




























































































A practice exam focused on web attacks using Kali Linux. It includes multiple-choice questions covering various tools and techniques, such as Nmap, Burp Suite, SQL injection, and XSS, along with detailed explanations for each answer. This resource is designed to help students and professionals test their knowledge and prepare for certifications in cybersecurity and penetration testing. It covers topics like directory brute-forcing, HTTP methods enumeration, and server-side request forgery, offering a comprehensive review of web security concepts and practical applications. The exam also addresses common vulnerabilities and methods to exploit them, making it a valuable tool for hands-on learning and skill development in the field of cybersecurity.
Typology: Exams

Question 1. Which Kali Linux command is used to update the package list before installing new tools?
A) apt-get upgrade
B) apt-get update
C) apt-get install
D) apt-get dist-upgrade
Answer: B
Explanation: apt-get update refreshes the local package index, ensuring the latest versions are available for installation.

Question 2. In Kali, which file stores static hostname-to-IP mappings for local resolution?
A) /etc/resolv.conf
B) /etc/hosts
C) /etc/network/interfaces
D) /etc/hostname
Answer: B
Explanation: /etc/hosts maps hostnames to IP addresses without querying DNS.

Question 3. Which VPN client is pre‑installed on Kali for connecting to Offensive Security labs?
A) OpenVPN
B) WireGuard
C) Cisco AnyConnect
D) SoftEther
Answer: A
Explanation: Offensive Security labs provide an OpenVPN configuration file for secure access.

Question 4. What is the default port for Burp Suite’s proxy listener?
A) 8080
B) 80
C) 8443
D) 8888
Answer: A
Explanation: Burp Suite’s proxy listens on 127.0.0.1:8080 unless changed.

Question 5. Which Burp Suite tab allows you to modify and resend a single HTTP request repeatedly?
A) Intruder
B) Repeater
C) Scanner
D) Decoder

Question 8. When creating a custom wordlist with Crunch, which option defines the minimum password length?
A) -l
B) -t
C) -m
D) -s
Answer: A
Explanation: -l sets the minimum length; -u sets the maximum.

Question 9. Which tool is primarily used for recursive directory brute‑forcing on a target URL?
A) Wfuzz
B) Gobuster
C) Nikto
D) sqlmap
Answer: B
Explanation: Gobuster efficiently enumerates directories and files using wordlists.

Question 10. In Dirb, what does the -X option specify?
A) Proxy server
B) Extensions to try (e.g., .php,.html)
C) Output format
D) Verbose mode
Answer: B
Explanation: -X allows you to append file extensions to each wordlist entry.

Question 11. Which Wfuzz mode is best for fuzzing HTTP POST parameters?
A) FUZZURL
B) FUZZHEADERS
C) FUZZPOSTDATA
D) FUZZCOOKIES
Answer: C
Explanation: FUZZPOSTDATA injects payloads into the body of POST requests.

Question 12. Hakrawler is used to discover what type of information?
A) Open ports
B) Hidden form fields
C) Site‑wide URLs and parameters
D) Database schema
Answer: C

Question 15. Which JavaScript function is commonly used to steal a victim’s cookies in an XSS payload?
A) document.write()
B) fetch()
C) location.href
D) document.cookie
Answer: D
Explanation: document.cookie returns the cookie string, which can be sent to an attacker’s server.

Question 16. The Same‑Origin Policy (SOP) restricts which of the following?
A) DNS resolution across domains
B) Access to cookies, DOM, and XMLHttpRequest between different origins
C) TCP connections to other hosts
D) SSL certificate validation
Answer: B
Explanation: SOP isolates web pages so that scripts from one origin cannot read data from another origin.

Question 17. Which attribute on a cookie helps mitigate CSRF attacks?
A) HttpOnly
B) Secure
C) SameSite
D) Path
Answer: C
Explanation: SameSite instructs browsers not to send the cookie with cross‑site requests, reducing CSRF risk.

Question 18. In a CSRF attack, the malicious request is typically triggered by which user action?
A) Clicking a link on the attacker’s site
B) Entering credentials on the target site
C) Running a local script on the victim’s machine
D) Opening an email attachment
Answer: A
Explanation: The attacker lures the victim to visit a page that automatically sends a forged request to the target.

Question 19. Which CORS response header indicates which origins are allowed to access the resource?
A) Access-Control-Allow-Methods
B) Access-Control-Allow-Origin

Answer: B
Explanation: UNION merges the output of two SELECT queries, allowing an attacker to inject additional rows.

Question 22. In error‑based SQL injection, what does the attacker look for?
A) HTTP 404 responses
B) Database error messages in the page output
C) DNS timeout logs
D) SSL handshake failures
Answer: B
Explanation: Database errors often reveal information about the underlying query structure.

Question 23. Which sqlmap command option enables enumeration of database tables?
A) --tables
B) --columns
C) --dump
D) --search
Answer: A
Explanation: --tables tells sqlmap to list all tables in the identified database.

Question 24. When performing a stacked query SQL injection on MySQL, which character separates individual statements?
A) ; (semicolon)
B) && (double ampersand)
C) || (double pipe)
D) ## (double hash)
Answer: A
Explanation: MySQL allows multiple statements in one query when separated by semicolons, provided the server permits it.

Question 25. Which HTTP header can be abused to perform a Server‑Side Template Injection (SSTI) in some frameworks?
A) User-Agent
B) X-Forwarded-For
C) Referer
D) All of the above
Answer: D
Explanation: Many template engines render data from any header, so any of these can be a vector for SSTI.

Answer: C
Explanation: 169.254.169.254 hosts metadata services on many cloud providers.

Question 29. Which template engine uses the syntax {{ variable }} and is vulnerable to SSTI if user input is rendered directly?
A) Mustache
B) Twig
C) Handlebars
D) All of the above
Answer: D
Explanation: All listed engines use double‑curly braces for variable interpolation and can be abused when rendering untrusted input.

Question 30. When exploiting command injection, which of the following payloads safely tests for injection on a Linux system?
A) ; id
B) && cat /etc/passwd
C) | whoami
D) All of the above
Answer: D
Explanation: Each payload appends a benign command (id, whoami) to verify command execution.

Question 31. In Insecure Direct Object Reference (IDOR), what is the primary flaw?
A) Lack of input validation on file uploads
B) Direct exposure of internal identifiers without proper authorization checks
C) Use of weak encryption keys
D) Missing CSRF tokens
Answer: B
Explanation: IDOR occurs when an application trusts a user‑supplied object identifier without verifying the user’s rights.

Question 32. Which Burp Suite feature can automatically compare two HTTP responses to highlight differences?
A) Repeater
B) Intruder
C) Comparer
D) Decoder
Answer: C

Question 35. Which of the following is NOT a typical payload type in Burp Intruder?
A) Sniper
B) Battering ram
C) Pitchfork
D) Catapult
Answer: D
Explanation: Burp Intruder provides Sniper, Battering ram, Pitchfork, and Cluster bomb; “Catapult” does not exist.

Question 36. Which command disables the proxy intercept in Burp Suite’s Proxy tab?
A) Ctrl+I
B) Ctrl+R
C) Ctrl+U
D) Ctrl+Shift+I
Answer: A
Explanation: Ctrl+I toggles the intercept on/off.

Question 37. In sqlmap, the option --risk=3 does what?
A) Increases the number of concurrent threads
B) Enables more aggressive payloads that may be less reliable
C) Lowers the timeout for each request
D) Forces use of HTTPS only
Answer: B
Explanation: Higher risk levels allow sqlmap to try more intrusive, potentially unstable payloads.

Question 38. Which HTTP method is commonly used to test for unsafe CORS configurations because it can include a pre‑flight request?
A) GET
B) POST
C) HEAD
D) OPTIONS
Answer: D
Explanation: Browsers send an OPTIONS pre‑flight request for non‑simple methods, exposing CORS headers.

Question 39. Which Kali tool can be used to generate a reverse shell payload for Windows using PowerShell?
A) msfvenom
B) setoolkit
C) netcat

Answer: C
Explanation: HPP exploits how some back‑ends handle multiple instances of the same parameter, potentially altering logic.

Question 42. Which Burp Suite extension helps automate detection of common XSS payload reflections?
A) Autorize
B) HackBar
C) XSS Validator
D) Active Scan++
Answer: C
Explanation: “XSS Validator” (or similar extensions) automatically injects XSS payloads and checks for reflection.

Question 43. In a CORS pre‑flight request, which header indicates the HTTP method the actual request will use?
A) Access-Control-Request-Method
B) Access-Control-Request-Headers
C) Origin
D) Referer
Answer: A
Explanation: Access-Control-Request-Method tells the server which method (e.g., PUT, DELETE) the real request intends to use.

Question 44. Which of the following is an effective way to bypass a basic authentication prompt using Burp Suite?
A) Intercept the request, add Authorization: Basic <base64> header, and forward
B) Change the HTTP method to HEAD
C) Use a DNS rebinding attack
D) Disable JavaScript in the browser
Answer: A
Explanation: Adding a correctly encoded Authorization header supplies the credentials the server expects.

Question 45. Which Nmap timing template provides the fastest scan while still being reliable for most networks?
A) -T0 (Paranoid)
B) -T2 (Polite)
C) -T4 (Aggressive)
D) -T5 (Insane)
Answer: C
Explanation: -T4 balances speed and reliability; -T5 can cause packet loss on many networks.