",
"';alert(1);//",
"\">

",
""
],
answer: 1,
rationale: "Because the input is inside a single-quoted JavaScript string, closing the quote and appending code is the most direct way to escape the context."
},
{
id: 6,
domainCode: "3.0",
domainName: "Cross-Site Scripting (XSS)",
question: "A payload is inserted into an HTML attribute value wrapped in double quotes, and quotes are encoded but angle brackets are not. Which attack approach is most likely to succeed?",
options: [
"Use an event handler injection after breaking the attribute with a quote character",
"Use a full closing script tag to terminate the page's doctype",
"Use a CSS import to execute JavaScript directly",
"Use a null byte to stop all HTML parsing"
],
answer: 0,
rationale: "If the attribute context can be broken with a quote, an event handler can often be injected. This is a classic attribute-based XSS technique."
},
{
id: 7,
domainCode: "3.0",
domainName: "Cross-Site Scripting (XSS)",
question: "A site uses a framework that sanitizes HTML but allows some attributes. Which feature should you inspect first to identify a possible stored XSS bypass?",
options: [
"The response status code",
"The allowed attribute and element whitelist",
"The server's TLS certificate",
"The browser's cache-control header"
],
answer: 1,
rationale: "When sanitization is whitelist-based, the allowed elements and attributes define the attack surface and are often the key to finding bypasses."
},
{
id: 8,
domainCode: "4.0",
domainName: "SQL Injection",
question: "A login form uses the query SELECT * FROM users WHERE username = '$u' AND password = '$p'. Which input most directly tests for a boolean-based SQL injection in the username field?",
options: [
"admin'--",
"admin
Security Practice Test Editorial Team is the expert content team at SecurityPracticeTest.com dedicated to producing authoritative cybersecurity certification exam-prep resources.