Decoded: The Cybersecurity Podcast

Part 8 - CEH v12 Practice Questions: Web Application Attack Fundamentals: 15 Questions


Part 8: Web Application Attacks (15 Questions)

Which attack exploits unsanitized user input to execute malicious SQL commands?

• A) Cross-Site Scripting (XSS)

• B) SQL Injection (SQLi)

• C) Directory Traversal

• D) Session Hijacking

Answer: B) SQL Injection (SQLi)

Which web attack aims to execute malicious scripts in a victim’s browser via trusted websites?

• A) Cross-Site Scripting (XSS)

• B) Cross-Site Request Forgery (CSRF)

• C) Broken Authentication

• D) IDOR Attack

Answer: A) Cross-Site Scripting (XSS)

What is the primary goal of a Cross-Site Request Forgery (CSRF) attack?

• A) To trick the victim into executing unintended actions on a trusted site

• B) To capture session cookies

• C) To escalate user privileges

• D) To perform remote code execution

Answer: A) To trick the victim into executing unintended actions on a trusted site

Which HTTP method is most commonly exploited in file upload vulnerabilities?

• A) GET

• B) POST

• C) PUT

• D) DELETE

Answer: C) PUT

An attacker manipulates URL parameters to gain unauthorized access to resources. What attack is this?

• A) IDOR Attack

• B) CSRF Attack

• C) XSS Attack

• D) SQL Injection

Answer: A) IDOR Attack

What security vulnerability allows attackers to bypass authentication mechanisms via URL manipulation?

• A) Directory Traversal

• B) Command Injection

• C) Path Manipulation

• D) Broken Access Control

Answer: D) Broken Access Control

Which attack relies on injecting malicious commands directly into a vulnerable web application’s operating system?

• A) SQL Injection

• B) Command Injection

• C) Remote File Inclusion (RFI)

• D) Cross-Site Scripting (XSS)

Answer: B) Command Injection

Which web attack technique manipulates input fields to bypass client-side validation and inject malicious payloads?

• A) Form Injection

• B) SQL Injection

• C) Buffer Overflow

• D) LDAP Injection

Answer: D) LDAP Injection

What security header can help mitigate Cross-Site Scripting (XSS) attacks?

• A) X-Content-Type-Options

• B) Strict-Transport-Security

• C) Content-Security-Policy (CSP)

• D) Cache-Control

Answer: C) Content-Security-Policy (CSP)

Which web attack exploits weak session management by stealing or predicting session tokens?

• A) Clickjacking

• B) Cookie Poisoning

• C) Session Hijacking

• D) IDOR Attack

Answer: C) Session Hijacking

What is the primary goal of a Clickjacking attack?

• A) To inject malicious code into web forms

• B) To trick users into clicking invisible elements

• C) To modify cookie values

• D) To manipulate URL parameters

Answer: B) To trick users into clicking invisible elements

An attacker uses ../../etc/passwd in a URL to gain unauthorized access to system files. What attack is this?

• A) SQL Injection

• B) Directory Traversal

• C) Remote File Inclusion (RFI)

• D) Path Manipulation

Answer: B) Directory Traversal

Which OWASP Top 10 vulnerability relates to failing to properly validate uploaded files?

• A) Injection

• B) Security Misconfiguration

• C) Insecure Deserialization

• D) Unrestricted File Upload

Answer: D) Unrestricted File Upload

What type of attack involves including malicious scripts in web pages that execute on other users’ browsers?

• A) DOM-based XSS

• B) Stored XSS

• C) Reflected XSS

• D) Blind XSS

Answer: B) Stored XSS

Which tool is widely used for discovering web application vulnerabilities through automated scanning?

• A) Hydra

• B) Nikto

• C) John the Ripper

• D) Metasploit

Answer: B) Nikto

Decoded: The Cybersecurity Podcast, by Edward Henriquez
