7Safe Certified Security Testing CSTP Exam, Exams of Technology

This exam certifies advanced, hands-on expertise in security testing practices. Topics include penetration testing methodologies, advanced web and infrastructure testing, exploitation techniques, reporting, and remediation guidance. Candidates demonstrate the ability to conduct structured security assessments aligned with industry best practices and organizational risk profiles.

Typology: Exams

2025/2026

Available from 01/23/2026

shilpi-jain-2
7Safe Certified Security Testing CSTP Exam
**Question 1. Which of the following best describes the primary purpose of a Rules of
Engagement (RoE) document in a security test?**
A) To outline the testing methodology to be used
B) To define the legal and operational boundaries of the test
C) To list all known vulnerabilities of the target
D) To specify the hardware requirements for the testing tools
Answer: B
Explanation: The RoE sets the legal and operational limits, ensuring the tester knows what is
allowed and what is prohibited during the engagement.
**Question 2. In the OWASP Testing Guide, which phase directly follows Information
Gathering?**
A) Threat Modeling
B) Vulnerability Analysis
C) Exploitation
D) Post-Exploitation
Answer: B
Explanation: After gathering data, the tester analyses that information to identify potential
vulnerabilities before attempting exploitation.
**Question 3. Which HTTP header is most commonly used by web servers to disclose software
version information that can aid banner grabbing?**
A) Set-Cookie
B) User-Agent
C) Server
D) Referer
Answer: C


Explanation: The Server header often contains the web server name and version, which attackers use for fingerprinting.
**Question 4. When using Nmap for OS fingerprinting, which scan type provides the most accurate results?**
A) SYN scan (-sS)
B) UDP scan (-sU)
C) TCP Connect scan (-sT)
D) TCP/IP stack fingerprinting (-O)
Answer: D
Explanation: The -O option enables OS detection by analyzing TCP/IP stack responses, yielding the most precise OS fingerprint.
**Question 5. Which of the following tools is primarily designed for intercepting and modifying web traffic in a browser?**
A) Nmap
B) Metasploit
C) Burp Suite
D) Wireshark
Answer: C
Explanation: Burp Suite acts as a proxy to capture, inspect, and manipulate HTTP/S traffic between the browser and server.
**Question 6. In the context of web application security, what does the term “parameter pollution” refer to?**
A) Injecting malicious code into URL parameters
B) Supplying multiple values for the same parameter to confuse the application
C) Overloading the server with excessive requests

C) HTTPOnly flag on cookies
D) CSRF token implementation
Answer: B
Explanation: Proper session management requires generating a new session ID after authentication events to prevent session fixation.
**Question 10. Which of the following best describes an IDOR vulnerability?**
A) Bypassing authentication by modifying a URL parameter that references a resource directly
B) Injecting malicious JavaScript into a comment field
C) Exploiting a weak password policy to gain admin access
D) Accessing a database through a vulnerable API endpoint
Answer: A
Explanation: Insecure Direct Object References occur when an application uses user‑supplied input to directly access objects without proper authorization checks.
**Question 11. Which Metasploit command is used to display a list of available payloads for a selected exploit?**
A) show options
B) show exploits
C) show payloads
D) show targets
Answer: C
Explanation: The “show payloads” command lists payloads compatible with the currently selected exploit module.
**Question 12. What is the primary advantage of using a “reverse shell” payload over a “bind shell” in a firewall‑protected environment?**

A) It requires fewer bytes of code.
B) It avoids inbound connections that may be blocked by the firewall.
C) It provides higher encryption.
D) It does not need a listening port on the attacker machine.
Answer: B
Explanation: A reverse shell initiates an outbound connection from the target to the attacker, which is typically allowed through firewalls, whereas a bind shell requires inbound connections that are often blocked.
**Question 13. Which Windows service, when misconfigured, commonly allows attackers to perform remote registry attacks?**
A) Remote Desktop Services
B) Server
C) Remote Registry
D) Windows Defender
Answer: C
Explanation: The Remote Registry service permits remote access to the registry; if enabled with weak permissions, it can be abused for data extraction or manipulation.
**Question 14. In Linux, which file typically contains the list of user accounts and their associated UID/GID information?**
A) /etc/passwd
B) /etc/shadow
C) /etc/group
D) /etc/hosts
Answer: A
Explanation: /etc/passwd stores user account details, including usernames, UIDs, and default shells.

Explanation: Insufficient Logging & Monitoring is listed as A10 in the OWASP Top Ten.
**Question 18. Which of the following best describes a “web application firewall” (WAF) rule that blocks requests containing the pattern “**
D) Allowing password authentication over SSH without fail2ban
Answer: C
Explanation: Minimizing installed services reduces the attack surface and is a core hardening principle.
**Question 21. When using Burp Suite’s Intruder tool to test for parameter enumeration, which payload type is most suitable for trying a list of usernames?**
A) Sniper
B) Battering Ram
C) Pitchfork
D) Cluster Bomb
Answer: A
Explanation: Sniper iterates a single payload position through a list, ideal for testing a series of usernames.
**Question 22. Which of the following attacks exploits a web application’s failure to properly validate the Content‑Security‑Policy header?**
A) Cross‑Site Request Forgery (CSRF)
B) Cross‑Site Scripting (XSS)
C) Clickjacking
D) HTTP Parameter Pollution
Answer: B
Explanation: An absent or weak CSP allows injected scripts to execute, facilitating XSS attacks.
**Question 23. In a penetration test report, the term “impact” refers to:**
A) The likelihood of the vulnerability being discovered by an attacker
B) The technical details of how the vulnerability works

A) 301
B) 302
C) 403
D) 404
Answer: A
Explanation: 301 Moved Permanently signals a permanent URL change.
**Question 27. In the NIST 800‑115 technical guide, which phase directly follows “Exploitation” in the penetration testing lifecycle?**
A) Planning
B) Reporting
C) Post‑Exploitation
D) Re‑testing
Answer: C
Explanation: After exploiting a vulnerability, the tester moves to post‑exploitation to assess impact and maintain access.
**Question 28. Which of the following best describes a “blind SQL injection” attack?**
A) The attacker receives error messages that reveal database details.
B) The application returns data directly in the HTTP response.
C) The attacker infers data based on the behavior of the application (e.g., time delays).
D) The injection occurs only in hidden form fields.
Answer: C
Explanation: Blind SQLi relies on indirect indicators such as response timing or boolean conditions to infer data.

**Question 29. Which of the following is a primary advantage of using a “static application security testing” (SAST) tool?**
A) It can detect runtime vulnerabilities in a live environment.
B) It analyzes source code for security issues before deployment.
C) It automatically patches discovered vulnerabilities.
D) It requires no access to the application’s source code.
Answer: B
Explanation: SAST scans source or binary code to find security flaws early in the development lifecycle.
**Question 30. Which of the following techniques can be used to bypass a poorly implemented “input length” validation on a web form?**
A) Sending a payload that exceeds the maximum length in multiple fragmented packets
B) Using Unicode encoding to represent characters
C) Exploiting integer overflow in the server‑side length calculation
D) All of the above
Answer: D
Explanation: All listed methods can circumvent naive length checks, leading to injection or buffer overflow.
**Question 31. In a Linux environment, which command is used to view active network connections and listening ports?**
A) netstat -tuln
B) ipconfig /all
C) traceroute
D) ping -c 4
Answer: A

D) Increase the logging level for deserialization events
Answer: B
Explanation: Whitelisting permissible classes prevents attackers from injecting malicious objects during deserialization.
**Question 35. Which of the following best describes the “principle of least privilege”?**
A) Users should have administrative rights on all systems.
B) Services should run with the minimum permissions required to perform their function.
C) All network traffic should be encrypted end‑to‑end.
D) Passwords should be changed every 30 days.
Answer: B
Explanation: Least privilege limits each component to only the rights it needs, reducing the impact of compromise.
**Question 36. In the context of web security, what does the term “CSRF token” aim to prevent?**
A) Cross‑Site Scripting attacks
B) Unauthorized command execution on the server
C) Forged requests from authenticated users to perform unwanted actions
D) Information leakage through HTTP headers
Answer: C
Explanation: CSRF tokens bind a request to a user’s session, preventing attackers from tricking the user’s browser into executing unwanted actions.
**Question 37. Which of the following is a recommended way to securely store passwords in a web application?**
A) MD5 hashing without a salt

B) Plain‑text storage in a configuration file
C) Salted bcrypt hashing
D) Base64 encoding of the password
Answer: C
Explanation: Salted bcrypt provides a strong, adaptive hash resistant to brute‑force attacks.
**Question 38. Which of the following attacks exploits a web server’s failure to validate the “Host” header?**
A) HTTP Response Splitting
B) Host Header Injection
C) Directory Traversal
D) HTTP Verb Tampering
Answer: B
Explanation: Manipulating the Host header can cause the server to generate malicious links or bypass virtual host restrictions.
**Question 39. Which of the following best describes a “pivot” technique in post‑exploitation?**
A) Escalating privileges on the compromised host
B) Using the compromised host as a launch point to attack other internal systems
C) Extracting data from the target’s database
D) Installing a rootkit on the victim machine
Answer: B
Explanation: Pivoting leverages the foothold on one system to reach other network segments that were not directly reachable.

**Question 43. In the context of secure coding, which of the following is the most effective way to prevent reflected XSS?**
A) Filtering out the “<” and “>” characters from all inputs
B) Encoding output based on the context (HTML, JavaScript, URL) before rendering
C) Using a web application firewall to block all scripts
D) Disabling JavaScript in the browser
Answer: B
Explanation: Contextual output encoding ensures that any user‑supplied data is safely rendered, neutralizing reflected XSS.
**Question 44. Which of the following is a common sign that a web application is vulnerable to command injection?**
A) The application returns a generic “Invalid input” message for all inputs.
B) Supplying a semicolon (;) in a parameter causes the server to execute additional commands.
C) The application only accepts numeric input.
D) The HTTP response size is always constant.
Answer: B
Explanation: The ability to inject command delimiters like “;” indicates that user input is being passed to the operating system shell.
**Question 45. Which of the following best describes “defense evasion” techniques used by attackers?**
A) Encrypting data at rest
B) Obfuscating malicious code to avoid detection by security tools
C) Implementing multi‑factor authentication
D) Conducting regular vulnerability scans

Answer: B
Explanation: Defense evasion involves hiding malicious activity from detection mechanisms such as AV, IDS, or sandbox environments.
**Question 46. Which of the following is the most reliable way to verify that a vulnerability found during scanning is a true positive?**
A) Relying solely on the scanner’s confidence rating
B) Manually reproducing the exploit in a controlled environment
C) Checking the vendor’s website for a patch release
D) Sending an email to the target organization requesting confirmation
Answer: B
Explanation: Manual verification confirms that the vulnerability can actually be exploited, eliminating false positives.
**Question 47. Which of the following HTTP headers can be used to mitigate clickjacking attacks?**
A) X‑Content‑Type‑Options
B) X‑Frame‑Options
C) X‑XSS‑Protection
D) Strict‑Transport‑Security
Answer: B
Explanation: X‑Frame‑Options instructs browsers whether the page may be displayed in a frame, preventing clickjacking.
**Question 48. Which of the following is the primary purpose of a “patch management” process?**
A) To back up all system data daily
B) To ensure that software vulnerabilities are remedied in a timely manner

A) The application accepts JSON payloads only.
B) The server returns an error mentioning “entity expansion”.
C) The HTTP response includes a “Set‑Cookie” header.
D) The application uses HTTPS for all communications.
Answer: B
Explanation: Errors related to entity processing often reveal that the XML parser is processing external entities.
**Question 52. Which of the following tools is specifically designed for automating the discovery of subdomains?**
A) Nikto
B) Sublist3r
C) Wireshark
D) Nessus
Answer: B
Explanation: Sublist3r enumerates subdomains using multiple search engines and DNS queries.
**Question 53. Which of the following best describes “password spraying” as an attack technique?**
A) Trying a large number of passwords against a single account
B) Using a single common password against many accounts
C) Brute‑forcing a password hash offline
D) Intercepting passwords over an insecure network
Answer: B
Explanation: Password spraying avoids account lockout by using a few common passwords across many usernames.

**Question 54. In a penetration test, which of the following is the most appropriate way to document a discovered vulnerability?**
A) Include the CVE ID, proof‑of‑concept steps, risk rating, and remediation recommendation
B) List only the affected URL
C) Provide a screenshot without any description
D) Mention the vulnerability without disclosing technical details
Answer: A
Explanation: Comprehensive documentation aids remediation and provides clear evidence and guidance.
**Question 55. Which of the following is a typical symptom of a compromised web server that has been used for data exfiltration?**
A) Increased CPU usage due to mining cryptocurrency
B) Unexpected outbound connections to unfamiliar IP addresses
C) Frequent reboot cycles initiated by the OS
D) Decreased disk space caused by log rotation
Answer: B
Explanation: Outbound connections to unknown destinations often indicate data being sent out of the network.
**Question 56. Which of the following best describes a “logic bomb” in the context of malware?**
A) A virus that replicates itself across the network
B) Code that triggers a malicious payload when a specific condition is met
C) A Trojan that steals credentials silently
D) Ransomware that encrypts files immediately upon infection
Answer: B