6. Exploiting Application Vulnerabilities

Ref:📕CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

Press the Start button to begin the practice test.

PenTest+ (PT0-002) Chapter 06. Exploiting Application-Based Vulnerabilities

1 / 161

Which of the following Linux distributions is not used for ethical hacking (penetration testing)?

A. Kali Linux

B. Parrot OS

C. BlackArch Linux

D. Ubuntu Linux

2 / 161

Which SQL statement is commonly used to obtain data from a database in SQL injection attacks?

A. CREATE DATABASE

B. ALTER TABLE

C. SELECT

D. CREATE INDEX

3 / 161

Which technique in SQL injection is used to force the database to generate an error in order to enhance and refine the attack?

A. Boolean

B. Time delay

C. Error-based technique

D. Union operator

4 / 161

What is an important security measure for mitigating risk from unconstrained Kerberos delegation?

A. Enabling Kerberos delegation on all application servers

B. Turning off Kerberos delegation in Active Directory by default

C. Always keeping the Kerberos delegation on

D. None of the above

5 / 161

Which technique can be used to exploit SQL injection vulnerabilities by forcing the database to generate an error in order to enhance and refine an attack?

A. Union operator

B. Boolean

C. Error-based technique

D. Time delay

6 / 161

What is the primary characteristic of out-of-band SQL Injection?

A. The attacker retrieves data using the same channel used to inject the SQL code

B. The attacker retrieves data using a different channel

C. The attacker doesn’t make the application display any data

D. The attacker uses a SELECT statement to combine two queries

7 / 161

What is one potential way an attacker can exploit an Insecure Direct Object Reference vulnerability?

A. By changing the value of a parameter that directly references an object

B. By manipulating the URL to redirect to a different website

C. By injecting malicious code into the application

D. By accessing the application’s source code

8 / 161

What is the Boolean technique typically used for in the context of SQL injection attacks?

A. To return HTTP 500 messages

B. In blind SQL injection attacks

C. To understand the reason for error codes

D. To download DVWA

9 / 161

What could be the possible mitigation techniques for Insecure Direct Object Reference vulnerabilities?

A. Using application firewall

B. Hardening the operating system

C. Applying input validation, using peruser or session Indirect Object References, and access control checks

D. Performing network segmentation

10 / 161

What is improper error handling and why is it a security risk?

A. It is an overuse of error messages that annoy users.

B. It is a type of weakness that can provide information to an attacker, aiding in additional attacks.

C. It is when error messages don’t provide sufficient information for developers.

D. It is the practice of throwing error messages randomly, interrupting application flow.

11 / 161

Which of the following methods are most commonly recommended by OWASP to prevent and mitigate clickjacking attacks?

A. Use malicious code in the application to restrict framing from other domains

B. Send directive response headers to the proper content security policy frame ancestors to instruct the browser not to allow framing from other domains

C. Allow framing from all domains without any restrictions

D. Ignore the current frame level in the application

12 / 161

Which of the following SQL statements is often used to modify data in a database during an SQL Injection attack?

A. SELECT

B. UPDATE

C. CREATE DATABASE

D. CREATE TABLE

13 / 161

What could potentially happen if an SQL server does not sanitize user inputs in stored procedures?

A. The server could freeze due to higher CPU utilization

B. The server could restart

C. The size of the server’s memory could increase

D. Malicious SQL statements could be executed within the stored procedure

14 / 161

Which type of SQL injection does not make the application display or transfer any data, rather, the attacker is able to reconstruct the information by sending specific statements and discerning the behavior of the application and database?

A. In-band SQL injection

B. Out-of-band SQL injection

C. Blind (or inferential) SQL injection

D. Error-based SQL injection

15 / 161

Among the following authentication-based vulnerabilities, which one would NOT involve bypassing authentication through direct manipulation of user identification details?

A. Exploiting default credentials

B. Session hijacking

C. Credential brute forcing

D. Redirecting

16 / 161

Which one of the following is not a method that can be used within the HTTP protocol?

A. GET

B. POST

C. OPTIONS

D. INSERT

17 / 161

In the context of SQL injection attacks, why are the SELECT, UPDATE, DELETE, INSERT INTO, and other SQL commands significant?

A. They define the database schema for the attacker.

B. They serve as the language that the attacker uses to interact with the database.

C. They allow the attacker to encrypt the database data.

D. They are the tools the attacker uses to secure the database against further intrusion.

18 / 161

Which of the following is a correct description about HTTP?

A. HTTP is a stateful protocol that sequences of related commands are treated as a single interaction.

B. An HTTP transaction consists of multiple requests from a client to a server, followed by multiple responses from the server back to the client.

C. HTTP is a protocol that needs a persistent connection for communication logic.

D. The HTTP 1.1 protocol is defined in RFCs 7230–7235.

19 / 161

What is an Out-of-band SQL injection?

A. It’s an injection where the attacker obtains the data using the same channel used to inject the SQL code.

B. It’s an injection where the attacker retrieves data by using a different channel.

C. It’s an injection where the attacker doesn’t make the application display or transfer any data.

D. It’s an injection where the attacker uses database commands to delay answers.

20 / 161

Which of the following methods does HTTP NOT support?

A. GET

B. PROXY

C. POST

D. DELETE

21 / 161

What is a defining feature of a blind (or inferential) SQL injection?

A. The attacker obtains data using the same channel that is used to inject the SQL code.

B. The attacker retrieves data using the same channel used to provide the SQL injection.

C. The attacker is able to reconstruct the information by sending specific statements and discerning the behavior of the application and database.

D. The attacker exploits the application by manipulating a URL query string.

22 / 161

What is the purpose of the HTTP GET method in an HTTP request?

A. Sends data to the server

B. Retrieves information from the server

C. Deletes the specified resource

D. Returns the HTTP methods that the server supports

23 / 161

What does an attacker need to do in order to exploit a system with Insecure Direct Object Reference vulnerabilities?

A. Introduce a third-party software

B. Modify the system’s firewall settings

C. Map out all locations in the application where user input is used to reference objects directly

D. Install a malicious software

24 / 161

What security feature can be used to verify a file’s integrity and ensure it is delivered without tampering or manipulation?

A. Two-factor authentication

B. Firewall rule

C. Subresource Integrity (SRI)

D. Hash function

25 / 161

Which of the following is NOT a recommended measure for preventing XSS attacks according to OWASP?

A. Use an auto-escaping template system.

B. Insert untrusted data anywhere without validation.

C. Use HTML escape before inserting untrusted data into HTML element content.

D. Implement content security policy.

26 / 161

What is the main objective of UNION-based SQL injection attack?

A. To delete data from the database

B. To find the structure of the database

C. To obtain the values of columns of other tables

D. To manipulate the database schema

27 / 161

Which of the following strategies should be used to increase the security of a web application based on session management?

A. Use a short session ID to speed up server response time

B. Include session ID in the URL for easy access

C. Use persistent cookies to store session IDs

D. Use non-persistent cookies and a long session ID to avoid brute-force attacks

28 / 161

What is a potential consequence of exploiting unvalidated redirects and forwards vulnerabilities in a web application?

A. The attacker can deploy an antivirus system.

B. Clients can be redirected to play an online game.

C. The attacker can modify the URL to redirect the user to a non-malicious site.

D. The attacker can modify the URL to redirect the user to a malicious site and steal sensitive information.

29 / 161

What is the primary purpose of Swagger (OpenAPI) in the context of Application Programming Interfaces (APIs)?

A. It is a programming language used to develop APIs

B. It is a modern framework for API documentation and development

C. It is a standard library used to create APIs

D. It is an authentication and authorization standard for APIs

30 / 161

What is the key vulnerability that LDAP Injection attacks leverage?

A. Weak server passwords

B. Unsanitized user input directly inserted into an LDAP statement

C. Poor network security

D. Server hardware failure

31 / 161

Which of the following describes the correct sequence of steps when conducting a reflected XSS attack?

A. The attacker finds a vulnerability in the web server, sends a malicious link to the victim, the victim clicks on the link and the attack is sent to the vulnerable server, the attack is reflected to the victim and executed, and lastly the victim sends information to the attacker

B. The attacker sends a malicious link to the victim, the victim clicks on the link, the attacker finds a vulnerability in the web server, the attack is reflected to the victim and the victim sends information to the attacker

C. The attack is sent to the vulnerable server, the attacker finds a vulnerability in the web server, the attacker sends a malicious link to the victim, the victim clicks on the link, and the victim sends information to the attacker

D. The attacker sends a malicious link to the victim, the victim clicks on the link, the attack is sent to the vulnerable server, the attacker finds a vulnerability in the web server, and lastly the victim sends information to the attacker

32 / 161

Which of the following Linux distributions is Debian-based and widely used for penetration testing?

A. Kali Linux

B. Parrot OS

C. BlackArch Linux

D. Ubuntu

33 / 161

Which of the following techniques is typically used to obtain records from the database by using a different channel in SQL injection attacks?

A. Union operator

B. Boolean

C. Error-based technique

D. Out-of-band technique

34 / 161

Which of the following tools is a collection that includes a web proxy, automated scanning, fuzzing, and other capabilities to identify vulnerabilities in web applications?

A. Burp Suite

B. OWASP ZAP

C. ffuf

D. gobuster

35 / 161

What are the two general types of LDAP injection attacks discussed in the text?

A. SQL Injection and Reconnaissance

B. Information disclosure and HTTP Header Injection

C. Authentication bypass and Information disclosure

D. Cross-Site Scripting and Authentication bypass

36 / 161

What are some ways an attacker can exploit application-based vulnerabilities through authentication methods?

A. DNS spoofing and mail gateways

B. XSS scripting and cookie poisoning

C. Credential brute forcing and session hijacking

D. File inclusion vulnerabilities and SSRF attacks

37 / 161

In the context of application-based vulnerabilities, what function does the command ’nc -lvp 80’ provide during a SQL injection attack?

A. It acts as a value to be injected in the database

B. It starts a listener on the web server

C. It acts as a bind shell on the victim’s system

D. It serves as a backdoor through the database

38 / 161

Which of the following methods can an attacker use to bypass authentication in vulnerable systems?

A. Exploiting weak system configuration

B. Session hijacking

C. Data tampering

D. Data sniffing

39 / 161

In HTTP Protocol, what does the HTTP message status code range in 400 represent?

A. Informational messages

B. Successful transactions

C. HTTP redirections

D. Client errors

40 / 161

Which of the following techniques can an attacker use to compromise a session token in a web session?

A. Predicting session tokens

B. Session sniffing

C. On-path attack

D. All of the above

41 / 161

Which of the following examples is demonstrating the use of US ASCII encoding to evade Web Application Firewalls (WAFs)?

A. <EMBED SRC="data:image/svg+xml;base64,…" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

B. <img src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74& #x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

C. ¼script¾alert(¢XSS¢)¼/script¾

D. <img src="javascriptalert(’xss’);">

42 / 161

Which of the following measures could a tester implement to minimize the risk of session fixation attacks?

A. Initialize a session after the user is authenticated

B. Change the default session ID name to a generic name

C. Encrypt the entire web session

D. Implement the session ID in the URL

43 / 161

What kind of attack is described, where unauthorized commands are transmitted from a user trusted by the application?

A. SQL Injection

B. Cross-site Scripting (XSS)

C. Cross-site Request Forgery (CSRF)

D. Phishing

44 / 161

Which of the following SQL injection techniques could an attacker use to verify whether certain conditions are true or false?

A. Union Operator

B. Boolean

C. Time Delay

D. Out-of-band technique

45 / 161

Which of the following is NOT a common way an attacker can take advantage of authentication-based vulnerabilities in a system?

A. Session hijacking

B. Redirecting

C. Exploiting default credentials

D. Increasing access rights

46 / 161

Which of the following is NOT a valid method used in HTTP protocols?

A. TRACE

B. UPLOAD

C. GET

D. OPTIONS

47 / 161

What is the purpose of a SELECT statement in SQL context?

A. To delete data from a database

B. To obtain data from a database

C. To modify a database

D. To create an index

48 / 161

What is the purpose of adding a single quote (’) or a semicolon (;) to the field or parameter in a web form during penetration testing?

A. To retrieve all records in the database.

B. To freeze the application.

C. To make the application generate an error.

D. To test the application’s input sanitization mechanisms.

49 / 161

Which Linux distributions are often used for penetration testing?

A. Windows 10

B. MacOS

C. Android OS

D. Kali Linux, Parrot OS, and BlackArch Linux

50 / 161

What is a recommended strategy to avoid cookie manipulation attacks?

A. Use data originating from untrusted sources to dynamically write to cookies

B. Store user input in a cookie but do not embed it in a response within the DOM

C. Rely on client-side scripts to process user input in a safe manner

D. Avoid dynamically writing to cookies using data originating from untrusted sources

51 / 161

What sequence is commonly used in exploiting Directory Traversal Vulnerabilities by manipulating variables that reference files?

A. ././seq

B. ../../

C. .././../

D. ./.././

52 / 161

What is the purpose of using the out-of-band exploitation technique during a blind SQL injection attack?

A. To force the victim server to send the results of the query to another server

B. To initiate a shell from the victim’s system to the attacker

C. To bind a shell to a specific port to listen for an incoming connection

D. To set up a web server such as NGINX or Apache

53 / 161

What is an Insecure Direct Object Reference vulnerability and how is it exploited?

A. It is a vulnerability that exposes system files through unsanitized user input

B. It is a vulnerability where an application allows direct access to objects based on user input, which if exploited, could allow attackers to bypass authorization and access protected resources

C. It is a vulnerability that allows attackers to access information via indirect object references

D. It is a vulnerability that is exploited by physically accessing the compromised system

54 / 161

What type of protocols are HTTP and its functions different from, especially in terms of interactions and commands?

A. Stateless protocols

B. Stateful protocols

C. Application-level protocols

D. Transport layer protocols

55 / 161

According to the OWASP, which of the following is NOT a recommended method for preventing XSS attacks?

A. Use an auto-escaping template system

B. Insert untrusted data wherever possible

C. Use CSS escape and strictly validate before inserting untrusted data

D. Sanitize HTML markup with a library

56 / 161

What is the main purpose of an attacker exploiting HTTP parameter pollution (HPP) vulnerabilities?

A. To disable the whole application

B. To garner unauthorized access to others’ sensitive data

C. To bypass input validation, trigger application errors, or modify internal variable values

D. To launch a Denial of Service (DoS) attack

57 / 161

Which of the following SQL injection techniques would an attacker use if they are not receiving help output or error messages from the application?

A. Union operator

B. Boolean

C. Error-based technique

D. Time delay

58 / 161

What is a key difference between local file inclusion (LFI) and remote file inclusion (RFI) vulnerabilities?

A. Only RFI vulnerabilities allow an attacker to execute code

B. LFI vulnerabilities are less common than RFI vulnerabilities

C. LFI vulnerabilities allow attackers to read and execute files on the victim’s system, while RFI vulnerabilities allow an attacker to execute code hosted on the attacker’s system

D. The exploitation of RFI vulnerabilities requires physical access to the server

59 / 161

What is the main reason the use of non-persistent cookies is recommended for tracking users after authentication in a web application session?

A. They make the web application run faster

B. They are necessary for the use of the Max-Age attribute

C. They ensure the session ID is not stored on the client’s cache for a prolonged period

D. They make the session ID easier to validate and filter

60 / 161

Which of the following methods can be used to prevent XSS (Cross Site Scripting) attacks, according to OWASP?

A. Use an auto-escaping template system

B. Input untrusted data in all locations

C. Ignore HTML escaping when inserting untrusted data into HTML element content

D. Use URL encoding on the entire URL or path fragments of a URL, to encode parameter values

61 / 161

Which HTTP method is used to retrieve information from the server?

A. POST

B. PUT

C. GET

D. DELETE

62 / 161

Which of the following statements is true about HTTP?

A. HTTP is a stateful protocol, similar to FTP, SMTP, IMAP, and POP.

B. HTTP relies on a persistent connection for communication logic.

C. An HTTP transaction consists of multiple requests from a client to a server, with multiple responses.

D. An HTTP transaction consists of a single request from a client to a server, followed by a single response from the server back to the client.

63 / 161

Which Linux distribution, used for penetration testing, is based on Arch Linux and comes with more than 1900 different tools and packages?

A. Kali Linux

B. Parrot OS

C. BlackArch Linux

D. WebSploit Labs

64 / 161

Which of the following is NOT a common method used by attackers to take advantage of authentication-based vulnerabilities in a system?

A. Credential brute forcing

B. Session hijacking

C. Using a VPN to mask IP

D. Exploiting weak credentials

65 / 161

What is the difference between a Local File Inclusion (LFI) vulnerability and a Remote File Inclusion (RFI) vulnerability

A. LFI allows a user to upload their input into files or upload files to the server while RFI enables an attacker to execute code hosted on their own system.

B. LFI is a vulnerability in remote systems, while RFI is a vulnerability in local systems.

C. LFI enables an attacker to execute malware, while RFI enables an attacker to read files on the victim’s system.

D. LFI and RFI are the same things, there is no difference.

66 / 161

What is HTTP Parameter Pollution in the context of Exploiting Application-Based Vulnerabilities?

A. Manipulation of HTTP headers to inject malicious code.

B. The occurrence of multiple HTTP parameters with the same name causing an application to interpret values incorrectly.

C. Intercepting and modifying HTTP requests and responses.

D. Manipulating the routing of HTTP requests to expose sensitive data.

67 / 161

What does the HTTP status code range 400-499 represent in an HTTP response message?

A. Informational messages

B. Successful transactions

C. HTTP redirections

D. Client errors

68 / 161

What is the risk associated with developers including comments in source code?

A. It can result in slower execution of the code

B. It can add unnecessary length to the code block

C. It can potentially reveal sensitive information about system, like passwords or API credentials

D. It can make the code overly complex

69 / 161

Which type of insecure practice in source code might provide attackers with too much information?

A. Including plain text passwords in the source code

B. Leaving comments in the source code

C. Using outdated libraries

D. Failing to validate user input

70 / 161

What is HTTP Parameter Pollution in the context of web application vulnerabilities?

A. The use of multiple HTTP parameters with the same name that can cause an application to interpret values incorrectly.

B. The use of excessive parameters in an HTTP request that can overload and crash a web application.

C. The use of incorrect syntax for HTTP parameters that can cause confusion in the application.

D. The use of malicious parameters that can introduce viruses or malware into the web application.

71 / 161

What is the purpose of the ’query-string’ in a URL?

A. It is the IP address (numeric or DNS-based) for the web server being accessed

B. It contains name/value pairs that represent dynamic parameters associated with the request

C. It designates the port number to which the target web server listens

D. It is the portion of the URL that designates the underlying protocol to be used

72 / 161

What could be a potential type of attack if a web application does not filter out invalid session ID values?

A. Rainbow table attack

B. Birthday attack

C. SQL injection attack

D. DoS attack

73 / 161

What is a key characteristic of a Persistent/Stored XSS attack?

A. The malicious code is sent to the victim via a URL

B. The payload is never sent to the server

C. The malicious script is permanently stored on a vulnerable or malicious server

D. The attack doesn’t have permanent effects

74 / 161

Which of the following techniques is often used to determine the type of back-end database a web application is using?

A. Checking for error messages

B. Inspecting the source code

C. Scanning network ports

D. Using a dictionary attack

75 / 161

What are the general rules for preventing XSS attacks according to OWASP?

A. Use an auto-escaping template system, never insert untrusted data except in allowed locations, use HTML escape before inserting untrusted data into HTML element content, and educate users about safe browsing.

B. Convert all input into numerical values, remove all HTML tags from input data before storing it in the database, and use URL escape before every URL requests.

C. Use CSS escape for all data, sanitize HTML markup with any library, and use X-XSS-Protection response header only.

D. Implement SSL for all web transactions, use third-party library for HTML escaping, and sanitize all inputs with a custom-built sanitizer.

76 / 161

What does the request version-number field in an HTTP protocol specify?

A. The IP address of the client.

B. The path to the requested resource.

C. The type of browser used by the client.

D. The version of HTTP used by the client.

77 / 161

What could be the possible consequence of a successful exploitation of Cross-site scripting (XSS)?

A. Installation or execution of malicious code

B. Encoding tags in Unicode

C. Displaying user-supplied data

D. Running an XSS test through browser’s address bar

78 / 161

In the context of SQL Injection attacks, why is it important to identify and manipulate hidden fields of POST requests during penetration testing?

A. To test if application sanitizes user input correctly

B. To increase the database size

C. To reduce the speed of the application

D. To create new SQL databases

79 / 161

Which of the following is NOT a category of SQL statements described in this section?

A. Data definition language (DDL) statements

B. Data manipulation language (DML) statements

C. Customer control statements

D. Session control statements

80 / 161

What type of vulnerabilities could potentially be discovered by analyzing collected requests and using fuzzing while pen-testing an API?

A. Interface vulnerabilities

B. Design vulnerabilities

C. Implementation bugs

D. Network vulnerabilities

81 / 161

What can an attacker do using an ALTER DATABASE SQL injection (SQLi) vulnerability?

A. View, insert, delete, or modify records in a database

B. Upload a corrupt file to the application

C. Balance load between servers

D. Decrypt all encrypted data in the system

82 / 161

Which of the given tools is used to perform an automated scan of a vulnerable web application and has capabilities like proxy, automated scanning, and fuzzing?

A. Feroxbuster

B. Burp Suite

C. OWASP ZAP

D. Gobuster

83 / 161

How does a Cross-Site Request Forgery (CSRF) attack differ from Cross-site Scripting (XSS) attack?

A. CSRF attacks exploit the trust an application has in a user’s browser, while XSS attacks exploit flaws in a user’s decision making.

B. CSRF attacks trick the user’s browser into sending HTTP requests, while XSS attacks occur when an application misunderstands the nature of a request.

C. CSRF attacks are software bugs, while XSS attacks are network-based.

D. CSRF attacks use viruses to manipulate a system, while XSS attacks use malware.

84 / 161

Which of the following accurately describes an LDAP injection attack where the attacker bypasses password and credential checking?

A. Information disclosure

B. Authentication bypass

C. Data manipulation

D. Privilege escalation

85 / 161

What measures the paragraph suggests to prevent the exploitation of default credentials?

A. Changing the manufacturer’s default passwords

B. Use of complex, hard-to-decipher passwords

C. Use of multiple passwords for a system

D. Never using any password

86 / 161

What is one of the common ways a web application may be vulnerable to an attack due to the management of user sessions?

A. Exploiting the use of predictable session tokens

B. Blocking the website’s access to the user’s location settings

C. Disabling the use of cookies for the duration of the user’s session

D. Forcing the web application to process all cookies only on the client’s side

87 / 161

Which of the following is NOT a method or technology underpinning modern APIs?

A. Simple Object Access Protocol (SOAP)

B. Representational State Transfer (REST)

C. Graphical Query Language (GQL)

D. GraphQL

88 / 161

Which of the following is not a typical place where you would find Cross-Site Scripting (XSS) vulnerabilities?

A. Search fields that echo a search string back to the user

B. HTTP headers

C. Input fields that echo user data

D. Website backgrounds

89 / 161

What is the purpose of the HTTP CONNECT method?

A. It retrieves information from the server

B. It sends data to the server

C. It converts the request connection to a transparent TCP/IP tunnel

D. It deletes the specified resource

90 / 161

What is the purpose of the out-of-band exploitation technique in the context of a blind SQL injection vulnerability?

A. To execute a DBMS function to establish an out-of-band connection

B. To directly extract compromised data from the blind SQL injection attack

C. To patch the SQL injection vulnerability on the server

D. To monitor the victim server’s network traffic

91 / 161

What are the capabilities of Burp Suite as mentioned in the text?

A. Session cookies interception and modification of transactions

B. Automated scanning of vulnerabilities

C. Enumerating directories of a web application

D. Detailed network scanning

92 / 161

What is out-of-band SQL injection?

A. It is a form of SQL injection in which the attacker achieves data retrieval using the same channel for injecting the SQL code.

B. It is a form of SQL injection where the attacker retrieves data using a different channel.

C. It is a form of SQL injection where the attacker does not make the application display or transfer any data; rather, the attacker is able to reconstruct the information by sending specific statements.

D. It is a form of SQL injection that combines two queries into a single result or a set of results using a SELECT statement.

93 / 161

What can a successful exploitation of injection-based vulnerabilities lead to?

A. Data encryption

B. Installation of new updates

C. Disclosure of sensitive information, manipulation of data, and DoS conditions

D. Improving system performance

94 / 161

What does an HTTP DELETE method do?

A. It retrieves information from the server

B. It sends data to the server

C. It deletes the specified resource

D. It returns only HTTP headers and no document body

95 / 161

How can an attacker potentially exploit a directory traversal vulnerability?

A. By manipulating variables that reference files with the dot-dot-slash sequence

B. By storing sensitive configuration files inside the web root directory

C. By preventing user input when using file system calls

D. By performing input validation and only accepting known good input

96 / 161

What types of HTTP methods could be used to have different interactions with the server in a web application?

A. GET, POST, TRACE, DELETE

B. PROXY, NAT, TRACE, PUT

C. SYN ACK, SYN, GET, POST

D. ACK, SYN ACK, PUT, DELETE

97 / 161

What are the ways an attacker can compromise a session token or perform session hijacking?

A. Predicting session tokens and Session sniffing

B. Using strong credentials

C. Redirecting and Exploiting default credentials

D. Using Kerberos and Brute force

98 / 161

Why is it important not to include session ID in a URL when maintaining a web session?

A. It helps to easily fingerprint the session ID

B. It increases the usability of the application

C. It prevents session fixation attacks

D. It allows a developer to set the session ID to just a few bits

99 / 161

Which of the following SQL commands is not typically injected by an attacker during SQLi?

A. DROP TABLE

B. SELECT

C. CREATE INDEX

D. INSERT INTO

100 / 161

What is a primary difference between Cross-site request forgery (CSRF) attacks and XSS attacks?

A. CSRF attacks exploit the trust that an application has in a user’s browser, while XSS attacks do not

B. XSS attacks are typically more damaging than CSRF attacks

C. CSRF attacks and XSS attacks exploit the same vulnerabilities

D. XSS attacks rely on a user’s identity, but CSRF attacks do not

101 / 161

Which of the following software tools is NOT typically used for hacking web applications by intercepting, modifying, or deleting transactions between a web browser and a web application?

A. Burp Suite

B. ZAP

C. gobuster

D. feroxbuster

102 / 161

Which of the following is a common way to test for SQL injection vulnerabilities during a penetration test?

A. Inserting a semicolon or single quote into a web form field or parameter.

B. Updating all data in the database.

C. Creating a new database.

D. Deleting records from a database.

103 / 161

What is a common method for attempting to identify SQL injection vulnerabilities during penetration testing?

A. Adding a semicolon or single quote to the field or parameter in a web form

B. Restarting the server and monitoring startup logs

C. Sending massive amounts of data to test for buffer overflows

D. Attempting to directly access sensitive data files on the server

104 / 161

Which of the following statements about HTTP is incorrect?

A. HTTP is a very simple protocol

B. An HTTP transaction consists of a single request from a client to a server, followed by a single response from the server back to the client

C. HTTP is categorized as a stateful protocol that relies on a persistent connection for communication logic

D. HTTP uses a request/response model

105 / 161

What is the main objective of using the UNION operator in SQL injection attacks?

A. To create duplicate values in the database

B. To obtain the values of columns of other tables

C. To delete information from the database

D. To update the existing database information

106 / 161

Which of the following is NOT a recommended practice for preventing XSS attacks according to the OWASP?

A. Use the HTTPOnly cookie flag

B. Implement content security policy

C. Use all input as is without converting to a safe form

D. Educate users about safe browsing

107 / 161

What can an attacker do if a DROP INDEX SQL injection vulnerability exists in a web application?

A. Insert predefined SQL commands via any input field in the application

B. Create a new index or search key element

C. Remove select data from the database

D. Modify system control statements

108 / 161

What techniques or measures should be taken when testing and securing APIs?

A. API services should only provide HTTP endpoints.

B. Parameter validation should be ignored.

C. API development should be regularly discussed on public forums.

D. Perform validation of parameters in the application and sanitize incoming data from API clients.

109 / 161

In HTTP protocol, what does the HEAD method do?

A. Uploads a representation of the specified URI

B. Returns only HTTP headers and no document body

C. Deletes the specified resource

D. Does a message loopback test along the path to the target resource

110 / 161

What documentation could a penetration tester use to gain valuable information about potential attack vectors in an API?

A. SOAP specifications

B. REST details

C. GraphQL language specifics

D. WSDL documents

111 / 161

Which of the following is NOT a method for exploiting application-based vulnerabilities mentioned in the provided text?

A. Session hijacking

B. Redirecting

C. Malware infection

D. Exploiting weak credentials

112 / 161

What does the HTTP GET method do in an HTTP request?

A. Sends data to the server

B. Retrieves information from the server

C. Deletes the specified resource

D. Converts the request connection to a transparent TCP/IP tunnel

113 / 161

Which of the following is NOT a general rule for preventing Cross-Site Scripting (XSS) attacks?

A. Use an auto-escaping template system.

B. Use HTML escape before inserting untrusted data into HTML element content.

C. Insert untrusted data into any location.

D. Convert untrusted input into a safe form.

114 / 161

Which of the following best describes the OWASP Top 10?

A. A pay-to-use penetration testing tool developed by OWASP

B. A countdown of the top 10 developers in the OWASP community

C. An awareness document listing the top 10 application security risks

D. A list of the top 10 OWASP chapters around the world

115 / 161

What are the common tools use by hackers to exploit vulnerabilities in web applications?

A. Burp Suite and OWASP ZAP

B. Sublime Text and Atom

C. Notepad++ and Visual Studio Code

D. Microsoft Word and Excel

116 / 161

What can stacked queries in SQL be used for that makes it susceptible for exploitation?

A. It can be used to make very simple queries

B. It can be used to execute any SQL statement or procedure

C. It can only be used to execute SELECT statements

D. It can be used to manipulate the database structure

117 / 161

What is the best mitigation for SQL injection vulnerabilities according to the text?

A. Use a Firewall

B. Use a VPN

C. Use immutable queries

D. Use strong passwords

118 / 161

Which of the following correctly describes an LFI (Local File Inclusion) vulnerability?

A. It allows an attacker to upload malicious files to the server.

B. It enables an attacker to execute code hosted on his or her own system.

C. It makes an attacker able to read an execute files on the victim’s system.

D. It is less common than RFI vulnerabilities.

119 / 161

What does HTTP status code messages in the 500 range indicate?

A. Messages are informational

B. Messages are related to successful transactions

C. Messages are related to client errors

D. Messages are related to server errors

120 / 161

What is the application-level protocol used in the TCP/IP protocol suite that uses a request/response model for transmitting messages?

A. FTP

B. SMTP

C. IMAP

D. HTTP

121 / 161

How can the SQL UNION operator be exploited by an attacker?

A. An attacker can alter the structure of the database

B. An attacker can delete all data from the database

C. An attacker can disrupt the database’s indexing system

D. An attacker can perform a SQL injection to attain values from multiple tables

122 / 161

Which of the following is NOT a rule for preventing XSS attacks according to OWASP?

A. Use the HTTPOnly cookie flag

B. Use an auto-escaping template system

C. Use URL escape before inserting untrusted data into HTML URL parameter values

D. Send all user data to a third-party server for validation

123 / 161

What method is the most widely used for session ID exchange in a web application?

A. URL parameters and rewriting

B. Body arguments on POST requests

C. Cookies

D. URL arguments on GET requests

124 / 161

Which of the following BEST describes a technique for XSS Evasion?

A. Embedding a Scalable Vector Graphics (SVG) file using HTML embed tags

B. Inflating the payload size to overwhelm the WAFs

C. Using physical access to compromise the server

D. Encrypting the entire payload with AES encryption

125 / 161

Why should the session ID not be included in a URL?

A. Because it may cause the server to crash

B. Because it could attract more traffic to the site

C. Because it could lead to session fixation attacks or ID manipulation

D. Because it is easier for developers to manage

126 / 161

What is the significance of the HTTP methods that include GET, HEAD, TRACE, POST, PUT, DELETE, OPTIONS, and CONNECT in the context of HTTP communication?

A. These methods define whether the connection will be stateful or stateless.

B. These methods determine the web server the connection will be made to.

C. These methods describe the specific actions requested of the web server.

D. These methods identify the TCP/IP protocol needed to establish communication.

127 / 161

Which among the following tools can help collect full API requests during penetration testing?

A. Swagger

B. Burp Suite

C. SOAP

D. GraphQL

128 / 161

What is a race condition vulnerability in the context of system security?

A. When a system attempts two or more operations simultaneously, which need to be done sequentially

B. An attack where the attacker pushes a configuration to a security device

C. A situation where an attacker has a long time window to perform an attack

D. A type of attack that is easy to perform due to low complexity

129 / 161

What could be a potential result of successful XSS exploitation mentioned in the text?

A. Increasing the website’s loading speed

B. Installation or execution of malicious code

C. Minor changes in the website’s layout

D. Increase in the website’s visitor traffic

130 / 161

What are potential outcomes of successful exploitation of XSS vulnerabilities?

A. Account compromise

B. User-supplied data modification

C. Site redirection

D. All of the above

131 / 161

What are the different methods an HTTP request can be based on?

A. GET, HEAD, POST, TRACE, PUT, DELETE, OPTIONS, CONNECT

B. GET, POST, PUT, DELETE

C. GET, POST, CONNECT, OPTIONS

D. GET, HEAD, TRACE, DELETE

132 / 161

Which of the following is NOT a general rule for preventing XSS (Cross-Site Scripting) attacks according to OWASP?

A. Use an auto-escaping template system

B. Use attribute escape before inserting trusted data into HTML common attributes

C. Use JavaScript escape before inserting untrusted data into JavaScript data values

D. Implement content security policy

133 / 161

What kind of attack can be executed by manipulating parameters exchanged between the web client and the web server in a web application?

A. Credential stuffing

B. Parameter tampering

C. Distributed Denial of Service (DDoS)

D. Spear phishing

134 / 161

What is a technique an attacker could use to exploit a directory traversal vulnerability?

A. They can manipulate variables that reference files with the dot-dot-slash (../) sequence

B. They can prevent user input when using file system calls

C. They can perform input validation by only accepting known good input

D. They can store sensitive configuration files inside the web root directory

135 / 161

Which objects are typically targeted by XSS vulnerabilities as indicated in section ’6. Exploiting Application-Based Vulnerabilities’?

A. Search fields that echo a search string back to the user, HTTP headers, Input fields that echo user data, Error messages that return user-supplied text, Hidden fields that may include user input data, Applications that display user-supplied data

B. Data encryption processes, HTTP headers, Applications that display user-supplied data

C. Error messages that return user-supplied text, Input fields that echo user data, Data deletion processes

D. Search fields, HTTP headers, Data transfer protocols, Applications that display user-supplied data

136 / 161

Which of the following is NOT a type of LDAP injection attack?

A. Authentication bypass

B. Information disclosure

C. Packet sniffing

D. Modifying the LDAP tree

137 / 161

Which of the following is the best description of Hard-Coded Credentials in the context of application-based vulnerabilities?

A. They are default login data provided by application developers

B. They are fixed login data embedded within the application’s code

C. They are authentication data masked with a cryptographic algorithm

D. They are temporary login data that expire after a certain period

138 / 161

Which of the following techniques can be used to potentially evade XSS filters?

A. Utilizing HTML img tags

B. Implementing hexadecimal HTML character references

C. Using US ASCII encoding to evade WAFs

D. All of the above

139 / 161

Which of the following is NOT a method an attacker can use to exploit application-based vulnerabilities for bypassing authentication?

A. Credential brute forcing

B. Session hijacking

C. Redirecting

D. Installing antivirus software

140 / 161

What is a command injection attack?

A. An attack where an attacker attempts to modify cookies

B. An attack where an attacker attempts to execute commands on a system via a vulnerable application

C. An attack where an attacker attempts to modify a web application’s public website

D. An attack where an attacker attempts to gain unauthorized access to the application’s database

141 / 161

Which of the following can an attacker do when exploiting SQL injection vulnerabilities?

A. Inject complete or partial SQL queries

B. Update the web application’s interface

C. Restrict access to certain users

D. Block the communication between the application and the database

142 / 161

What is the purpose of using the UNION operator in an SQL injection attack?

A. To create new entries in a database

B. To delete entries in a database

C. To obtain the values of columns from other tables

D. To disable the database server

143 / 161

Which statement correctly describes the use of the Error-based technique in SQL injection attacks?

A. It combines two SELECT statements into one.

B. It delays responses from the database.

C. It forces the database to generate an error to enhance the attack.

D. It verifies whether certain conditions are true or false.

144 / 161

Which session management mechanism is one of the most widely used and offers advanced capabilities?

A. URL parameters and rewriting

B. Body arguments on POST requests

C. Cookies

D. HTTP headers

145 / 161

What is the vulnerability that command injection attacks exploit?

A. An application having excessive user privileges

B. An application not validating user-supplied data

C. An application having insufficient security protocols

D. An application having outdated software

146 / 161

What action can be performed in SQLi attacks using the UPDATE SQL command?

A. Delete data in a database

B. Insert new data into a database

C. Update data in a database

D. Create a new database

147 / 161

What could provide a roadmap that describes the underlying implementation of an application and give penetration testers valuable clues about attack vectors?

A. Application Error Messages

B. Software Log Files

C. API Documentation

D. Source Code

148 / 161

Which of the following is NOT a general rule for preventing XSS attacks, according to OWASP?

A. Use an auto-escaping template system.

B. Insert trusted data in any location.

C. Implement content security policy.

D. Use HTML escape before inserting untrusted data into HTML element content.

149 / 161

Which HTTP method is typically used to send data to the server, often in the form of HTML forms, API requests, etc.?

A. GET

B. POST

C. OPTIONS

D. HEAD

150 / 161

What is the role of an HTTP proxy?

A. HTTP proxies only function as servers.

B. HTTP proxies function as both servers and clients, making requests to web servers on behalf of other clients.

C. HTTP proxies only perform Network Address Translation (NAT) and filtering of HTTP requests.

D. HTTP proxies are solely used for the support of caching of HTTP messages.

151 / 161

Which of the following statements about Business Logic Flaws is incorrect?

A. They are different from typical security vulnerabilities.

B. They can typically be found by using scanners or other similar tools.

C. Data validation and a detailed threat model can help prevent them.

D. MITRE has assigned Common Weakness Enumeration (CWE) ID 840 to business logic errors.

152 / 161

What does the HTTP status code in the 400 range represent?

A. Messages related to successful transactions

B. Messages related to client errors

C. Messages related to server errors

D. Messages in the 100 range are informational

153 / 161

Which of the following is NOT a general rule by OWASP for preventing XSS attacks?

A. Use an auto-escaping template system.

B. Use CSS escape and strictly validate before inserting untrusted data into HTML-style property values.

C. Allow insertion of untrusted data in any location.

D. Use URL escape before inserting untrusted data into HTML URL parameter values.

154 / 161

Which of the following best describes a Stored XSS attack?

A. Malicious code is sent via a malicious URL directly to the victim’s web browser

B. Malicious code is permanently stored on a vulnerable or malicious server

C. Malicious code is sent via a URL which triggers the web browser’s DOM

D. Malicious code is injected via input fields into a web network’s database

155 / 161

What is the function of a HTTP GET method in an HTTP protocol?

A. Uploads a representation of the specified URI

B. Deletes the specified resource

C. Converts the request connection to a transparent TCP/IP tunnel

D. Retrieves information from the server

156 / 161

What does the Time-Delay SQL Injection Technique in the given context do?

A. Checks if the MySQL version is 8.x and forces the server to delay the answer by 10 seconds

B. Overloads the server with an increased time of delay

C. Crashes the MySQL server

D. Generates a false report of the MySQL version

157 / 161

What is the purpose of a ’User-Agent’ field in an HTTP request?

A. It specifies the version of HTTP used by the client

B. It instructs the web server on which HTTP methods to respond back with

C. It indicates the browser type and version used to access the website

D. It is used to indicate the path of the requested URL

158 / 161

Which of the following options is NOT a method or technology behind modern APIs as per the provided text?

A. SOAP

B. REST

C. GraphQL

D. PinLatch

159 / 161

What does SOAP exclusively use to provide API services?

A. JSON

B. XML

C. GraphQL

D. TLS

160 / 161

Which of the following is not a recommended rule by OWASP for preventing XSS attacks?

A. Use JavaScript escape before inserting untrusted data into JavaScript data values.

B. Use CSS escape and strictly validate before inserting untrusted data into HTML-style property values.

C. Convert ’ to '.

D. Use HTML escape before inserting untrusted data into HTML element content.

161 / 161

In a SQL injection vulnerability, the attacker may use SQL commands to conduct the attack. Which of the following SQL commands would likely allow an attacker to view data from a database?

A. CREATE DATABASE

B. UPDATE

C. SELECT

D. ALTER DATABASE

Your score is

Boost Your Skills with Free Anki Flashcards

Click the download button to get the CompTIA Pentest+ Anki deck.

Deepen your understanding of application-based vulnerabilities with our CompTIA PenTest+ Chapter 06 practice questions.

Explore techniques for identifying and exploiting weaknesses in applications, crucial for effective penetration testing.
Complement your study with our free Anki decks to reinforce learning. For official insights, visit CompTIA’s website.

Ready for more?
Dive into Chapter 07: Cloud, Mobile, and IoT Security to broaden your cybersecurity knowledge.

Press the Start button to begin the practice test.

Boost Your Skills with Free Anki Flashcards

Explore our other free practice tests:

Hands-on
Cybersecurity Training
in a LIVE SOC
with Enterprise Security Tools

Internships Available.

Press the Start button to begin the practice test.

Boost Your Skills with Free Anki Flashcards

Explore our other free practice tests:

Hands-onCybersecurity Training in a LIVE SOCwith Enterprise Security ToolsInternships Available.

Hands-on
Cybersecurity Training
in a LIVE SOC
with Enterprise Security Tools

Internships Available.