7.0”, domainName: “Directory Traversal”, question: “A download endpoint normalizes path separators and rejects ../, but it still allows filenames with excessive dot segments and mixed encoding. Which defense is most reliable on the server side?”, options: [ “Resolve the final path against an allowlisted base directory and enforce the result stays within it”, “Strip only the first occurrence of ../ from the input”, “Block all requests that contain a slash character”, “Replace backslashes with forward slashes in the response” ], answer: 0, rationale: “The safest defense is to canonicalize the path and verify the resolved location remains inside an approved directory. Simple string filtering is easy to bypass.” }, { id: 17, domainCode: “8.0”, domainName: “Server-Side Request Forgery (SSRF)”, question: “An SSRF-prone import feature fetches a user-supplied URL but blocks obvious internal IP literals. Which bypass is often effective when the application resolves hostnames server-side?”, options: [ “Use a domain name that resolves to an internal IP via DNS”, “Append a random query string to the URL”, “Choose HTTPS instead of HTTP”, “Encode the scheme as uppercase letters only” ], answer: 0, rationale: “If the server resolves hostnames itself, DNS-based tricks can redirect a seemingly benign domain to an internal address and bypass literal IP checks.” }, { id: 18, domainCode: “9.0”, domainName: “Adapting Attacks to Bypass Defenses”, question: “A web application blocks the literal substring