Web Application Hacking for Certified Ethical Hacker (CEH)

This page covers the Web Application Hacking domain of the Certified Ethical Hacker (CEH) certification. Master Cybersecurity offers 44 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    A company's web application is vulnerable to session fixation attacks. What is the most appropriate defense strategy to mitigate this risk effectively?
    1. A. Implement HTTPS to encrypt all sessions.
    2. B. Regenerate session IDs upon successful login.
    3. C. Use strong password policies.
    4. D. Enable Multi-Factor Authentication (MFA).
    Explanation

    The correct answer is: B. Regenerate session IDs upon successful login.

    In a session fixation attack, the attacker forces the victim to use a session ID the attacker knows (e.g., by setting it in the URL or a cookie). If the application does not issue a new session ID after login, the attacker can reuse that same ID once the victim authenticates. The primary defense is to regenerate the session ID upon successful login (B): create a new session, invalidate the old one, and bind the new ID to the authenticated user so the fixed ID is useless. HTTPS (A), strong passwords (C), and MFA (D) improve security but do not stop session fixation; the fix is to change the session ID at authentication. Regenerating session IDs upon successful login is the most appropriate defense.
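The session-ID regeneration described above, as an added example that is not from the original page: a minimal in-memory session store in which the session table, the user record and the function names are assumptions made for the demonstration.

```python
import secrets

# Added example, not from the original page: a minimal in-memory session store
# showing why regenerating the session ID at login defeats session fixation.
# SESSIONS, USERS and the function names are assumptions made for this demo.
SESSIONS = {}                                      # session_id -> {"user": name or None}
USERS = {"alice": "correct horse battery staple"}  # constructed credential for the demo

def check_password(username, password):
    """Constructed credential check; a real application verifies a password hash."""
    return USERS.get(username) == password

def new_session():
    """Start an anonymous session and return its unguessable ID."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": None}
    return sid

def login(sid, username, password, regenerate=True):
    """Authenticate and bind the session to the user; return the session ID to set.

    regenerate=True is the defense from answer B: the ID the client arrived with
    is destroyed and a fresh one is issued, so an ID an attacker planted before
    login never becomes an authenticated session. regenerate=False keeps the
    vulnerable behaviour for comparison.
    """
    if sid not in SESSIONS or not check_password(username, password):
        return None
    if not regenerate:
        SESSIONS[sid]["user"] = username          # the fixed ID is now authenticated
        return sid
    del SESSIONS[sid]                             # invalidate the pre-login ID
    new_sid = secrets.token_urlsafe(16)
    SESSIONS[new_sid] = {"user": username}
    return new_sid

def current_user(sid):
    """Return the user bound to a session ID, or None if unknown or anonymous."""
    session = SESSIONS.get(sid)
    return session["user"] if session else None

def fixed_id_user_after_login(regenerate):
    """Scenario from the question: the victim logs in using an ID the attacker
    already knows; return whom that known ID resolves to afterwards."""
    known_id = new_session()
    login(known_id, "alice", USERS["alice"], regenerate=regenerate)
    return current_user(known_id)
```

With `regenerate=False` the attacker-known ID becomes Alice's authenticated session; with `regenerate=True` it resolves to nobody, and only the freshly issued ID is bound to Alice.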
  2. Question 2

    A penetration tester is trying to enumerate user accounts on a web application. Which technique is likely to be the most effective?
    1. A. Brute forcing login attempts
    2. B. Checking for default usernames
    3. C. Analyzing error messages for clues
    4. D. Using a web crawler to index the site
    Explanation

    The correct answer is: C. Analyzing error messages for clues.

    Many applications leak information in login or registration error messages, e.g., "Username does not exist" vs "Invalid password", or "Email already registered". Analyzing these error messages (C) lets you infer valid usernames (or emails) with few requests and without brute-forcing passwords, so it is often the most effective way to enumerate user accounts. Brute forcing logins (A) can confirm valid accounts but is noisy and slow. Default usernames (B) help only when defaults exist and have not been changed. A web crawler (D) finds pages and links, not necessarily user accounts. Error-message analysis is a standard, effective technique for username enumeration.
  3. Question 3

    While assessing a web server, you detect that the server uses a vulnerable version of Apache Struts. Which type of attack is most likely to succeed in this scenario?
    1. A. SQL Injection
    2. B. Cross-Site Scripting (XSS)
    3. C. Remote Code Execution
    4. D. Cross-Site Request Forgery (CSRF)
    Explanation

    The correct answer is: C. Remote Code Execution.

    Apache Struts has had critical remote code execution (RCE) vulnerabilities (e.g., CVE-2017-5638 in the Jakarta Multipart parser). Exploiting these allows an attacker to execute arbitrary code on the server, in many cases without prior authentication. SQL injection (A), XSS (B), and CSRF (D) depend on application logic and input handling; they are not the primary risk of "a vulnerable version of Apache Struts", which is known for RCE. When the scenario specifies a vulnerable version of Apache Struts, the attack most likely to succeed is Remote Code Execution.
  4. Question 4

    A web application uses the GET method to submit sensitive information. What is the primary security concern with this practice?
    1. A. GET requests can be cached by the browser
    2. B. GET requests are slower than POST requests
    3. C. GET requests are not supported by all browsers
    4. D. GET requests are not encrypted by default
    Explanation

    The correct answer is: A. GET requests can be cached by the browser.

    GET parameters appear in the URL and are often logged (server logs, proxy logs, browser history, referrer headers) and cached by browsers and intermediaries. Sensitive data in GET (e.g., tokens, passwords) can therefore be stored and leaked through caching, logs, and history; that is the primary security concern. Speed (B) and browser support (C) are not the main security issue. Encryption (D) is determined by HTTPS, not by GET vs POST; both can be encrypted. The key problem with GET for sensitive data is exposure via caching, logging, and URL storage; A is the correct answer.
  5. Question 5

    You are conducting a penetration test and find that a web application uses a self-signed certificate for HTTPS. What is the primary risk associated with this finding?
    1. A. The certificate can be easily forged.
    2. B. Users may ignore browser warnings, leading to potential MITM attacks.
    3. C. The encryption strength is reduced.
    4. D. The certificate cannot be revoked.
    Explanation

    The correct answer is: B. Users may ignore browser warnings, leading to potential MITM attacks.
  6. Question 6

    While reviewing a web server, you find that sensitive information is being disclosed through directory listings. What is the best immediate action to mitigate this vulnerability?
    1. A. Configure firewall rules to block traffic
    2. B. Disable directory listing on the web server's configuration
    3. C. Implement SSL/TLS to encrypt data in transit
    4. D. Update the web server software to the latest version
    Explanation

    The correct answer is: B. Disable directory listing on the web server's configuration.

    Directory listing allows anyone to see the contents of a directory (file names, sometimes metadata) when no index file is present. The direct fix is to disable directory listing in the web server configuration (e.g., Apache `Options -Indexes`, nginx `autoindex off`), so the listing is no longer exposed. Firewall rules (A) do not address the misconfiguration. SSL/TLS (C) encrypts traffic but does not stop directory listing. Updating software (D) is good practice but does not fix this configuration issue. Disabling directory listing is the best immediate action to mitigate the vulnerability.
