OffSec OSWE WEB300 OffSec Web Expert Exam, Exams of Technology

This advanced certification measures expert-level skills in identifying, exploiting, and chaining complex web application vulnerabilities. Topics include advanced authentication bypasses, deserialization attacks, business logic flaws, source code analysis, and custom exploit development. Candidates must demonstrate deep understanding of web technologies and the ability to craft reliable exploits in real-world, hardened environments.

Typology: Exams

2025/2026

Available from 01/24/2026

shilpi-jain-2
OffSec OSWE WEB300 OffSec Web Expert Exam
**Question 1.** Which Burp Suite feature allows you to automatically repeat a series of
requests with modified parameters?
A) Intruder
B) Repeater
C) Scanner
D) Sequencer
**Answer:** A
**Explanation:** Intruder can be configured with payload positions and payload sets to
automate the repetition of a request with different data, useful for fuzzing and brute-forcing.
**Question 2.** When decompiling a Java .class file with JD-GUI, which of the following is NOT
typically recovered?
A) Original variable names
B) Method signatures
C) Control flow structures
D) Bytecode instructions
**Answer:** A
**Explanation:** Decompilers reconstruct code from bytecode but cannot restore the original
source-level variable names unless the class was compiled with debugging information.
**Question 3.** In .NET, which tool is most suitable for editing the IL of an assembly and
re-saving it without recompilation?
A) ILSpy
B) dnSpy
C) dotPeek
D) Reflector


**Answer:** B
**Explanation:** dnSpy provides a full decompiler and editor for .NET assemblies, allowing you to modify IL and save the patched assembly directly.
**Question 4.** Which HTTP header is most commonly misused to bypass CSRF protections?
A) X-Requested-With
B) Origin
C) Referer
D) Content-Type
**Answer:** B
**Explanation:** When the Origin header is missing or incorrectly validated, an attacker can craft cross-origin requests that bypass CSRF checks that rely on this header.
**Question 5.** In PHP, the expression 0 == "a" evaluates to true because of:
A) Type juggling with numeric conversion
B) Strict comparison
C) Magic quotes
D) Hash collision
**Answer:** A
**Explanation:** PHP converts the string "a" to 0 when using ==, causing the loose comparison to succeed.
**Question 6.** Which of the following is a typical sign of a blind SQL injection vulnerability?
A) Error messages containing SQL syntax
B) Application returns different page titles for true/false conditions
C) Direct database dump in the response

A) fs.readFile
B) JSON.parse
C) eval
D) require
**Answer:** C
**Explanation:** eval executes arbitrary JavaScript code, making it a prime vector for server-side JavaScript injection if fed unchecked user data.
**Question 10.** Which template engine is vulnerable to Server-Side Template Injection (SSTI) when using the {{ }} syntax?
A) Handlebars
B) Jinja
C) Mustache
D) EJS
**Answer:** B
**Explanation:** Jinja2 processes expressions inside {{ }}; if user input is rendered without sanitization, it can lead to SSTI and RCE.
**Question 11.** When performing SSRF, which internal AWS metadata URL is commonly targeted to obtain IAM credentials?
A) http://169.254.169.254/latest/meta-data/iam/security-credentials/
B) http://169.254.169.254/latest/user-data/
C) http://169.254.169.254/latest/api/token
D) http://169.254.169.254/latest/instance-id
**Answer:** A

**Explanation:** The IAM security-credentials endpoint returns temporary access keys for the instance's role, a valuable asset for attackers.
**Question 12.** Which of the following is a reliable method to detect insecure deserialization in a PHP codebase?
A) Search for unserialize( without prior validation
B) Look for base64_encode usage
C) Identify mysqli_query calls
D) Find header( statements
**Answer:** A
**Explanation:** Direct calls to unserialize on user-supplied data without validation often indicate a potential object injection point.
**Question 13.** In the context of session fixation, what is the primary mitigation technique?
A) Use HTTP-Only cookies only
B) Regenerate session ID after authentication
C) Encrypt session IDs
D) Store sessions in a database
**Answer:** B
**Explanation:** Regenerating the session identifier after login prevents an attacker from forcing a victim to use a known session ID.
**Question 14.** Which Burp Suite module can compare two HTTP responses to highlight differences?
A) Comparer
B) Decoder

**Question 17.** In a Java Spring MVC application, which annotation defines a method that handles all HTTP verbs for a given path?
A) @GetMapping
B) @PostMapping
C) @RequestMapping
D) @PutMapping
**Answer:** C
**Explanation:** @RequestMapping can specify multiple HTTP methods or omit the method attribute to accept any verb.
**Question 18.** Which of the following is NOT a typical effect of a successful command injection?
A) Arbitrary file read
B) Remote code execution
C) Database schema alteration
D) Denial of service via resource exhaustion
**Answer:** C
**Explanation:** While command injection can affect the underlying OS, directly altering a database schema is more characteristic of SQL injection, not OS command execution.
**Question 19.** Which of these HTTP methods is most often disabled to reduce attack surface?
A) GET
B) POST
C) OPTIONS
D) HEAD

**Answer:** C
**Explanation:** OPTIONS can reveal supported methods and headers, so many hardened servers disable it unless explicitly required.
**Question 20.** In a Node.js Express app, which middleware can unintentionally enable HTTP Parameter Pollution (HPP)?
A) body-parser
B) helmet
C) cors
D) express-rate-limit
**Answer:** A
**Explanation:** body-parser merges duplicate query parameters into an array, which can be abused if the app assumes a single value.
**Question 21.** Which of the following is a correct way to mitigate insecure deserialization in Java?
A) Disable Serializable interface globally
B) Use a whitelist of allowed classes during deserialization
C) Encrypt serialized data
D) Store serialized objects in a file system
**Answer:** B
**Explanation:** Implementing an ObjectInputFilter or using a safe deserialization library that only permits known classes prevents gadget chain exploitation.
**Question 22.** When analyzing a .NET application, which attribute indicates that a method can be invoked during deserialization?
A) [OnDeserialized]

**Question 25.** Which of the following is a common technique to bypass a blacklist that blocks the string "localhost" in an SSRF payload?
A) Use IP address 127.0.0.1
B) Encode as %6C%6F%63%61%6C%68%6F%73%74
C) Use DNS rebinding to a malicious domain
D) All of the above
**Answer:** D
**Explanation:** All listed methods can evade simple string-based blacklist filters for "localhost".
**Question 26.** Which of the following is the most appropriate way to protect against OS command injection in a Java servlet?
A) Use Runtime.exec with user input directly
B) Validate input against a whitelist of allowed commands
C) Encode the command with Base
D) Disable the servlet container's exec capability
**Answer:** B
**Explanation:** Whitelisting permitted commands ensures only known safe operations are executed, preventing arbitrary injection.
**Question 27.** In Burp Suite, the "Repeater" tool is primarily used for:
A) Automated scanning of vulnerabilities
B) Manual modification and re-sending of a single request
C) Recording macros of user actions
D) Comparing two HTTP messages
**Answer:** B

**Explanation:** Repeater lets the tester edit a request and resend it repeatedly to observe responses.
**Question 28.** Which of the following is a hallmark of a successful SSTI exploitation in a Jinja2 environment?
A) Ability to read /etc/passwd via {{ config }}
B) Execution of {{ ''.__class__.__mro__[1].__subclasses__() }} to discover classes
C) Direct file upload without authentication
D) Session fixation token reuse
**Answer:** B
**Explanation:** Accessing Python's class hierarchy through a Jinja2 expression can lead to arbitrary code execution.
**Question 29.** Which of the following HTTP status codes is most commonly used to indicate a failed CSRF token validation?
A) 200 OK
B) 403 Forbidden
C) 401 Unauthorized
D) 500 Internal Server Error
**Answer:** B
**Explanation:** When a CSRF token is missing or invalid, servers often respond with 403 to indicate the request is forbidden.
**Question 30.** In the context of CORS, which header tells the browser which origins are allowed to read the response?
A) Access-Control-Allow-Methods
B) Access-Control-Allow-Origin

**Question 33.** In a PHP application that uses password_hash for storing credentials, which of the following is the best practice for verifying a password?
A) Compare hashes with ==
B) Use password_verify
C) Store raw passwords in the session
D) Re-hash the input with a new salt each time
**Answer:** B
**Explanation:** password_verify safely checks the supplied password against the stored hash, handling salt and algorithm details.
**Question 34.** Which of the following is an effective defense against blind SQL injection?
A) Use addslashes on all inputs
B) Parameterized queries / prepared statements
C) Disable error reporting
D) Encode all inputs with urlencode
**Answer:** B
**Explanation:** Prepared statements separate code from data, eliminating the ability for an attacker to alter the query logic.
**Question 35.** Which of the following techniques can be used to enumerate internal services via SSRF when only HTTP GET is allowed?
A) Use http://127.0.0.1:22/ to trigger SSH banner leakage
B) Send a request to http://169.254.169.254/latest/meta-data/
C) Use DNS rebinding to a private IP
D) All of the above
**Answer:** D

**Explanation:** All listed methods can be leveraged through an SSRF endpoint that performs HTTP GET to internal addresses.
**Question 36.** In a Node.js application, which of the following npm packages is frequently abused for prototype pollution?
A) lodash
B) express
C) request
D) mongoose
**Answer:** A
**Explanation:** Certain versions of lodash expose functions that allow modification of Object.prototype, leading to pollution attacks.
**Question 37.** Which of the following is the most appropriate way to handle user-provided file paths in a PHP script to prevent Directory Traversal?
A) Prepend /var/www/uploads/ to the user input and use realpath to verify the result stays within the directory
B) Use basename on the input only
C) Replace .. with an empty string
D) Encode the path with urlencode
**Answer:** A
**Explanation:** Combining a known base directory with realpath ensures the final resolved path cannot escape the intended location.
**Question 38.** Which of the following Burp extensions can automate the detection of reflected XSS payloads?
A) Autorize

**Question 41.** Which HTTP method is safe to use for idempotent operations but can still be abused in CSRF attacks if not protected?
A) GET
B) POST
C) PUT
D) DELETE
**Answer:** A
**Explanation:** GET is considered safe and idempotent, yet browsers automatically include cookies, making it vulnerable to CSRF when state-changing actions are triggered via GET.
**Question 42.** In a .NET Core API, which attribute disables antiforgery token validation for a specific action?
A) [ValidateAntiForgeryToken]
B) [IgnoreAntiforgeryToken]
C) [AllowAnonymous]
D) [DisableRequestSizeLimit]
**Answer:** B
**Explanation:** [IgnoreAntiforgeryToken] tells the framework to skip CSRF token checks for that endpoint.
**Question 43.** Which of the following is the most effective way to prevent prototype pollution in JavaScript?
A) Use Object.freeze(Object.prototype) at runtime
B) Rely on strict mode ("use strict")
C) Validate that object keys do not contain __proto__ or constructor before merging

D) Encode all object keys with encodeURIComponent
**Answer:** C
**Explanation:** Explicitly checking for dangerous property names before merging objects stops the injection of malicious prototypes.
**Question 44.** Which of the following statements about CORS pre-flight requests is true?
A) They are sent for all GET requests
B) They use the OPTIONS method
C) They include the Authorization header automatically
D) They bypass same-origin policy entirely
**Answer:** B
**Explanation:** Browsers issue an OPTIONS request as a pre-flight when a cross-origin request uses non-simple methods or custom headers.
**Question 45.** In a Java application, which method of java.sql.Statement is vulnerable to SQL injection if user input is concatenated?
A) executeQuery
B) prepareStatement
C) executeBatch
D) setString
**Answer:** A
**Explanation:** executeQuery runs a raw SQL string; concatenating untrusted data into it enables injection. prepareStatement mitigates this risk.
**Question 46.** Which of the following is a recommended practice when handling file downloads to avoid path traversal?

**Explanation:** VerifyCsrfToken checks the CSRF token on POST, PUT, PATCH, and DELETE requests.
**Question 49.** Which of the following is the most reliable way to detect a hidden admin panel using automated tools?
A) Brute-force common URLs like /admin
B) Scan for HTTP responses containing the word "admin"
C) Use directory enumeration with a wordlist and look for 200/302 status codes
D) Check the robots.txt file for disallowed paths
**Answer:** C
**Explanation:** Systematic enumeration with a comprehensive wordlist and analyzing response codes uncovers hidden endpoints more consistently than heuristic checks.
**Question 50.** Which of the following JavaScript functions can be used to safely encode user input before inserting it into HTML to prevent XSS?
A) escape()
B) encodeURI()
C) DOMPurify.sanitize()
D) unescape()
**Answer:** C
**Explanation:** DOMPurify provides robust sanitization against XSS, whereas escape and encodeURI are insufficient for HTML contexts.
**Question 51.** In a .NET application, which attribute can be applied to a controller action to require that the request be made over HTTPS?
A) [RequireHttps]
B) [HttpSecure]

C) [EnforceSsl]
D) [SslOnly]
**Answer:** A
**Explanation:** [RequireHttps] forces the framework to reject non-TLS requests for the decorated action.
**Question 52.** Which of the following is a common indicator that an application is vulnerable to insecure deserialization via Java's ObjectInputStream?
A) Presence of readObject() method in source code
B) Use of java.util.Properties for configuration
C) Logging of stack traces containing ClassNotFoundException
D) Absence of serialVersionUID fields
**Answer:** A
**Explanation:** Overriding readObject() often signifies custom deserialization logic, which may be exploitable if untrusted data reaches it.
**Question 53.** Which of the following is the best practice for storing secret keys used by a web application?
A) Hard-code them in source files
B) Store them in environment variables or a secrets manager
C) Place them in a publicly accessible directory
D) Encode them with Base64 and commit to version control
**Answer:** B
**Explanation:** Secrets managers or environment variables keep credentials out of source code and version control, reducing exposure.