",
"\" onmouseover=\"alert(1)",
"javascript:alert(1)",
"alert(1)"
],
answer: 0,
rationale: "If the reflection is in an HTML text node and angle brackets are not fully neutralized, a script tag is a direct and common execution vector. The other payloads depend on attribute or URL contexts, which are not described here."
},
{
id: 6,
domainCode: "3.0",
domainName: "Cross-Site Scripting (XSS)",
question: "A value is injected into an HTML attribute enclosed in double quotes, for example . Which payload is the best starting point to break out of the attribute and create executable JavaScript?",
options: [
"test' onclick='alert(1)",
"\" onfocus=\"alert(1)",
"",
"javascript:alert(1)"
],
answer: 1,
rationale: "Because the attribute is enclosed in double quotes, adding a double quote can terminate the attribute value and allow a new event handler to be inserted. The other payloads are more suitable for different contexts."
},
{
id: 7,
domainCode: "4.0",
domainName: "SQL Injection",
question: "A login form is vulnerable to SQL injection, but the application returns a generic error for all malformed input. Which technique is most effective for confirming the vulnerability without visible database errors?",
options: [
"Time-based blind SQL injection using delays",
"Union-based injection with large result sets",
"Second-order SQL injection through stored logs",
"Error-based SQL injection with verbose server messages"
],
answer: 0,
rationale: "Time-based blind SQL injection is well suited when the application suppresses error messages, because the attacker can infer query execution from response delays. Union-based and error-based methods typically require more informative responses."
},
{
id: 8,
domainCode: "4.0",
domainName: "SQL Injection",
question: "Which input would most likely cause a SQL query such as SELECT * FROM products WHERE category = '$input' to return all products if the application does not sanitize the parameter?",
options: [
"' OR 1=1--",
"\"; DROP TABLE products;--",
"admin@example.com",
"/* comment */"
],
answer: 0,
rationale: "Closing the string and adding a tautology such as OR 1=1 is a classic way to alter the WHERE clause and return all rows. The other inputs do not reliably manipulate the query in this specific context."
},
{
id: 9,
domainCode: "5.0",
domainName: "Cross-Site Request Forgery (CSRF)",
question: "Which condition is most important for a CSRF attack to succeed against a state-changing endpoint?",
options: [
"The victim must be using Burp Suite during the attack.",
"The target request must rely on browser-sent credentials such as cookies or HTTP auth.",
"The application must use only GET requests for state changes.",
"The attacker must know the victim's password."
],
answer: 1,
rationale: "CSRF works by leveraging credentials the browser automatically sends, typically cookies or HTTP authentication. The attacker does not need the password, and the attack is not dependent on Burp Suite or GET-only behavior."
},
{
id: 10,
domainCode: "5.0",
domainName: "Cross-Site Request Forgery (CSRF)",
question: "A site defends against CSRF by requiring a token that is bound to the user session and verified on every POST request. Which test is the most relevant way to assess the strength of this defense?",
options: [
"Check whether the token changes when the page is reloaded and whether it is rejected if reused from another session.",
"Verify whether the token is visible in the browser URL bar.",
"Test whether the token can be compressed by the server.",
"Determine whether the token is longer than 32 characters."
],
answer: 0,
rationale: "A robust CSRF token should be unpredictable, tied to the session, and rejected outside that context. Reuse across sessions or poor rotation would indicate weak implementation."
},
{
id: 11,
domainCode: "6.0",
domainName: "XML External Entity Injection (XXE)",
question: "Which XML parser behavior is the key prerequisite for a classic external entity XXE attack to read local files?",
options: [
"The parser must validate against a JSON schema.",
"The parser must resolve external entities.",
"The parser must convert XML to CSV.",
"The parser must strip all whitespace from elements."
],
answer: 1,
rationale: "XXE requires a parser that resolves external entities, allowing references to local or remote resources. The other behaviors are unrelated to entity resolution."
},
{
id: 12,
domainCode: "6.0",
domainName: "XML External Entity Injection (XXE)",
question: "An application accepts XML and returns parsed values, but direct file retrieval is blocked. Which approach is most useful for confirming XXE via out-of-band interaction?",
options: [
"Send a malformed HTML document with inline JavaScript.",
"Use an external entity referencing a controlled listener to trigger an outbound request.",
"Insert a UNION SELECT statement in the XML body.",
"Add a random XML comment and compare response lengths."
],
answer: 1,
rationale: "Out-of-band XXE testing often uses an external entity that points to an attacker-controlled domain, allowing confirmation through an outbound callback. The other options do not test XML entity resolution."
},
{
id: 13,
domainCode: "7.0",
domainName: "Directory Traversal",
question: "A download endpoint uses a file path parameter and appears vulnerable to directory traversal. Which input is the best starting point to attempt reading /etc/passwd on a Linux target?",
options: [
"..%2f..%2f..%2fetc%2fpasswd",
"....//etc/passwd",
"/var/www/html/etc/passwd",
"C:\\windows\\system32\\drivers\\etc\\hosts"
],
answer: 0,
rationale: "URL-encoded traversal sequences such as ../ can bypass naive filtering and are a common starting point for Linux path traversal. The Windows path is OS-specific, and the other strings are not standard traversal attempts."
},
{
id: 14,
domainCode: "7.0",
domainName: "Directory Traversal",
question: "A server validates that the requested file name does not contain ../, but still allows access to unintended files when a separator is encoded differently. Which technique is most relevant to test next?",
options: [
"Changing the HTTP method from GET to TRACE",
"Using alternative encodings or path normalization bypasses",
"Adding a long random cookie value",
"Switching to a different browser user agent"
],
answer: 1,
rationale: "Traversal filters often fail when attackers use alternate encodings, normalization quirks, or platform-specific path separators. Method changes, cookies, and user agent changes are generally unrelated to file path resolution."
},
{
id: 15,
domainCode: "8.0",
domainName: "Server-Side Request Forgery (SSRF)",
question: "A feature fetches a remote URL supplied by the user and returns the response. Which target is the most useful SSRF test to determine whether the server can reach internal-only services?",
options: [
"https://example.com",
"http://127.0.0.1:8080",
"https://www.google.com",
"mailto:test@example.com"
],
answer: 1,
rationale: "Loopback addresses such as 127.0.0.1 are classic SSRF targets for testing access to services bound to localhost or internal interfaces. Public external sites do not prove internal reachability, and mailto is not an HTTP fetch target."
},
{
id: 16,
domainCode: "8.0",
domainName: "Server-Side Request Forgery (SSRF)",
question: "An SSRF sink blocks obvious internal IPs and only allows hostnames. Which technique is most relevant for bypassing this restriction during testing?",
options: [
"Using DNS rebinding or alternative host resolution tricks",
"Adding a fragment identifier after the URL",
"Setting the request body to multipart/form-data",
"Removing all cookies from the request"
],
answer: 0,
rationale: "When hostnames are allowed but IPs are filtered, DNS-based bypasses or resolution tricks can make the server resolve a permitted name to an internal address. Fragments, body format, and cookies do not affect name resolution."
},
{
id: 17,
domainCode: "9.0",
domainName: "Adapting Attacks to Bypass Defenses",
question: "A reflected XSS payload is blocked by a server-side filter that removes the substring script. Which adaptation is most likely to work if the application still allows HTML tags?",
options: [
"Use an event handler on an allowed tag, such as ",
"Switch to a POST request with the same payload",
"Encode the payload as plain text only",
"Append a random query parameter to the URL"
],
answer: 0,
rationale: "If script tags are blocked but HTML is still permitted, alternative vectors such as event handlers on benign tags are often effective. Changing method or adding parameters does not bypass content filtering."
},
{
id: 18,
domainCode: "9.0",
domainName: "Adapting Attacks to Bypass Defenses",
question: "A WAF blocks requests containing a single quote character, but the application processes URL-decoded input. Which approach is most relevant to test first?",
options: [
"Send the request over HTTP/2 instead of HTTP/1.1",
"Use URL encoding or double encoding to alter how the quote is delivered",
"Change the session cookie value",
"Add an empty JSON object to the request body"
],
answer: 1,
rationale: "If filtering occurs before full decoding or is inconsistent across layers, encoded or double-encoded characters may bypass the defense. Protocol changes and unrelated body or cookie changes are less likely to help."
},
{
id: 19,
domainCode: "3.0",
domainName: "Cross-Site Scripting (XSS)",
question: "You find that user input is inserted into a JavaScript string literal like var name = 'PAYLOAD';. Which payload is the best starting point to break out of the string and execute code?",
options: [
"“,
“‘;alert(1);//”,
“\” onload=\”alert(1)”,
“javascript:alert(1)”
],
answer: 1,
rationale: "When input is inside a single-quoted JavaScript string, closing the string with a quote and appending a statement is the most direct route to execution. The other payloads are intended for HTML or attribute contexts."
},
{
id: 20,
domainCode: "2.0",
domainName: "Burp Suite Functionality",
question: "While testing a login flow, you need to capture a one-time token from one request and reuse it in another request automatically within the same attack run. Which Burp feature is most appropriate?",
options: [
"Repeater with manual copy-paste only",
"Intruder payload processing and/or sessions handling",
"Comparer with text diffing",
"Logger with passive history review"
],
answer: 1,
rationale: "Intruder supports payload processing, session handling, and request modification workflows that can chain dynamic values during automated attacks. Repeater, Comparer, and Logger do not provide the same automation for token reuse."
}
]
});
});
Security Practice Test Editorial Team is the expert content team at SecurityPracticeTest.com dedicated to producing authoritative cybersecurity certification exam-prep resources. We create comprehensive practice tests, study materials, and exam-focused content for top security certifications including CompTIA Security+, SecurityX, PenTest+, CISSP, CCSP, SSCP, Certified in Cybersecurity (CC), CGRC, CISM, SC-900, SC-200, AZ-500, AWS Certified Security - Specialty, Professional Cloud Security Engineer, OSCP+, GIAC certifications, CREST certifications, Check Point, Cisco, Fortinet, and Palo Alto Networks exams. Our content is developed through careful review of official exam objectives, cybersecurity knowledge domains, and practical job-relevant concepts to help learners build confidence, strengthen understanding, and prepare effectively for certification success.