This advanced certification measures expert-level skills in identifying, exploiting, and chaining complex web application vulnerabilities. Topics include advanced authentication bypasses, deserialization attacks, business logic flaws, source code analysis, and custom exploit development. Candidates must demonstrate deep understanding of web technologies and the ability to craft reliable exploits in real-world, hardened environments.
Typology: Exams

Question 1. Which Burp Suite feature allows you to automatically repeat a series of requests with modified parameters?
A) Intruder
B) Repeater
C) Scanner
D) Sequencer
Answer: A
Explanation: Intruder can be configured with payload positions and payload sets to automate the repetition of a request with different data, useful for fuzzing and brute-forcing.

Question 2. When decompiling a Java .class file with JD-GUI, which of the following is NOT typically recovered?
A) Original variable names
B) Method signatures
C) Control flow structures
D) Bytecode instructions
Answer: A
Explanation: Decompilers reconstruct code from bytecode but cannot restore the original source-level variable names unless the class was compiled with debugging information.

Question 3. In .NET, which tool is most suitable for editing the IL of an assembly and re-saving it without recompilation?
A) ILSpy
B) dnSpy
C) dotPeek
D) Reflector
Answer: B
Explanation: dnSpy provides a full decompiler and editor for .NET assemblies, allowing you to modify IL and save the patched assembly directly.

Question 4. Which HTTP header is most commonly misused to bypass CSRF protections?
A) X-Requested-With
B) Origin
C) Referer
D) Content-Type
Answer: B
Explanation: When the Origin header is missing or incorrectly validated, an attacker can craft cross-origin requests that bypass CSRF checks that rely on this header.

Question 5. In PHP, the expression 0 == "a" evaluates to true because of:
A) Type juggling with numeric conversion
B) Strict comparison
C) Magic quotes
D) Hash collision
Answer: A
Explanation: PHP converts the string "a" to 0 when using ==, causing the loose comparison to succeed.

Question 6. Which of the following is a typical sign of a blind SQL injection vulnerability?
A) Error messages containing SQL syntax
B) Application returns different page titles for true/false conditions
C) Direct database dump in the response
A) fs.readFile
B) JSON.parse
C) eval
D) require
Answer: C
Explanation: eval executes arbitrary JavaScript code, making it a prime vector for server-side JavaScript injection if fed unchecked user data.

Question 10. Which template engine is vulnerable to Server-Side Template Injection (SSTI) when using the {{ }} syntax?
A) Handlebars
B) Jinja
C) Mustache
D) EJS
Answer: B
Explanation: Jinja2 processes expressions inside {{ }}; if user input is rendered without sanitization, it can lead to SSTI and RCE.

Question 11. When performing SSRF, which internal AWS metadata URL is commonly targeted to obtain IAM credentials?
A) http://169.254.169.254/latest/meta-data/iam/security-credentials/
B) http://169.254.169.254/latest/user-data/
C) http://169.254.169.254/latest/api/token
D) http://169.254.169.254/latest/instance-id
Answer: A
Explanation: The IAM security-credentials endpoint returns temporary access keys for the instance's role, a valuable asset for attackers.

Question 12. Which of the following is a reliable method to detect insecure deserialization in a PHP codebase?
A) Search for unserialize( without prior validation
B) Look for base64_encode usage
C) Identify mysqli_query calls
D) Find header( statements
Answer: A
Explanation: Direct calls to unserialize on user-supplied data without validation often indicate a potential object injection point.

Question 13. In the context of session fixation, what is the primary mitigation technique?
A) Use HTTP-Only cookies only
B) Regenerate session ID after authentication
C) Encrypt session IDs
D) Store sessions in a database
Answer: B
Explanation: Regenerating the session identifier after login prevents an attacker from forcing a victim to use a known session ID.

Question 14. Which Burp Suite module can compare two HTTP responses to highlight differences?
A) Comparer
B) Decoder
Question 17. In a Java Spring MVC application, which annotation defines a method that handles all HTTP verbs for a given path?
A) @GetMapping
B) @PostMapping
C) @RequestMapping
D) @PutMapping
Answer: C
Explanation: @RequestMapping can specify multiple HTTP methods or omit the method attribute to accept any verb.

Question 18. Which of the following is NOT a typical effect of a successful command injection?
A) Arbitrary file read
B) Remote code execution
C) Database schema alteration
D) Denial of service via resource exhaustion
Answer: C
Explanation: While command injection can affect the underlying OS, directly altering a database schema is more characteristic of SQL injection, not OS command execution.

Question 19. Which of these HTTP methods is most often disabled to reduce attack surface?
A) GET
B) POST
C) OPTIONS
D) HEAD
Answer: C
Explanation: OPTIONS can reveal supported methods and headers, so many hardened servers disable it unless explicitly required.

Question 20. In a Node.js Express app, which middleware can unintentionally enable HTTP Parameter Pollution (HPP)?
A) body-parser
B) helmet
C) cors
D) express-rate-limit
Answer: A
Explanation: body-parser merges duplicate query parameters into an array, which can be abused if the app assumes a single value.

Question 21. Which of the following is a correct way to mitigate insecure deserialization in Java?
A) Disable Serializable interface globally
B) Use a whitelist of allowed classes during deserialization
C) Encrypt serialized data
D) Store serialized objects in a file system
Answer: B
Explanation: Implementing an ObjectInputFilter or using a safe deserialization library that only permits known classes prevents gadget chain exploitation.

Question 22. When analyzing a .NET application, which attribute indicates that a method can be invoked during deserialization?
A) [OnDeserialized]
Question 25. Which of the following is a common technique to bypass a blacklist that blocks the string "localhost" in an SSRF payload?
A) Use IP address 127.0.0.1
B) Encode as %6C%6F%63%61%6C%68%6F%73%74
C) Use DNS rebinding to a malicious domain
D) All of the above
Answer: D
Explanation: All listed methods can evade simple string-based blacklist filters for "localhost".

Question 26. Which of the following is the most appropriate way to protect against OS command injection in a Java servlet?
A) Use Runtime.exec with user input directly
B) Validate input against a whitelist of allowed commands
C) Encode the command with Base
D) Disable the servlet container's exec capability
Answer: B
Explanation: Whitelisting permitted commands ensures only known safe operations are executed, preventing arbitrary injection.

Question 27. In Burp Suite, the "Repeater" tool is primarily used for:
A) Automated scanning of vulnerabilities
B) Manual modification and re-sending of a single request
C) Recording macros of user actions
D) Comparing two HTTP messages
Answer: B
Explanation: Repeater lets the tester edit a request and resend it repeatedly to observe responses.

Question 28. Which of the following is a hallmark of a successful SSTI exploitation in a Jinja2 environment?
A) Ability to read /etc/passwd via {{ config }}
B) Execution of {{ ''.__class__.__mro__[1].__subclasses__() }} to discover classes
C) Direct file upload without authentication
D) Session fixation token reuse
Answer: B
Explanation: Accessing Python's class hierarchy through a Jinja2 expression can lead to arbitrary code execution.

Question 29. Which of the following HTTP status codes is most commonly used to indicate a CSRF token validation failure?
A) 200 OK
B) 403 Forbidden
C) 401 Unauthorized
D) 500 Internal Server Error
Answer: B
Explanation: When a CSRF token is missing or invalid, servers often respond with 403 to indicate the request is forbidden.

Question 30. In the context of CORS, which header tells the browser which origins are allowed to read the response?
A) Access-Control-Allow-Methods
B) Access-Control-Allow-Origin
Question 33. In a PHP application that uses password_hash for storing credentials, which of the following is the best practice for verifying a password?
A) Compare hashes with ==
B) Use password_verify
C) Store raw passwords in the session
D) Re-hash the input with a new salt each time
Answer: B
Explanation: password_verify safely checks the supplied password against the stored hash, handling salt and algorithm details.

Question 34. Which of the following is an effective defense against blind SQL injection?
A) Use addslashes on all inputs
B) Parameterized queries / prepared statements
C) Disable error reporting
D) Encode all inputs with urlencode
Answer: B
Explanation: Prepared statements separate code from data, eliminating the ability for an attacker to alter the query logic.

Question 35. Which of the following techniques can be used to enumerate internal services via SSRF when only HTTP GET is allowed?
A) Use http://127.0.0.1:22/ to trigger SSH banner leakage
B) Send a request to http://169.254.169.254/latest/meta-data/
C) Use DNS rebinding to a private IP
D) All of the above
Answer: D
Explanation: All listed methods can be leveraged through an SSRF endpoint that performs HTTP GET to internal addresses.

Question 36. In a Node.js application, which of the following npm packages is frequently abused for prototype pollution?
A) lodash
B) express
C) request
D) mongoose
Answer: A
Explanation: Certain versions of lodash expose functions that allow modification of Object.prototype, leading to pollution attacks.

Question 37. Which of the following is the most appropriate way to handle user-provided file paths in a PHP script to prevent Directory Traversal?
A) Prepend /var/www/uploads/ to the user input and use realpath to verify the result stays within the directory
B) Use basename on the input only
C) Replace .. with an empty string
D) Encode the path with urlencode
Answer: A
Explanation: Combining a known base directory with realpath ensures the final resolved path cannot escape the intended location.

Question 38. Which of the following Burp extensions can automate the detection of reflected XSS payloads?
A) Autorize
Question 41. Which HTTP method is safe to use for idempotent operations but can still be abused in CSRF attacks if not protected?
A) GET
B) POST
C) PUT
D) DELETE
Answer: A
Explanation: GET is considered safe and idempotent, yet browsers automatically include cookies, making it vulnerable to CSRF when state-changing actions are triggered via GET.

Question 42. In a .NET Core API, which attribute disables antiforgery token validation for a specific action?
A) [ValidateAntiForgeryToken]
B) [IgnoreAntiforgeryToken]
C) [AllowAnonymous]
D) [DisableRequestSizeLimit]
Answer: B
Explanation: [IgnoreAntiforgeryToken] tells the framework to skip CSRF token checks for that endpoint.

Question 43. Which of the following is the most effective way to prevent prototype pollution in JavaScript?
A) Use Object.freeze(Object.prototype) at runtime
B) Rely on strict mode ("use strict")
C) Validate that object keys do not contain __proto__ or constructor before merging
D) Encode all object keys with encodeURIComponent
Answer: C
Explanation: Explicitly checking for dangerous property names before merging objects stops the injection of malicious prototypes.

Question 44. Which of the following statements about CORS pre-flight requests is true?
A) They are sent for all GET requests
B) They use the OPTIONS method
C) They include the Authorization header automatically
D) They bypass same-origin policy entirely
Answer: B
Explanation: Browsers issue an OPTIONS request as a pre-flight when a cross-origin request uses non-simple methods or custom headers.

Question 45. In a Java application, which method of java.sql.Statement is vulnerable to SQL injection if user input is concatenated?
A) executeQuery
B) prepareStatement
C) executeBatch
D) setString
Answer: A
Explanation: executeQuery runs a raw SQL string; concatenating untrusted data into it enables injection. prepareStatement mitigates this risk.

Question 46. Which of the following is a recommended practice when handling file downloads to avoid path traversal?
Explanation: VerifyCsrfToken checks the CSRF token on POST, PUT, PATCH, and DELETE requests.

Question 49. Which of the following is the most reliable way to detect a hidden admin panel using automated tools?
A) Brute-force common URLs like /admin
B) Scan for HTTP responses containing the word "admin"
C) Use directory enumeration with a wordlist and look for 200/302 status codes
D) Check the robots.txt file for disallowed paths
Answer: C
Explanation: Systematic enumeration with a comprehensive wordlist and analyzing response codes uncovers hidden endpoints more consistently than heuristic checks.

Question 50. Which of the following JavaScript functions can be used to safely encode user input before inserting it into HTML to prevent XSS?
A) escape()
B) encodeURI()
C) DOMPurify.sanitize()
D) unescape()
Answer: C
Explanation: DOMPurify provides robust sanitization against XSS, whereas escape and encodeURI are insufficient for HTML contexts.

Question 51. In a .NET application, which attribute can be applied to a controller action to require that the request be made over HTTPS?
A) [RequireHttps]
B) [HttpSecure]
C) [EnforceSsl]
D) [SslOnly]
Answer: A
Explanation: [RequireHttps] forces the framework to reject non-TLS requests for the decorated action.

Question 52. Which of the following is a common indicator that an application is vulnerable to insecure deserialization via Java's ObjectInputStream?
A) Presence of readObject() method in source code
B) Use of java.util.Properties for configuration
C) Logging of stack traces containing ClassNotFoundException
D) Absence of serialVersionUID fields
Answer: A
Explanation: Overriding readObject() often signifies custom deserialization logic, which may be exploitable if untrusted data reaches it.

Question 53. Which of the following is the best practice for storing secret keys used by a web application?
A) Hard-code them in source files
B) Store them in environment variables or a secrets manager
C) Place them in a publicly accessible directory
D) Encode them with Base64 and commit to version control
Answer: B
Explanation: Secrets managers or environment variables keep credentials out of source code and version control, reducing exposure.
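As an added illustration of Questions 36 and 43 (not part of the original exam and not lodash's code), the kind of recursive merge that prototype-pollution bugs live in sits beside a hardened merge that drops the dangerous keys before copying; the payload, the `pollutes` checker and all function names are constructed for this example.

```javascript
// Constructed sample of attacker-controlled JSON: an own property named
// "__proto__" survives JSON.parse and is walked by a naive deep merge.
const POLLUTING_JSON = '{"profile":{"__proto__":{"isAdmin":true}}}';

// Keys that reach the prototype chain instead of the target object itself.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive deep merge (the vulnerable pattern): reading target["__proto__"]
// yields Object.prototype, so the recursion writes "isAdmin" onto it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep merge: skips the dangerous keys and only descends into
// properties the target actually owns, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue; // drop, never copy
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const existing = own && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection helper: merge the payload into a fresh object and report whether
// an unrelated object inherited "isAdmin"; then undo any damage to the runtime.
function pollutes(mergeFn) {
  mergeFn({}, JSON.parse(POLLUTING_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log('unsafeMerge pollutes:', pollutes(unsafeMerge)); // true
console.log('safeMerge pollutes:', pollutes(safeMerge));     // false
```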