1. Why are a written scope and Rules of Engagement mandatory before any ethical hacking test?
Difficulty: Easy | Type: MCQ | Topic: Scope Rules
- To gain explicit authorization and define boundaries that keep testing lawful and safe
- To make reports look longer for management
- To avoid writing a final report
- To ensure testers can attack any third-party system
Authorization proves consent and sets legal and safety limits. A good scope lists in-scope assets, time windows, contact paths, and what is out of bounds. This avoids accidental disruption and legal trouble.
Correct Answer: To gain explicit authorization and define boundaries that keep testing lawful and safe
Example Code
Scope: targets=[api.example.com, 203.0.113.0/24]; OOS=[prod-db]; window=Sat 01:00–05:00; emergency=+1-555-0100
2. Which ordering matches the common PTES workflow?
Difficulty: Easy | Type: MCQ | Topic: Pentest Flow
- Pre-engagement → Recon → Threat modeling → Vulnerability analysis → Exploitation → Post-exploitation → Reporting
- Recon → Exploitation → Reporting → Vulnerability analysis → Threat modeling → Post-exploitation → Pre-engagement
- Reporting → Threat modeling → Pre-engagement → Recon → Post-exploitation → Exploitation → Vulnerability analysis
- Exploitation → Recon → Vulnerability analysis → Reporting → Pre-engagement → Threat modeling → Post-exploitation
PTES starts before any testing with approvals and planning, then moves from information gathering to modeling, finding weaknesses, safely exploiting, learning more on post-exploitation, and finally reporting.
Correct Answer: Pre-engagement → Recon → Threat modeling → Vulnerability analysis → Exploitation → Post-exploitation → Reporting
Example Code
flow = ["pre", "recon", "model", "vuln", "exploit", "post", "report"]
3. In ethical hacking, what does “without authorization” generally imply for legality?
Difficulty: Medium | Type: MCQ | Topic: Legal Ethics
- Accessing systems you do not have clear, written permission to test
- Scanning only open ports
- Using strong passwords
- Encrypting your traffic
Ethical testing must have explicit permission from the owner. Acting without authorization, or exceeding granted permissions, risks criminal or civil penalties even if intentions are good.
Correct Answer: Accessing systems you do not have clear, written permission to test
Example Code
permit: signed_letter(id=ENG-2025-0142, owner=ExampleCorp, assets=list)
4. What is the purpose of a Safe Harbor clause in a vulnerability disclosure or bounty program?
Difficulty: Medium | Type: MCQ | Topic: Legal Ethics
- It protects good-faith research within stated rules from legal action by the program owner
- It allows testing of any vendor worldwide
- It guarantees cash rewards for all submissions
- It replaces the need for authorization
Safe Harbor language states that if you follow program rules, the organization will not pursue legal action. It encourages responsible testing and clear reporting.
Correct Answer: It protects good-faith research within stated rules from legal action by the program owner
Example Code
policy.safeHarbor: { goodFaith: true, followRules: true, noLegalAction: true }
5. Which activity is typically out of scope for standard penetration tests unless explicitly allowed?
Difficulty: Easy | Type: MCQ | Topic: Scope Rules
- Denial-of-Service or traffic flood tests
- Low-impact recon on owned domains
- Reporting security headers
- Reading public documentation
DoS can disrupt business. Most engagements forbid it unless there is an approved window, a lab environment, and explicit sign-off.
Correct Answer: Denial-of-Service or traffic flood tests
Example Code
if (!scope.flags.allowDoS) { skip("no-DoS"); }
6. Before running a phishing simulation, what ethical requirement must be met?
Difficulty: Medium | Type: MCQ | Topic: Social Engg
- Informed consent and explicit authorization from the organization
- Only using a free mail server
- Masking the sender name
- Sending at night to avoid alerts
Social engineering touches people and data. It needs clear consent, agreed scenarios, and safety rules to avoid harm and legal risk.
Correct Answer: Informed consent and explicit authorization from the organization
Example Code
SE.plan: { approver: CISO, audience: sales@, pretext: invoice, dataHandled: minimal }
7. Why keep a chain of custody when handling sensitive evidence during an engagement?
Difficulty: Medium | Type: MCQ | Topic: Evidence
- To document who handled data and preserve its integrity for audits or legal review
- To speed up network scans
- To avoid writing test cases
- To reduce report pages
A chain of custody records every transfer and control action on evidence. It proves data was not altered and maintains trust in findings.
Correct Answer: To document who handled data and preserve its integrity for audits or legal review
Example Code
entry = { time, handler, action, itemHash, location } // append to evidence log
8. Which option best describes the NIST testing flow for ethical hacking style assessments?
Difficulty: Medium | Type: MCQ | Topic: Pentest Flow
- Plan → Execute tests → Analyze findings → Report and mitigate
- Exploit first → Plan later → Ignore analysis → No report
- Only plan, no testing
- Report first, plan after testing
NIST guidance emphasizes planning and authorization, then structured testing, analysis, and mitigation. This turns results into action and controls risk.
Correct Answer: Plan → Execute tests → Analyze findings → Report and mitigate
Example Code
steps = ["plan", "test", "analyze", "mitigate"]
9. A strong Vulnerability Disclosure Policy should include which element?
Difficulty: Medium | Type: MCQ | Topic: VDP Rules
- Clear contact method, testing boundaries, and non-retaliation language
- Only a marketing email address
- Permission to test any vendor’s assets
- A promise to fix all bugs in 24 hours
A VDP tells researchers where to report, what is allowed, and that good-faith research will not be punished. It improves safety and signal quality.
Correct Answer: Clear contact method, testing boundaries, and non-retaliation language
Example Code
vdp: { contact: security@example.com, allowed: list, oos: list, safeHarbor: true }
10. How should an ethical hacker write a high-impact finding so it drives action?
Difficulty: Medium | Type: Subjective | Topic: Reporting
Lead with risk and business impact in plain language. Show a simple proof of how to reproduce. Explain root cause and the likely attacker path. Provide concrete fixes and a quick mitigation if a full fix takes time. Close with validation steps so teams know when it is done. Keep it precise, respectful, and easy to read by both engineers and managers.
Example Code
Finding: Broken access control → Impact: read other users’ invoices → Repro: GET /api/invoices/42 → Fix: enforce owner check
11. State three ethical principles you follow during a test and why they matter.
Difficulty: Easy | Type: Subjective | Topic: Legal Ethics
First, do no harm: prefer low-risk tests and avoid disruption. Second, respect privacy: minimize data collection and handle any sensitive data carefully. Third, act with integrity: be transparent, stay within scope, and report issues promptly. These build trust and keep testing both safe and useful.
Example Code
Principles: minimize_impact; protect_data; follow_scope
12. You discovered personal data while testing. What steps do you take?
Difficulty: Medium | Type: Subjective | Topic: OSINT Recon
Stop and reduce exposure. Capture only what is needed to prove the issue, never bulk-download. Hash or redact sensitive fields in notes and screenshots. Securely store evidence, restrict access, and notify the authorized owner quickly so they can contain risk. Delete any extra copies after the client confirms receipt and retention rules.
Example Code
screenshot: redact(email, phone, token); store in encrypted evidence vault
13. If you trigger a potential outage during testing, how do you respond?
Difficulty: Medium | Type: Subjective | Topic: Priv Esc
Follow the emergency path in the Rules of Engagement. Stop the test, contact the on-call owner, share what you did and the exact timing, and help with rollback. Document the incident, lessons learned, and safeguard changes so it does not repeat. Transparency preserves trust.
Example Code
onError: stop(); notify(oncall); provide steps_to_revert; log(event)
14. What is the safest approach to test brute-force protections on a production login?
Difficulty: Medium | Type: MCQ | Topic: Engagement Safety
- Use a very small, agreed sample with throttle limits and a dedicated test account
- Run unlimited guesses on real user accounts
- Disable the WAF first
- Test only during peak business hours
Abuse testing can lock out users or flood logs. Use a test account, tiny volumes, and rate limits agreed in advance to avoid user impact.
Correct Answer: Use a very small, agreed sample with throttle limits and a dedicated test account
Example Code
authTest: account=test_user; maxAttempts=20; rate=1/min; stopOnAlert=true
15. You gained a low-privilege shell on a server in scope. How do you apply ethical post-exploitation?
Difficulty: Hard | Type: Subjective | Topic: Post Exploit
Confirm the host is in scope, then gather minimal situational data: whoami, hostname, network routes, patch level. Seek written approval before privilege escalation. Avoid data harvesting; prove access with a harmless file or unique token if allowed. Keep timestamps, commands, and outputs in your notes. When done, remove any artifacts you placed and help the client validate containment.
Example Code
whoami && hostname && ip addr show; touch /tmp/POC_README; exit
16. What is the key difference between passive and active reconnaissance?
Difficulty: Easy | Type: MCQ | Topic: OSINT Recon
- Passive gathers data without touching the target; active interacts with target systems
- Passive is faster than active in all cases
- Active is always illegal while passive is always legal
- Passive focuses on exploitation while active is only reporting
Passive methods use third-party sources like search engines, CT logs, and public datasets. Active methods send probes to the target such as pings, scans, or HTTP requests.
Correct Answer: Passive gathers data without touching the target; active interacts with target systems
Example Code
Passive: site:example.com filetype:pdf
Active: nmap -sV example.com
17. Which option lists mostly passive subdomain discovery sources?
Difficulty: Medium | Type: MCQ | Topic: OSINT Recon
- Certificate Transparency logs, DNS datasets, search engines
- DNS brute force, wordlists, ffuf
- ARP scans, SNMP sweeps, ping sweeps
- SMTP VRFY, SMB null sessions, RPC calls
CT logs, historical DNS, and search engines do not directly hit the target. Brute force and fuzzing are active as they send queries to target name servers or web servers.
Correct Answer: Certificate Transparency logs, DNS datasets, search engines
Example Code
amass enum -passive -d example.com
18. Why are Certificate Transparency logs useful in recon?
Difficulty: Easy | Type: MCQ | Topic: OSINT Recon
- They reveal hostnames seen on recently issued TLS certificates
- They expose database passwords by design
- They block malicious traffic automatically
- They list only expired certificates
CT logs are public and show certificates issued for a domain. Hostnames on those certs often include new apps and subdomains.
Correct Answer: They reveal hostnames seen on recently issued TLS certificates
Example Code
curl 'https://crt.sh/?q=%25.example.com&output=json' | jq '.[].name_value'
19. Which search query best finds public PDFs under a domain?
Difficulty: Medium | Type: MCQ | Topic: OSINT Recon
- site:example.com filetype:pdf
- domain:example.com type:pdf
- search example.com pdfs
- pdf:example.com site
The site operator limits results to a domain. The filetype operator limits them to a specific document format, such as PDF.
Correct Answer: site:example.com filetype:pdf
Example Code
site:careers.example.com filetype:pdf "confidential"
20. In Shodan, which filter narrows results to an organization’s owned ranges?
Difficulty: Medium | Type: MCQ | Topic: OSINT Recon
- org:"Example Corp"
- asn:AS15169
- city:"Bengaluru"
- product:"Apache"
The org filter restricts results by organization. ASN filters by autonomous system, city filters by location, product filters by software banners.
Correct Answer: org:"Example Corp"
Example Code
org:"Example Corp" port:443 http.title:"login"
21. Which DNS record is most helpful to map mail infrastructure during recon?
Difficulty: Medium | Type: MCQ | Topic: OSINT Recon
- MX records
- TXT records only
- NS records
- SOA records
MX records point to mail exchangers used for inbound email. TXT records also help for SPF and DMARC, but mail routing starts with MX.
Correct Answer: MX records
Example Code
dig MX example.com +short
22. Why do testers review robots.txt during information gathering?
Difficulty: Easy | Type: MCQ | Topic: OSINT Recon
- It may disclose hidden paths or deprecated endpoints
- It always blocks security scanners automatically
- It contains encryption keys by default
- It lists user passwords for SEO
A robots.txt file sometimes includes sensitive or obsolete paths that hint at admin or backup areas. It is a hint, not an access control.
Correct Answer: It may disclose hidden paths or deprecated endpoints
Example Code
curl -s https://example.com/robots.txt
23. Which step helps you pivot from a company name to its netblocks for scope discovery?
Difficulty: Medium | Type: MCQ | Topic: OSINT Recon
- Query WHOIS and ASN to list allocated IP ranges
- Run SMB null sessions on random hosts
- Export all browser cookies
- Crack Wi-Fi in a cafe
WHOIS and ASN data reveal ownership and address ranges. This helps map external attack surface in a lawful and structured way.
Correct Answer: Query WHOIS and ASN to list allocated IP ranges
Example Code
whois example.com
whois AS13335
24. Which tool and mode is typically used for active subdomain brute forcing?
Difficulty: Medium | Type: MCQ | Topic: OSINT Recon
- ffuf with Host header fuzzing
- theHarvester with Bing only
- Shodan with org filter
- Maltego CE default graph
ffuf can brute force virtual hosts by fuzzing the Host header or paths. Search engines are passive; graphs are visual analysis, not brute force.
Correct Answer: ffuf with Host header fuzzing
Example Code
ffuf -w subs.txt -u https://FUZZ.example.com -mc 200,301
25. What useful clues can document or image metadata reveal during OSINT?
Difficulty: Medium | Type: MCQ | Topic: OSINT Recon
- Usernames, software versions, creation times, sometimes GPS
- Hashed passwords for all employees
- Private encryption keys
- Firewall rule sets
Metadata can leak creator names, tool versions, timestamps, and geo tags that support pivoting and social engineering.
Correct Answer: Usernames, software versions, creation times, sometimes GPS
Example Code
exiftool report.pdf
exiftool image.jpg | grep GPS
26. State three ethical rules to follow during OSINT on a live company.
Difficulty: Easy | Type: Subjective | Topic: Legal Ethics
Respect scope and consent. Avoid privacy harm by collecting only what is needed. Do not attempt login or bypass controls during passive work. Document sources and timestamps so results can be verified later.
Example Code
Rules: scope_only; minimize_data; no_auth_attempts; timestamp_sources
27. Outline a quick recon playbook for a new target domain that keeps risk low.
Difficulty: Medium | Type: Subjective | Topic: Pentest Flow
Start passive: whois, DNS, subdomains from CT logs and search engines. Collect tech stack from headers and icons. Enumerate public endpoints and docs. Build an asset list and rank by exposure. Only then run safe, rate-limited active checks that were approved.
Example Code
whois target; dig ANY target; subfinder -d target; curl -I https://target; httpx -l hosts.txt -status-code -tech-detect
28. When would you choose Amass passive mode versus active mode?
Difficulty: Medium | Type: Subjective | Topic: OSINT Recon
Pick passive to avoid touching the target and to move fast using third-party sources. Choose active when you have approval to probe and want deeper coverage with brute force, alterations, and DNS resolution checks. Many teams start passive, then confirm with limited active steps.
Example Code
amass enum -passive -d example.com
amass enum -brute -active -d example.com
29. How would you safely discover corporate email patterns and related attack surface?
Difficulty: Medium | Type: Subjective | Topic: OSINT Recon
Collect naming patterns from public PDFs and social profiles. Check MX and SPF or DMARC TXT for mail providers. Do not brute force accounts. Use breach corpuses carefully and disclose only minimal evidence. The purpose is to inform risk, not to access mail.
Example Code
dig TXT example.com | grep spf
Pattern: first.last@example.com from public docs
30. What details should your recon evidence log capture so findings are reproducible?
Difficulty: Hard | Type: Subjective | Topic: Evidence
Record source link, query or command used, timestamp, scope tag, and data hash if files were saved. Note environment like resolver or VPN exit. Add reasoning on why the item matters. This lets others reproduce and verify the same result later.
Example Code
log.csv fields: time, source, query, scope_id, notes, sha256
31. Which Nmap option performs a TCP SYN or half-open scan?
Difficulty: Easy | Type: MCQ | Topic: Network Scan
SYN scan sends a SYN and reads the response without completing the handshake. It is fast and common for discovery.
Correct Answer: -sS
Example Code
nmap -sS 10.10.10.0/24
32. Why are UDP scans slower and often less reliable than TCP scans?
Difficulty: Medium | Type: MCQ | Topic: Network Scan
- Open UDP ports often send no reply so scanners must wait for timeouts
- UDP packets are bigger than TCP by default
- Routers block all UDP traffic by design
- Operating systems never implement UDP correctly
UDP services may not answer, and many hosts rate limit ICMP unreachable messages. Scans rely on timeouts and retries, which increases duration.
Correct Answer: Open UDP ports often send no reply so scanners must wait for timeouts
Example Code
sudo nmap -sU --top-ports 50 10.10.10.10
33. Which flag enables service and version detection in Nmap?
Difficulty: Easy | Type: MCQ | Topic: Network Scan
The -sV flag probes detected ports with fingerprints to identify product and version. It helps confirm real services behind ports.
Correct Answer: -sV
Example Code
nmap -sS -sV -p 22,80,443 target
34. Which Nmap option attempts remote OS fingerprinting?
Difficulty: Medium | Type: MCQ | Topic: Network Scan
The -O flag (capital letter O) turns on OS detection using TCP and ICMP probes and fingerprint matching.
Correct Answer: -O
Example Code
sudo nmap -O 10.10.10.10
35. What does Nmap’s NSE (Nmap Scripting Engine) provide?
Difficulty: Medium | Type: MCQ | Topic: Network Scan
- Extensible scripts for discovery and vuln checks
- Only packet capture features
- Kernel hardening
- Automatic exploitation by default
NSE runs Lua scripts to automate discovery, enumeration, and some vulnerability checks. It is modular, and scripts are grouped into categories.
Correct Answer: Extensible scripts for discovery and vuln checks
Example Code
nmap --script=vuln -p80,443 target
36. Which NSE category is generally safe for production scanning without causing changes?
Difficulty: Easy | Type: MCQ | Topic: Engagement Safety
- safe
- intrusive
- exploit
- brute
Scripts tagged safe aim to avoid disruptive actions. Intrusive, brute, and exploit can cause more risk and need approval.
Correct Answer: safe
Example Code
nmap --script "safe" target
37. What does Nmap’s -T4 do?
Difficulty: Medium | Type: MCQ | Topic: Network Scan
- Increases scan speed with a more aggressive timing template
- Enables traceroute for all hosts
- Runs only top 100 ports
- Disables DNS resolution
Timing templates range from -T0 to -T5. -T4 speeds up scans but may trigger controls. Use slower templates on fragile networks.
Correct Answer: Increases scan speed with a more aggressive timing template
Example Code
nmap -sS -T4 10.10.10.0/24
38. Which option disables host discovery and treats targets as online?
Difficulty: Easy | Type: MCQ | Topic: Network Scan
-Pn skips ping probes. It is useful when ping is filtered, but it will try every host, which can be slow.
Correct Answer: -Pn
Example Code
nmap -Pn -p 80,443 203.0.113.0/24
39. Which simple technique is commonly used to capture a service banner on a TCP port?
Difficulty: Medium | Type: MCQ | Topic: Network Scan
- Open a raw TCP session and read the greeting
- Send an ICMP echo request
- Run a full credentialed scan
- Only inspect DNS TXT records
Many services present a banner on connect. A quick netcat or telnet session can reveal product names and hints.
Correct Answer: Open a raw TCP session and read the greeting
Example Code
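nc -v target 25    # SMTP sends its banner on connect
nc -v target 80    # HTTP waits for a request: type "GET / HTTP/1.0" and a blank line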
40. Which NSE script family helps enumerate Windows SMB shares and users?
Difficulty: Medium | Type: MCQ | Topic: Service Enum
- smb-enum-*
- http-enum-*
- dns-brute-*
- ssl-*
Scripts like smb-enum-shares and smb-enum-users query SMB services for share lists and account info when permissions allow.
Correct Answer: smb-enum-*
Example Code
nmap -p445 --script smb-enum-shares,smb-enum-users target
41. State three precautions to keep network scans safe on production systems.
Difficulty: Easy | Type: Subjective | Topic: Scope Rules
Use an approved target list and window. Start with conservative timing like T2 or T3. Limit ports and protocols first, then expand if stable. Monitor with the owner and stop on alert.
Example Code
nmap -sS -T2 --top-ports 100 --max-retries 2 --host-timeout 30m -iL targets.txt
42. How do you speed up UDP enumeration while keeping reasonable accuracy?
Difficulty: Medium | Type: Subjective | Topic: Network Scan
Scan only high-value ports first like 53, 123, and 161. Use sudo to send proper probes. Increase parallelism gradually. Combine with service checks such as snmpwalk or dig to verify. Accept that many results will be filtered or open|filtered.
Example Code
sudo nmap -sU --top-ports 30 --defeat-icmp-ratelimit --max-retries 2 target
43. You see 80 and 443 open. What quick HTTP enumeration steps do you run?
Difficulty: Medium | Type: Subjective | Topic: Service Enum
Fetch headers and titles, detect tech, and crawl a little. Probe for robots and common paths. Note redirects and status codes. Then run focused scripts or tools if allowed.
Example Code
httpx -l hosts.txt -title -status-code -tech-detect
curl -I https://site
nikto -h https://site  # only if approved
44. You get many open ports. How do you prioritize follow-up testing?
Difficulty: Medium | Type: Subjective | Topic: Network Scan
Group by exposure and risk. First, auth surfaces like SSH, RDP, VPN, and web admin. Then legacy or risky services like SMBv1, Telnet, FTP, and outdated SSL. Check business-critical hosts next. Always validate with version detection and one proof.
Example Code
nmap -sV -p 21,22,80,139,445,3389 --script banner target
45. How do you reduce scan noise to avoid tripping rate limits and IDS while still learning enough?
Difficulty: Hard | Type: Subjective | Topic: Engagement Safety
Use smaller port sets and slower timing. Prefer host discovery first, then targeted version checks. Use safe NSE categories. Throttle concurrency. Split scans by subnet and time. Correlate with passive data to skip low-value hosts.
Example Code
nmap -sn 10.10.10.0/24
nmap -sS -p 22,80,443 -sV -T2 --max-rate 50 -iL selective_hosts.txt
46. In the OWASP Top 10 (2021), which risk jumped to A01 and is now the most common cause of serious web issues?
Difficulty: Easy | Type: MCQ | Topic: Web Security
- Broken Access Control
- Cryptographic Failures
- Injection
- Security Misconfiguration
Broken access control is number one because many apps fail to enforce ownership checks and authorization rules consistently.
Typical signs are IDOR or BOLA issues, forced browsing to admin paths, and missing server-side checks. The OWASP Top 10 page highlights why this category moved to A01 and why it maps to many CWEs across real apps.
Correct Answer: Broken Access Control
Example Code
GET /api/invoices/12345 // served without verifying the user owns 12345
47. What is the safest general defense pattern against SQL Injection in modern apps?
Difficulty: Easy | Type: MCQ | Topic: Web Security
- Use parameterized queries or ORM bindings and avoid string concatenation
- Sanitize by removing quotes only
- Block the word SELECT with a web firewall
- Store passwords with Base64 encoding
Prepared statements keep user input separate from the query plan, so the database treats it as data, not code. This is simpler and more reliable than trying to blacklist keywords.
OWASP’s SQL Injection materials stress parameterized queries, least privilege, and safe ORM patterns as primary defenses.
Correct Answer: Use parameterized queries or ORM bindings and avoid string concatenation
Example Code
db.query("SELECT * FROM users WHERE email = ?", [email])
48. Which statement correctly contrasts Reflected or Stored XSS with DOM XSS?
Difficulty: Medium | Type: MCQ | Topic: Web Security
- Reflected or Stored is injected server-side; DOM XSS happens entirely in the browser at runtime
- Both only occur server-side during template rendering
- DOM XSS only occurs with images
- Reflected XSS cannot steal session tokens
Reflected and Stored XSS involve the server adding untrusted input into HTML. DOM XSS occurs when client-side JavaScript reads attacker-controlled data and sinks it into the DOM without safe handling.
OWASP’s DOM XSS guidance explains this difference and why output encoding and safe DOM APIs matter.
Correct Answer: Reflected or Stored is injected server-side; DOM XSS happens entirely in the browser at runtime
Example Code
const q = new URLSearchParams(location.search).get('q');
result.innerHTML = q; // DOM XSS sink
49. Which example best fits OWASP A05: Security Misconfiguration?
Difficulty: Medium | Type: MCQ | Topic: Web Security
- Default admin console exposed on /admin with weak defaults
- Using prepared statements for database calls
- Hashing passwords with a strong KDF
- Returning only strict CSP and no inline scripts
Security misconfiguration covers things like verbose errors in production, open S3 buckets, default accounts, and forgotten admin panels.
The OWASP Top 10 describes this risk as common and easy to exploit when safe defaults and hardening aren’t applied.
Correct Answer: Default admin console exposed on /admin with weak defaults
Example Code
# Example: nginx shows autoindex on prod
location /backup { autoindex on; }
50. Which choice is a practical fix under A02: Cryptographic Failures?
Difficulty: Easy | Type: MCQ | Topic: Web Security
- Enforce HTTPS and HSTS, disable weak ciphers, and never log secrets
- Return stack traces to help debugging in production
- Build custom encryption instead of using libraries
- Store passwords with reversible encryption for support
Cryptographic failures are often about misusing crypto or leaking sensitive data. Use TLS everywhere, set HSTS, choose modern ciphers, and keep secrets out of logs and URLs.
OWASP’s Top 10 reframed this area from “Sensitive Data Exposure” to focus on root crypto and data handling mistakes.
Correct Answer: Enforce HTTPS and HSTS, disable weak ciphers, and never log secrets
Example Code
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
51. Under A07: Identification and Authentication Failures, which practice is most effective?
Difficulty: Medium | Type: MCQ | Topic: Auth Security
- Enforce MFA, rate-limit logins, and use secure session management
- Allow any password longer than 6 characters
- Store sessions in GET parameters
- Disable account lockout to improve UX
Modern apps should use multi factor authentication, throttle and monitor login attempts, set secure cookie flags, and rotate or revoke sessions on key events.
These are core defenses mapped in the Top 10 and WSTG authentication tests.
Correct Answer: Enforce MFA, rate-limit logins, and use secure session management
Example Code
Set-Cookie: sid=abc; HttpOnly; Secure; SameSite=Strict
52. What is the best high-level approach for A06: Vulnerable and Outdated Components?
Difficulty: Medium | Type: MCQ | Topic: Web Security
- Track SBOMs, pin versions, and patch regularly
- Rely on transitive dependencies to auto-fix
- Ignore minor version updates
- Use only private repositories
Keep an inventory of components, generate SBOMs, pin hashes, and apply timely updates. Add automated dependency scanning in CI.
OWASP puts this category in the Top 10 because unpatched libraries are an easy path to compromise.
Correct Answer: Track SBOMs, pin versions, and patch regularly
Example Code
npm ci # uses lock file
# add SCA step in pipeline
53. Which defense set most directly reduces SSRF risk (A10)?
Difficulty: Medium | Type: MCQ | Topic: Web Security
- Deny-list internal IP ranges by default, only allow explicit outbound hosts, and avoid fetching user-supplied URLs on the server
- Rely on client-side validation only
- Double URL-encode all inputs
- Add a CAPTCHA to every form
SSRF happens when the server fetches a URL that an attacker controls. Block access to internal networks and metadata services, prefer allow-lists, and move untrusted fetching to a hardened service if needed.
OWASP’s A10 page and the SSRF Prevention Cheat Sheet describe practical patterns like network egress rules and strict URL validation.
Correct Answer: Deny-list internal IP ranges by default, only allow explicit outbound hosts, and avoid fetching user-supplied URLs on the server
Example Code
ALLOWED_HOSTS = {"https://api.example-payments.com"}
// Block 169.254.169.254 and RFC1918 ranges
54. What is the goal of A09: Security Logging and Monitoring Failures?
Difficulty: Easy | Type: MCQ | Topic: Logging
- Detect and respond to attacks quickly with meaningful, tamper-resistant logs
- Log every request body forever for deep analysis
- Disable logs in production to save space
- Rely only on client-side analytics
If you cannot see attacks, you cannot respond. Log important security events, protect the logs, and alert on patterns like many failed logins or access denials.
This category emphasizes detection and response as part of web app defense.
Correct Answer: Detect and respond to attacks quickly with meaningful, tamper-resistant logs
Example Code
Log: auth_failed, ip, user, reason, request_id; alert on spikes
55. When planning a web test, which OWASP resource provides step-by-step checks for common areas like auth, input, and config?
Difficulty: Medium | Type: MCQ | Topic: Pentest Flow
- OWASP Web Security Testing Guide (WSTG)
- Only the CWE list
- Random blog posts
- Vendor press releases
WSTG is a community handbook with testing objectives, how-to steps, and references. It covers everything from mapping the app to detailed checks for input handling and authentication.
Use it as a playbook for interviews and real projects.
Correct Answer: OWASP Web Security Testing Guide (WSTG)
Example Code
WSTG sections:
- Auth testing
- Input validation
- Config and deployment
56. During manual web testing, which pair of Burp Suite tools helps you intercept and then fine-tune a single request repeatedly?
Difficulty: Medium | Type: MCQ | Topic: Burp Suite
- Proxy Intercept and Repeater
- Scanner and Sequencer
- Logger and Comparer
- Extender and Collaborator
Use Proxy Intercept to capture and edit HTTP requests in flight. Then send interesting ones to Repeater to tweak parameters and resend over and over. This is the core loop for understanding behavior and confirming issues.
The official docs describe both features and common workflows.
Correct Answer: Proxy Intercept and Repeater
Example Code
Browser → Burp Proxy (Intercept on) → Send to Repeater → Modify → Send
57. What is the most reliable mitigation for CSRF on state-changing requests?
Difficulty: Medium | Type: MCQ | Topic: Web Security
- Use same-site cookies with CSRF tokens verified server-side
- Only hide the submit button with CSS
- Use GET for all requests
- Depend solely on the Referer header
CSRF protection should not rely on headers that can be absent or altered. Combine server-verified anti-CSRF tokens with SameSite cookies and check content type and origin on risky endpoints.
These checks are detailed across WSTG and related OWASP guidance on input and session management.
Correct Answer: Use same-site cookies with CSRF tokens verified server-side
Example Code
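Set-Cookie: sid=...; SameSite=Strict // sent by the server when the session starts; SameSite is a Set-Cookie attribute
POST /transfer
Cookie: sid=...
X-CSRF-Token: e3f...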
58. Walk through a safe, step-by-step method to test for SQL Injection on a single parameter.
Difficulty: Medium | Type: Subjective | Topic: Web Security
First, pick a harmless, non-destructive endpoint and make sure testing is in scope. Start with simple input toggles to look for syntax errors or behavior changes. Try changing quotes, numbers, or order by clauses to see if the response shifts in a way that hints at database parsing.
If the app looks injectable, switch to parameterized payloads that do not damage data, like boolean conditions or time delays. Watch status codes, response size, and timing. Stop if you see instability. Finally, recommend parameterized queries and least privilege. OWASP’s WSTG has a clear checklist for this workflow.
Example Code
id=1' OR '1'='1
id=1 ORDER BY 5--
id=1 AND SLEEP(2)
59. Explain a simple strategy to reduce XSS across a front-end and back-end stack.
Difficulty: Medium | Type: Subjective | Topic: Web Security
Encode output based on context. For HTML, attribute, and JavaScript contexts, use the correct encoder. Avoid innerHTML with untrusted data. Prefer textContent or safe templating. On the server, validate and normalize input, but do not rely on filtering alone. Add a Content Security Policy to limit script execution and third-party sources.
Test with both reflected and DOM flows. Review risky sinks like eval, document.write, and innerHTML. OWASP’s XSS cheat sheets give concrete do and don’t rules you can follow.
Example Code
result.textContent = userInput; // safer than innerHTML
Content-Security-Policy: default-src 'self'
60. How would you responsibly use Burp Intruder during an interview-style exercise to test login throttling without harming users?
Difficulty: Medium | Type: Subjective | Topic: Burp Suite
Agree on a test account and a very small, slow wordlist. Set long delays between attempts and a tight maximum on requests. Watch responses for lockout, captchas, or error messages. Stop at the first sign of impact.
Burp Intruder automates customized attacks, but you control speed and scope. Pair this with clear authorization and logging to keep the test safe.
Example Code
Intruder → Sniper/Grep-Match → rate limit 1 req per sec → max 20 attempts on test_user
61. You are reviewing a new feature. What secure design checks do you do up front to avoid A04: Insecure Design?
Difficulty: Hard | Type: Subjective | Topic: Security Design
Define the trust boundaries and data flows before coding. Identify assets, roles, and abuse cases. Decide what must never happen, like cross-tenant data reads, and set server-side controls to prevent it. Add defense in depth for each critical action: validate inputs, authorize every request, and log security events.
Use the OWASP Testing Guide’s sections on modeling and deriving tests to shape these controls early. This avoids bolting on fixes later.
Example Code
Checklist: assets, roles, entry points, authZ checks, logging, rate limits, error handling
62. In API security, what does BOLA (Broken Object Level Authorization) usually look like?
Difficulty: Easy | Type: MCQ | Topic: API Security
- Users can change an ID in the request and read or edit someone else’s data
- Tokens are signed with a strong key
- The API returns only public metadata
- Clients must always send a CSRF token
BOLA happens when the server does not check ownership for each object access. If the endpoint trusts a user-supplied ID without verifying that the caller owns that object, attackers can simply swap the ID and access other users’ records.
The fix is simple in idea but hard in practice: enforce server-side authorization on every object access. Do not rely on hidden fields or client logic.
Correct Answer: Users can change an ID in the request and read or edit someone else’s data
Example Code
GET /api/orders/123 // attacker swaps to /api/orders/124
// Server must check: does caller own order 124?
63. What is Broken Object Property Level Authorization (BOPLA) in APIs?
Difficulty: Medium | Type: MCQ | Topic: API Security
- Lack of checks on sensitive properties so a user can read or change fields they should not
- Redirecting to the wrong domain
- Forcing users to rotate passwords
- Returning only sanitized error messages
BOPLA focuses on the properties inside an object. Even if a user can access the object, they may not be allowed to view or edit all fields. If the API does not validate access per field, attackers can add or modify hidden or admin-only properties by guessing their names.
Defend by using allow lists on what fields a role can read and write. Never bind request bodies to models without explicit field-level rules.
Correct Answer: Lack of checks on sensitive properties so a user can read or change fields they should not
Example Code
PATCH /api/users/me { "role": "admin" } // server must ignore or block
// Use explicit field allow lists per role
64. Which situation best describes Mass Assignment in an API?
Difficulty: Medium | Type: MCQ | Topic: API Security
- Framework auto binds JSON to a model so hidden or sensitive fields can be set by the client
- The API blocks all POST requests
- The server uses rate limits
- The response is compressed
Mass assignment is when incoming fields are mapped to object properties by default. Attackers add extra fields in the JSON body to set flags like isAdmin, isVerified, or discount. If the server does not filter fields, the change sticks.
Mitigate with allow lists for writable fields, separate DTOs from persistence models, and test by fuzzing unexpected property names.
Correct Answer: Framework auto binds JSON to a model so hidden or sensitive fields can be set by the client
Example Code
POST /api/profile { "email": "a@b.com", "isAdmin": true }
// Server must drop isAdmin and only accept allowed fields
65. What is the safest default when returning objects from an API?
Difficulty: Easy | Type: MCQ | Topic: API Security
- Return a minimal, role based projection and never the entire database model
- Return the full object for convenience
- Return the model plus debug fields
- Return fields based on client request only
Many leaks happen because APIs serialize entire objects. This can expose internal IDs, flags, and private data. A better pattern is to map data to a view model for each role and endpoint. Only include what a given caller needs.
This also makes change control easier. New internal fields do not leak by accident because the projection is explicit.
Correct Answer: Return a minimal, role based projection and never the entire database model
Example Code
// Good: map to view
{ "id": 123, "name": "Ana", "plan": "pro" }
66. What is a solid baseline for API authentication?
Difficulty: Medium | Type: MCQ | Topic: Auth Security
- Short lived access tokens, refresh tokens with rotation, and TLS everywhere
- Only long lived static tokens
- Plain session IDs in query strings
- Client IP allow list only
Short-lived access tokens reduce blast radius. Refresh tokens allow smooth re-auth. Rotation means every refresh returns a new token and invalidates the old one. This limits reuse if a token is stolen. Always use HTTPS so tokens are not exposed in transit.
Also add device binding or sender constraint if possible, and store tokens securely on the client.
Correct Answer: Short lived access tokens, refresh tokens with rotation, and TLS everywhere
Example Code
POST /oauth/token { grant_type: refresh_token, refresh_token: <old> }
// Server returns new access token and new refresh token
67. Which JWT practice is most important for API safety?
Difficulty: Medium | Type: MCQ | Topic: Auth Security
- Verify signature and issuer, check expiration, and enforce an allow list of algorithms
- Trust the payload if it decodes without error
- Store JWTs in localStorage and also send in URL
- Use the none algorithm to speed up verification
A JWT is only useful if you verify it correctly. Check the signature with the correct key from the trusted issuer. Confirm the audience, issuer, and time-based claims. Reject tokens with unexpected alg values. Do not accept unsigned tokens.
Keep tokens short-lived. Rotate signing keys with a JWKS endpoint when possible.
Correct Answer: Verify signature and issuer, check expiration, and enforce an allow list of algorithms
Example Code
verify(jwt, { issuer: 'https://auth.example', audience: 'api', algorithms: ['RS256'] })
68. Why do APIs need rate limiting and abuse controls?
Difficulty: Easy | Type: MCQ | Topic: API Security
- To slow down credential stuffing, scraping, and resource exhaustion attacks
- To remove the need for authentication
- To speed up all responses
- To hide error messages
Rate limits, bursts, and quotas protect both users and systems. They make brute force and automation expensive and noisy. Pair them with lockouts, IP reputation, and user-specific limits for stronger defense.
Always communicate limits in headers so clients can handle retries gracefully.
Correct Answer: To slow down credential stuffing, scraping, and resource exhaustion attacks
Example Code
HTTP/1.1 200 OK
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 42
Retry-After: 60
69. Which CORS configuration is safest for private APIs used by your web app?
Difficulty: Medium | Type: MCQ | Topic: API Security
- Use an allow list of known origins and do not use wildcard with credentials
- Set Access-Control-Allow-Origin: * and Allow-Credentials: true
- Allow all methods and headers for everyone
- Disable preflight requests
CORS controls which browser origins can read responses. For private data, specify exact origins you trust and require credentials only when needed. The wildcard with credentials is not allowed and would be unsafe even if it worked.
Remember, CORS is a browser control. It is not an auth or firewall replacement.
Correct Answer: Use an allow list of known origins and do not use wildcard with credentials
Example Code
Access-Control-Allow-Origin: https://app.example
Access-Control-Allow-Credentials: true
70. Which error handling approach is best for APIs?
Difficulty: Easy | Type: MCQ | Topic: Web Security
- Return clear codes with generic messages and unique IDs, hide stack traces
- Return full stack traces to help clients debug production issues
- Return 200 OK for all errors to avoid alerts
- Silently drop invalid requests
Helpful errors do not have to leak internals. Use standard status codes, give a short human message, and include a correlation ID. Log the detailed stack trace on the server side. This helps incident response without helping attackers.
Consistent error shapes also make client code more robust.
Correct Answer: Return clear codes with generic messages and unique IDs, hide stack traces
Example Code
{ "error": "invalid_input", "message": "Check fields.", "traceId": "b3f9..." }
71. Explain a safe, step-by-step API hacking workflow you would follow on a new target.
Difficulty: Medium | Type: Subjective | Topic: Pentest Flow
First, map the surface. List hosts, versions, and documented endpoints. Capture requests from a proxy and save example calls. Keep this passive and read-only at the start.
Next, probe with low-risk checks: auth required, role rules, and object access. Try simple ID swaps to check for BOLA. Then review responses for extra fields and attempt property fuzzing to check for BOPLA or mass assignment. Finish with rate limit tests and error handling checks. Always stay within scope and use a test account.
Example Code
1) Map endpoints
2) Check auth and roles
3) ID swap
4) Field fuzz
5) Rate limits
6) Error model
72. How would you design token storage and rotation for a single page app and API?
Difficulty: Medium | Type: Subjective | Topic: Auth Security
Keep access tokens short-lived. Store them in memory, not in URL or localStorage if you can avoid it. Use refresh tokens with rotation on a secure path that uses SameSite cookies. Each refresh returns a new refresh token and invalidates the old one.
Bind tokens to the client context where possible, log refresh events, and revoke on logout or suspicion. This balances user experience with safety.
Example Code
Access: 5–15 min
Refresh: httpOnly, SameSite, rotated on use
Revoke: server side blacklist or version field
73. You must prevent mass assignment across many endpoints. What practical pattern would you apply?
Difficulty: Medium | Type: Subjective | Topic: API Security
Create a request DTO that lists only allowed fields per role and endpoint. Validate and strip unknown fields before mapping to the model. Keep the mapping explicit and unit test it. This way, even if the database model adds new columns, they are not exposed automatically.
Review logs for blocked fields to spot probing. Document the allowed fields so both devs and testers know the contract.
Example Code
const allowed = pick(req.body, ['email','displayName']);
updateUser(userId, allowed);
74. How can an API gateway help reduce risk without hiding bugs?
Difficulty: Medium | Type: Subjective | Topic: API Security
A gateway centralizes cross-cutting controls: rate limits, authentication, TLS, request size caps, and basic schema checks. This reduces noise and protects fragile services. But it should not replace service-side authorization and validation.
Keep business rules inside the service so each call is still checked properly. The gateway handles the front door; the service enforces the house rules.
Example Code
Gateway: authn, DDoS shield, size limits
Service: authZ, field rules, business logic
75. During testing you find sensitive data in responses. What is the right way to handle evidence and disclosure?
Difficulty: Hard | Type: Subjective | Topic: API Security
Stop and minimize exposure. Save only the smallest proof that shows the risk, and redact anything not needed. Use a secure vault for evidence with access logs. Note exact time, request, and response so the team can reproduce.
Report quickly to the authorized contact, explain the impact in plain words, and propose a short-term containment like response filtering while a proper fix is built.
Example Code
Evidence log fields: time, endpoint, user role, request id, minimal redacted sample
76. What is a safe way to test rate limiting on a production API during an engagement?
Difficulty: Medium | Type: MCQ | Topic: API Security
- Use a small, agreed request pattern with long delays and a test account
- Blast thousands of requests at once to find the ceiling fast
- Change the client IP every second to avoid blocks
- Disable logging to reduce noise
Abuse tests can harm real users if not controlled. Agree on a test path and identity. Start with very low volume and watch behavior. Increase slowly only if owners approve.
Capture headers like Retry After and document how the API signals limits to clients.
Correct Answer: Use a small, agreed request pattern with long delays and a test account
Example Code
for i in {1..20}; do curl -s -o /dev/null -w "%{http_code}\n" https://api/test; sleep 2; done
77. Why is strict schema validation important for APIs?
Difficulty: Medium | Type: MCQ | Topic: API Security
- It rejects unexpected types and fields early, stopping many injection and logic bugs
- It makes the JSON prettier
- It hides endpoints from attackers
- It replaces authentication
Strong validation is a cheap shield. If you only accept known fields with the right types and ranges, many attacks never reach business logic. This also simplifies logging and analytics because inputs are predictable.
Use the same schemas for docs, tests, and enforcement so drift does not creep in.
Correct Answer: It rejects unexpected types and fields early, stopping many injection and logic bugs
Example Code
POST /users { email: string, name: string } // extra fields rejected
// Implement with JSON Schema or framework validators
78. What is an exploit chain in ethical hacking?
Difficulty: Easy | Type: MCQ | Topic: Exploitation
- A linked series of weaknesses used together to reach a bigger goal
- A list of random bugs with no relation
- A chain of encryption keys for TLS
- A firewall rule set
Think of it like dominos. One low-impact issue opens the door to the next issue, and so on. For example, info leak gives a secret, which lets you bypass auth, which then exposes an admin panel. Chaining small findings is how real attacks are built, so always ask, what does this enable next?
Correct Answer: A linked series of weaknesses used together to reach a bigger goal
Example Code
Example chain: info leak → weak token → admin panel → file upload → RCE
79. Before running any exploit PoC on a client system, what is the safest first step?
Difficulty: Easy | Type: MCQ | Topic: Engagement Safety
- Confirm written authorization, scope, and a rollback plan with an owner on standby
- Run the PoC quietly and tell the owner later
- Disable endpoint protection to avoid noise
- Force a reboot to clear memory
Never fire a PoC without clear permission, timing, and contingency steps. Get the owner ready, understand the impact, and know how to undo changes. Safe execution keeps trust and prevents outages.
Correct Answer: Confirm written authorization, scope, and a rollback plan with an owner on standby
Example Code
Plan: scope_ok=true; window=approved; owner_on_call; revert_steps=ready
80. Which symptom most strongly suggests server-side command injection?
Difficulty: Medium | Type: MCQ | Topic: Web Security
- Input with shell metacharacters changes response time or output
- A client-side alert box appears
- The page loads a large image
- The CSS fails to load
If adding characters like semicolon or pipe alters server behavior, you may be hitting the shell. Ethical tests use safe, low-impact checks like time delay or harmless commands. Stop at proof and avoid destructive actions.
Correct Answer: Input with shell metacharacters changes response time or output
Example Code
name=ana; echo test // look for the word test in the response or timing change
81. What makes unsafe deserialization so dangerous?
Difficulty: Medium | Type: MCQ | Topic: Web Security
- Untrusted data is turned into live objects that may run gadget code
- It only affects images
- It can be fixed by minifying JavaScript
- It happens only on mobile apps
If a server deserializes data from the user without strict checks, attacker-controlled objects can trigger dangerous code paths. Safer designs use signed tokens, strict formats like JSON with schema checks, or a deny-by-default type binder.
Correct Answer: Untrusted data is turned into live objects that may run gadget code
Example Code
Safer plan: JSON + schema validate → map to DTO → business object
82. Which control set best reduces malicious file-upload risk?
Difficulty: Medium | Type: MCQ | Topic: Web Security
- Allowlist MIME and extension, verify magic bytes, store outside web root, and use random names
- Check only the file extension
- Rename files to .txt and keep in /public
- Rely on client-side validation
Strong upload defense is layered. Validate type and content, never execute uploads, and isolate storage from direct web access. Scan files server-side and serve via a download endpoint, not straight from disk.
Correct Answer: Allowlist MIME and extension, verify magic bytes, store outside web root, and use random names
Example Code
accept: ['.jpg','.png'] + magic bytes check → store /data/blobs → GET /download/:id
83. Which input most clearly indicates a path traversal attempt?
Difficulty: Easy | Type: MCQ | Topic: Web Security
- ../etc/passwd
- /about
- index.html
- style.css
Dot dot slashes try to walk out of the intended folder. Servers should normalize paths, drop dot segments, and restrict to an allowlisted base directory. Never concatenate raw user paths to filesystem calls.
Correct Answer: ../etc/passwd
Example Code
safePath = join(BASE, normalize(userPath)); assert(safePath.startsWith(BASE + sep)) // trailing separator so a sibling like /base-other does not pass as /base
84. What is the difference between LFI and RFI?
Difficulty: Medium | Type: MCQ | Topic: Web Security
- LFI reads local server files; RFI pulls a remote resource to the server
- They are the same attack
- LFI only affects images; RFI only affects videos
- RFI reads local server files; LFI pulls a remote resource
Local File Inclusion stays within the host, like reading logs or config files. Remote File Inclusion lets the server fetch and sometimes execute remote content. Tight include logic and allowlists prevent both.
Correct Answer: LFI reads local server files; RFI pulls a remote resource to the server
Example Code
LFI probe: ?page=../../../../var/log/app.log
85. How do Remote Code Execution and Local Privilege Escalation differ?
Difficulty: Easy | Type: MCQ | Topic: Exploitation
- RCE runs code on a target system; LPE raises rights on a system you already control
- RCE only changes CSS; LPE changes HTML
- Both are only client-side
- LPE runs code remotely; RCE raises local privileges
RCE gets you a foothold. LPE turns a low-privilege foothold into admin. In real work, attackers often do both: first land code, then escalate to broaden impact.
Correct Answer: RCE runs code on a target system; LPE raises rights on a system you already control
Example Code
Flow: foothold (RCE) → enumerate → privilege escalation (LPE)
86. What is black-box fuzzing during exploitation discovery?
Difficulty: Medium | Type: MCQ | Topic: Exploitation
- Sending many varied inputs without knowing the code, watching for crashes or odd behavior
- Reading source code to craft exact payloads
- Patching binaries to add logging
- Manually editing every request once
You treat the app as a black box. You mutate inputs, feed edge cases, and observe responses and timing. It is a fast way to spot weak parsing and boundary bugs before deeper analysis.
Correct Answer: Sending many varied inputs without knowing the code, watching for crashes or odd behavior
Example Code
ffuf -w params.txt -u https://app/item?FUZZ=1 -mc 200,500 -t 5
87. You found a likely command injection. Describe a safe proof approach that avoids harm.
Difficulty: Medium | Type: Subjective | Topic: Engagement Safety
First, confirm scope and the approved window. Use a dedicated test account or non-production path if possible. Start with a harmless probe that changes only the response, like echoing a token or adding a very small time delay. Do not read sensitive files, do not spawn shells, and do not change system state.
Capture the exact request and response as evidence. Stop after minimal proof. Share impact, fix, and reproduction notes with the owner. Your goal is to prove risk, not to maximize it.
Example Code
color=blue; echo SAFE_TOKEN_123 // look for SAFE_TOKEN_123 in response or logs
88. Before running a public PoC exploit from the internet, what checklist should you follow?
Difficulty: Medium | Type: Subjective | Topic: Engagement Safety
Verify written permission, scope, and the exact target list. Read the PoC code to understand actions and defaults. Test it in a lab first. Set rate limits and timeouts. Get a rollback plan and backups ready. Have the system owner and monitoring team on standby. Log everything you do and stop at first sign of instability.
Never run unknown binaries. Prefer reviewed source, and remove any destructive steps. Proof should be minimal and reversible.
Example Code
Checklist: scope ✔ lab test ✔ owner on-call ✔ backup ✔ revert steps ✔ logging ✔
89. You have a low-privilege shell on Linux in scope. How do you approach ethical privilege escalation?
Difficulty: Medium | Type: Subjective | Topic: Priv Esc
Enumerate first. Check who you are, groups, sudo policy, kernel and OS, running services, cron jobs, SUID files, writable paths, and environment variables. Look for weak file permissions and leaked secrets in configs or history. Avoid noisy actions. If a path looks risky, pause and seek approval before trying it.
Document commands and outputs. If you gain higher rights, place a harmless marker file as proof and help the owner validate fixes after the test.
Example Code
id; uname -a; sudo -l; ls -la /etc/cron.*; find / -perm -4000 -type f 2>/dev/null
90. A site allows file uploads. Explain a safe way to test whether uploads could lead to code execution.
Difficulty: Hard | Type: Subjective | Topic: Web Security
Start by reviewing server responses and storage paths. Try only benign file types first. Check if uploads are served back from a public path. If you suspect execution, ask for explicit approval before attempting any dynamic file. Use a harmless marker file to see if the server interprets it or just stores it. Never attempt dangerous payloads without written consent, and never overwrite existing files.
If risk is confirmed, recommend strong controls: strict allowlist, magic-byte checks, storage outside web root, and a download proxy.
Example Code
1) Upload benign.jpg → fetch via random URL
2) Verify no execution, only download behavior
3) Report evidence and propose controls
91. How do you safely prove a blind vulnerability like blind command injection or blind SQL injection?
Difficulty: Hard | Type: Subjective | Topic: Engagement Safety
Use out-of-band or timing-based signals that do not touch sensitive data. For timing, use a tiny, bounded delay and run it once. For out-of-band, use a controlled collaborator endpoint to receive a single DNS ping. Keep the probe minimal, log the exact time, and stop after you observe the signal.
Share the smallest proof that demonstrates control, then focus on fixes. Avoid extra trials in production.
Example Code
Timing probe: add a two-second delay once and measure response time
OOB probe: resolve unique token.your-listener.example once
92. You have multiple medium findings. Which one should you try to chain first for highest impact?
Difficulty: Medium | Type: MCQ | Topic: Risk Rating
- The one that gives identity control or admin context
- The one with the prettiest UI issue
- The one that needs the most tooling
- The one that changes only CSS
Identity is a force multiplier. If a bug lets you act as another user or role, it can unlock panels, endpoints, and data that amplify impact. Start where access level jumps, then chain to sensitive actions.
Correct Answer: The one that gives identity control or admin context
Example Code
Priority: auth bypass → admin → sensitive actions → data impact
93. What best describes credential stuffing compared to brute force?
Difficulty: Easy | Type: MCQ | Topic: Password Attacks
- Stuffing reuses known username and password pairs from breaches; brute force guesses new passwords
- Stuffing guesses a password pattern; brute force reuses breach lists
- They are identical
- Stuffing only targets admin accounts
Credential stuffing is about replaying real pairs from past leaks. Brute force is about trying many guesses that the victim never used elsewhere. Defenses differ. For stuffing, use breach checks, rate limits, and multi-factor. For brute force, use password policies and throttling.
Correct Answer: Stuffing reuses known username and password pairs from breaches; brute force guesses new passwords
Example Code
Defend: MFA + rate limit + breached-password check
94. What is password spraying?
Difficulty: Easy | Type: MCQ | Topic: Password Attacks
- Trying one or two common passwords across many users to avoid lockout
- Trying thousands of passwords on one user
- Resetting passwords through helpdesk
- Guessing security questions only
Spraying spreads attempts over many accounts. This dodges lockouts and alert thresholds. Good defenses are multi-factor, unique password rules, alerts on many distinct users failing once, and smart lockout with delay.
Correct Answer: Trying one or two common passwords across many users to avoid lockout
Example Code
Detect: many users fail once with the same user agent or source
95. Which is a modern, memory-hard password hashing function that is recommended for new systems?
Difficulty: Medium | Type: MCQ | Topic: Password Attacks
Argon2id is designed to be slow and memory-hard. That means attacks on GPUs and ASICs are more expensive. Bcrypt and scrypt are also strong. MD5, SHA-1, and NTLM are fast and weak for password storage.
Correct Answer: Argon2id
Example Code
Argon2id params: memory=64–256 MB; iterations=2–4; parallelism>=1
96. Why do we add a unique salt to each stored password hash?
Difficulty: Easy | Type: MCQ | Topic: Password Attacks
- To stop rainbow table reuse and make each hash unique even for the same password
- To speed up verification
- To encrypt the database
- To allow password sharing
A per-user salt makes identical passwords hash to different values. That kills precomputed tables and cross-user comparisons. It does not replace a slow hash. You still need bcrypt, scrypt, or Argon2id.
Correct Answer: To stop rainbow table reuse and make each hash unique even for the same password
Example Code
store: user, salt, argon2id_hash(salt + password)
97. What is a pepper in password storage?
Difficulty: Medium | Type: MCQ | Topic: Password Attacks
- A secret value stored outside the database and mixed into hashing
- A public salt stored with the hash
- A way to reset passwords
- An MFA device
A pepper is a server-side secret. Even if the database is dumped, the attacker cannot verify guesses without the pepper. Keep the pepper in a key manager, not next to the hashes.
Correct Answer: A secret value stored outside the database and mixed into hashing
Example Code
hash = argon2id(salt || password || PEPPER_SECRET)
98. What does Kerberoasting target in Active Directory?
Difficulty: Medium | Type: MCQ | Topic: AD Attacks
- Service account TGS tickets encrypted with the service account password hash
- User cookies in browsers
- VPN pre shared keys
- TLS private keys
The idea is simple. Ask for a ticket for a service principal name. You get a blob that is crackable offline. If the service account has a weak password, the hash falls. Defend with strong, random service account passwords and managed service accounts.
Correct Answer: Service account TGS tickets encrypted with the service account password hash
Example Code
Ethical test: request TGS for SPN; crack offline with limited, approved rules
99. What is the difference between NTLM relay and pass the hash?
Difficulty: Medium | Type: MCQ | Topic: AD Attacks
- Relay forwards a live authentication to another service; pass the hash uses a captured hash to authenticate directly
- They are the same
- Relay only works on Linux; pass the hash only on macOS
- Pass the hash needs the user’s plaintext password; relay does not
In relay, the attacker sits in the middle and forwards the handshake to a target. In pass the hash, the attacker uses the NTLM hash as if it were the password. SMB signing, LDAP signing, and Kerberos-only authentication help reduce both risks.
Correct Answer: Relay forwards a live authentication to another service; pass the hash uses a captured hash to authenticate directly
Example Code
Mitigate: enforce SMB signing; restrict delegation; use Kerberos where possible
100. Which MFA option is the most resistant to phishing proxies?
Difficulty: Medium | Type: MCQ | Topic: Auth Security
- FIDO2 or WebAuthn hardware keys
- One time codes over SMS only
- TOTP copied from an app
- Email based magic links with no device binding
FIDO2 uses origin-bound cryptography. The key checks the real site and signs a challenge. Proxy pages cannot replay it easily. TOTP and SMS can be fooled by real-time phishing.
Correct Answer: FIDO2 or WebAuthn hardware keys
Example Code
Policy: prefer platform authenticator or roaming key; fall back to TOTP only if needed
101. What is a safer alternative to strict account lockout after a few failures?
Difficulty: Easy | Type: MCQ | Topic: Auth Security
- Progressive delays and soft lockouts that rate limit the attacker but keep the user moving
- No limits at all
- Permanent lock after three failures
- Showing the correct password hint
Hard lockouts create easy denial of service. Progressive delays, captchas after risk checks, and alerts make attacks slower while keeping real users able to sign in.
Correct Answer: Progressive delays and soft lockouts that rate limit the attacker but keep the user moving
Example Code
Backoff: 1s, 2s, 4s…; captcha after risk score; notify user on spikes
102. You received password hashes during an approved engagement. Outline an ethical cracking workflow.
Difficulty: Medium | Type: Subjective | Topic: Password Attacks
First, verify scope, storage rules, and the allowed time budget. Identify the hash type. Then start with a strong wordlist and a few proven rules. Move to masks for company patterns, like season plus year. Keep logs of every attempt. Stop when you reach the agreed limit. Report cracked samples with redaction and immediately rotate or reset them with the owner. The goal is to measure risk, not to collect secrets.
Example Code
hashcat -m 1000 hashes.txt rockyou.txt -r rules/best64.rule
hashcat -m 3200 -a 3 hashes.txt ?l?l?l?l?l?d?d
103. Design a modern password policy that balances security and usability.
Difficulty: Medium | Type: Subjective | Topic: Scope Rules
Prefer length over weird complexity. Allow passphrases. Block known breached passwords with a deny list. Require unique passwords per system. Encourage a password manager. Pair with strong multi factor. Remove forced frequent resets; do resets only after risk events. Give clear feedback at signup and show the user if the choice is in a breach corpus.
Example Code
Rules: min 12 chars; no frequent expiry; breach check; allow spaces; manager recommended; MFA required
104. How would you detect stuffing or spraying in authentication logs?
Difficulty: Medium | Type: Subjective | Topic: Logging
Look for many usernames failing once or twice from the same source or network. Look for a single username failing many times from many sources. Track user agent reuse. Watch for spikes in failures around shift changes or campaigns. Correlate with registration and password reset flows. Add a simple rule that flags the same password guess across many accounts.
Example Code
Detect: group by src_ip, username, hour; alert on wide but shallow failure pattern
105. After a password reset, what session hygiene steps should the app enforce?
Difficulty: Easy | Type: Subjective | Topic: Auth Security
Revoke all old sessions and tokens. Rotate refresh tokens. Invalidate magic links. Ask the user to sign in again on all devices. Notify the user by email or push so they can spot abuse. Log the event with a trace id so support can help quickly.
Example Code
onPasswordChange: revokeAllSessions(userId); rotateTokens(userId); sendSecurityNotice(userId)
106. Which mistake can lead to an OAuth or OIDC login bypass?
Difficulty: Medium | Type: MCQ | Topic: Auth Security
- Not validating the token audience, issuer, and nonce
- Using HTTPS for redirects
- Using short lived codes
- Using PKCE for public clients
If the client trusts any token that decodes, an attacker can use a token from a different app or a different identity provider. Always check issuer, audience, expiration, and the nonce for implicit and hybrid flows.
Correct Answer: Not validating the token audience, issuer, and nonce
Example Code
verify(id_token, { issuer, audience, nonce, exp })
107. A company relies on one time codes. Propose a phased path toward phishing resistant auth.
Difficulty: Hard | Type: Subjective | Topic: Auth Security
Start by enforcing multi factor everywhere. Add number matching or device binding to cut push fatigue. Next, introduce WebAuthn for admins and high risk roles. Roll out platform authenticators on managed devices. Finally, default everyone to FIDO keys with passkeys as a friendly option. Keep backup codes safe and train users on lost device recovery. Measure success by drop in successful phishing and by user satisfaction.
Example Code
Phase 1: MFA everywhere
Phase 2: push number matching
Phase 3: WebAuthn for admins
Phase 4: org wide passkeys
108. After you gain an initial shell, what should you do first?
Difficulty: Easy | Type: MCQ | Topic: Engagement Safety
- Establish situational awareness and verify scope
- Immediately run privilege escalation exploits
- Start exfiltrating large datasets
- Disable antivirus to avoid alerts
Slow down and learn where you are. Confirm the host is in scope, note user, hostname, OS, network, and controls. This keeps the test safe and guides next steps.
Correct Answer: Establish situational awareness and verify scope
Example Code
whoami && hostname && ipconfig /all # Windows
whoami && hostname && ip a # Linux
109. Which is a safe, ethical principle for privilege escalation during tests?
Difficulty: Medium | Type: MCQ | Topic: Priv Esc
- Prove the path with minimal impact and stop at the first clear evidence
- Keep trying until the server crashes
- Install permanent rootkits to be sure
- Use any public exploit without review
Show that escalation is possible using the smallest, reversible action. Do not chase full control if a light proof already demonstrates risk.
Correct Answer: Prove the path with minimal impact and stop at the first clear evidence
Example Code
Proof file: echo POC_ONLY > /tmp/READ_ME_POC
110. What is the most responsible way to handle discovered credentials post-exploitation?
Difficulty: Medium | Type: MCQ | Topic: Auth Security
- Use only approved test accounts and handle any live creds as sensitive evidence
- Try them everywhere to see what breaks
- Paste them in chat for the whole team
- Ignore them entirely
Credentials are sensitive. Minimize viewing, store proofs securely, and limit any use to agreed test accounts or steps in scope.
Correct Answer: Use only approved test accounts and handle any live creds as sensitive evidence
Example Code
evidence.log: time, source, redacted_credential_hash, scope_id
111. Which describes lateral movement?
Difficulty: Medium | Type: MCQ | Topic: Post Exploit
- Moving from one compromised host to another to expand access
- Escalating privileges on the same host only
- Changing DNS records publicly
- Scanning the internet randomly
After a foothold, attackers pivot to new systems to reach targets. Ethical tests simulate this step with permissions and approvals in place.
Correct Answer: Moving from one compromised host to another to expand access
Example Code
Map paths: host A → share on host B → service token → host C
112. What is network pivoting in post-exploitation?
Difficulty: Medium | Type: MCQ | Topic: Post Exploit
- Routing or proxying traffic through a compromised host to reach internal assets
- Changing the default gateway on routers
- Switching to a different ISP
- Only scanning UDP ports
A pivot lets you access subnets not directly reachable from your machine. Use approved, low-impact tunnels and keep bandwidth small.
Correct Answer: Routing or proxying traffic through a compromised host to reach internal assets
Example Code
ssh -L 8080:10.0.2.10:80 tester@pivot # local port-forward
113. Which action improves tester OPSEC during post-exploitation?
Difficulty: Easy | Type: MCQ | Topic: OPSEC
- Use unique test artifacts and clear them during cleanup
- Run tools from random temp folders without notes
- Share one admin account across the team
- Disable logging to move quietly
Tag artifacts clearly, keep timestamps, and remove them at the end. Never weaken defenses. Good OPSEC is about traceability and minimal footprint.
Correct Answer: Use unique test artifacts and clear them during cleanup
Example Code
touch /tmp/POC_<ticket_id>; rm /tmp/POC_<ticket_id> # on close
114. “Living off the land” means what in post-exploitation?
Difficulty: Medium | Type: MCQ | Topic: Post Exploit
- Using built-in tools already on the system to reduce new artifacts
- Compiling custom kernels for every host
- Turning off built-in logging
- Copying gigabytes of tools to each server
Built-in commands like PowerShell, WMIC, net, bash, or curl can help you enumerate with less friction. Use them ethically and only as scoped.
Correct Answer: Using built-in tools already on the system to reduce new artifacts
Example Code
Windows: whoami; ipconfig; net use
Linux: id; ip r; ss -tuna
115. If you must demonstrate data exposure, what is the safest approach?
Difficulty: Medium | Type: MCQ | Topic: Post Exploit
- Collect the minimum sample with redaction and never bulk-download
- Mirror the whole database to analyze later
- Zip all home directories for review
- Email raw dumps to yourself
Proof should be minimal. Redact sensitive fields, store securely, and coordinate with owners. Massive copies increase risk and are unnecessary.
Correct Answer: Collect the minimum sample with redaction and never bulk-download
Example Code
SELECT id, LEFT(email,3)||'**' AS redacted FROM customers LIMIT 3
116. What is proper cleanup at the end of post-exploitation?
Difficulty: Easy | Type: MCQ | Topic: Post Exploit
- Remove test users, keys, files, tunnels, and restore any changed settings
- Leave artifacts for future testers
- Keep a backdoor for next time
- Only delete logs
Return systems to their original state. Validate with the owner. Document what was removed and provide verification steps.
Correct Answer: Remove test users, keys, files, tunnels, and restore any changed settings
Example Code
userdel pentest; rm /tmp/POC_; revoke test key; stop forwarding
117. You have a low-privilege shell. Outline a quick, low-risk host enumeration workflow.
Difficulty: Medium | Type: Subjective | Topic: Service Enum
Confirm identity and host details. List users, groups, scheduled tasks, running services, and listening ports. Check patch level and installed software. Look for misconfigurations like writable service paths or weak permissions. Keep commands read-only when possible and avoid heavy scripts. Take notes with timestamps so others can replay your steps.
Example Code
Windows: whoami /all; systeminfo; tasklist; netstat -abno
Linux: id; uname -a; ps aux; ss -tuna; crontab -l
118. Describe a safe plan to pivot from a foothold host to reach a database in an internal subnet.
Difficulty: Medium | Type: Subjective | Topic: Post Exploit
First, map routes and confirm the database and subnet are in scope. Choose a simple, reversible tunnel like SSH local or SOCKS through the foothold. Limit ports and bandwidth. Authenticate with a test account. Log start and stop times. When done, close the tunnel and confirm no processes are left behind. Share exact commands and evidence so the owner can verify.
Example Code
ssh -N -L 5432:10.0.2.25:5432 tester@foothold # then connect to localhost:5432
119. On Windows, how do you ethically check for credential exposure without dumping sensitive data?
Difficulty: Medium | Type: Subjective | Topic: AD Attacks
Focus on configuration and risk signals, not secrets. Check for exposed shares, weak local admin reuse, and service accounts with high privileges. Review LSA protections, credential guard settings, and RDP restrictions. If a live dump is approved, use vetted enterprise tooling with masking and collect the smallest possible proof. Share remediation like unique local admin passwords and tiered admin accounts.
Example Code
whoami /groups; net localgroup administrators; reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa
120. A blue team asks you to demonstrate one persistence vector safely. What do you do?
Difficulty: Hard | Type: Subjective | Topic: Post Exploit
Pick a low-impact, reversible method that is already approved, such as creating a disabled test user or a scheduled task that writes a harmless marker file. Document every step, set a short lifetime, and remove it during the same window. The goal is to help defenders validate detections, not to hide access.
Example Code
Windows demo: schtasks /Create /SC ONCE /TN POC_Task /TR "cmd /c echo POC> C:\POC.txt" /ST 23:00
Cleanup: schtasks /Delete /TN POC_Task /F; del C:\POC.txt
121. How do you communicate during post-exploitation to keep risk low and value high?
Difficulty: Easy | Type: Subjective | Topic: Engagement Safety
Use the agreed channel. Share intent before big steps. Provide timestamps, hostnames, and expected impact. If anything looks unstable, stop and alert the owner. After each milestone, summarize findings, proof, and suggested fixes in plain language. Clear, timely notes help operations stay confident and responsive.
Example Code
Update format: time, host, action, expected effect, rollback, status
122. What makes a strong post-exploitation proof in your report?
Difficulty: Medium | Type: MCQ | Topic: Reporting
- Minimal reproducible steps, redacted evidence, clear business impact, and safe cleanup notes
- A long list of tool outputs with no context
- Screenshots only with no commands
- Raw logs copied into an appendix
Good proof is short and verifiable. It shows exactly how to reproduce, why it matters, and how to clean up. It avoids sensitive data when possible and keeps the focus on risk and fix.
Correct Answer: Minimal reproducible steps, redacted evidence, clear business impact, and safe cleanup notes
Example Code
Report block: Steps 1–3 → Evidence (redacted) → Impact → Remediation → Validation
123. What is the main goal of segmentation testing in an ethical hack?
Difficulty: Easy | Type: MCQ | Topic: Network Defense
- Verify that sensitive zones cannot be reached from less-trusted networks
- Measure Wi-Fi signal strength in the lobby
- Count how many switches are in the rack
- Tune quality of service for video calls
Segmentation testing checks that boundaries hold. Guest, user, server, and admin networks should be isolated. If a low-trust zone can touch a crown-jewel host or port, that is a high-risk finding.
Correct Answer: Verify that sensitive zones cannot be reached from less-trusted networks
Example Code
From guest → attempt TCP 1433 to DB
Expected: blocked
Observed: blocked or allowed → report
124. Which statement about VLANs is accurate in the context of security?
Difficulty: Medium | Type: MCQ | Topic: Network Defense
- VLANs provide logical separation but still rely on proper L3 and ACL controls
- VLANs encrypt traffic between ports by default
- VLANs prevent all broadcast traffic
- VLANs replace the need for firewalls
VLANs segment at layer two. Security enforcement still needs layer three routing, ACLs, and firewall policy. Do not treat VLAN tags as a full security boundary without controls.
Correct Answer: VLANs provide logical separation but still rely on proper L3 and ACL controls
Example Code
Policy: VLAN10(user) ↔ VLAN30(db) = deny by default; allow only app ports
125. What is the safest default firewall policy between network zones?
Difficulty: Easy | Type: MCQ | Topic: Network Defense
- Deny by default, allow only required ports and destinations
- Allow all by default, block if issues arise
- Mirror rules from production to guest
- Open all outbound traffic
Start closed, then open only what the business needs. This limits lateral movement and reduces blast radius when a host is compromised.
Correct Answer: Deny by default, allow only required ports and destinations
Example Code
Default: drop; Allow: tcp 443 to updates.example only
126. Which network feature best helps reduce ARP spoofing risk on switches?
Difficulty: Medium | Type: MCQ | Topic: MITM
- Dynamic ARP inspection with DHCP snooping
- Port mirroring
- Auto-MDIX
- Link aggregation
Dynamic ARP inspection checks ARP packets against trusted DHCP bindings. Combined with DHCP snooping and port security, it helps prevent simple spoofing on access segments.
Correct Answer: Dynamic ARP inspection with DHCP snooping
Example Code
Enable: dhcp snooping (trusted uplinks) → dynamic arp inspection on access
127. Which SNMP configuration is safest for modern networks?
Difficulty: Medium | Type: MCQ | Topic: Service Enum
- SNMPv3 with auth and privacy, limit to management VLAN
- SNMPv2c read-write community of public
- SNMPv1 on all interfaces
- Disable SNMP and rely only on ping
Use SNMPv3 with authentication and encryption. Restrict source IPs and interface exposure. Legacy community strings are easily sniffed and guessed.
Correct Answer: SNMPv3 with auth and privacy, limit to management VLAN
Example Code
snmp-server group SEC v3 priv
snmp-server user nms SEC v3 auth sha ... priv aes ...
128. Why does IPv6 increase lateral-movement risk if not considered in tests?
Difficulty: Medium | Type: MCQ | Topic: Network Scan
- Services may listen on IPv6 even if IPv4 is locked down
- IPv6 disables TLS by default
- IPv6 removes routing tables
- IPv6 blocks multicast traffic
Hosts often enable IPv6 by default. If firewalls and ACLs only cover IPv4, attackers may reach services over IPv6 paths. Always test both stacks.
Correct Answer: Services may listen on IPv6 even if IPv4 is locked down
Example Code
Check: ss -tulpen | grep -E ':::|v6'
Firewall: add IPv6 rules mirroring IPv4
129. Which choice is a strong baseline for enterprise Wi-Fi auth?
Difficulty: Easy | Type: MCQ | Topic: WiFi Security
- WPA3-Enterprise with 802.1X and strong EAP methods
- Open SSID with captive portal only
- WEP with hidden SSID
- WPA2-PSK shared across all users
Use 802.1X with per-user credentials or certificates. Prefer WPA3-Enterprise and robust EAP methods. Avoid shared PSKs and legacy ciphers.
Correct Answer: WPA3-Enterprise with 802.1X and strong EAP methods
Example Code
EAP-TLS or PEAP-MSCHAPv2 (with strong password policy and TLS checks)
130. How does an evil-twin attack typically work?
Difficulty: Medium | Type: MCQ | Topic: WiFi Security
- Attackers clone the SSID and lure clients to connect to their AP
- Attackers flood the switch MAC table
- Attackers disable DNSSEC on the resolver
- Attackers swap VLAN tags on trunks
A fake AP mimics a real SSID, often with a stronger signal. Clients may auto-join, exposing traffic or credentials. Wireless intrusion detection and client hardening help reduce this risk.
Correct Answer: Attackers clone the SSID and lure clients to connect to their AP
Example Code
Defend: 802.11w PMF, WIDS/WIPS, user prompts for new BSSIDs
131. What benefit does 802.1X network access control bring on wired ports?
Difficulty: Medium | Type: MCQ | Topic: Network Defense
- Ports stay unauthenticated until a device or user is validated
- It increases PoE power automatically
- It replaces DHCP
- It tunnels traffic over IPSec by default
802.1X checks identity before granting network access. It limits rogue plug-ins and helps enforce posture checks through NAC policies.
Correct Answer: Ports stay unauthenticated until a device or user is validated
Example Code
policy: unauth VLAN → 802.1X success → prod VLAN; failures → guest VLAN
132. Which switch feature helps reduce rogue device risks on access ports?
Difficulty: Easy | Type: MCQ | Topic: Network Defense
- Port security with limited MAC addresses
- Spanning-Tree PortFast only
- LLDP everywhere
- Enabling jumbo frames
Port security limits how many MACs can appear on a port and what to do if a violation occurs. It reduces casual piggybacking and unmanaged hubs.
Correct Answer: Port security with limited MAC addresses
Example Code
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
133. Outline a safe plan to test segmentation between user VLANs and a database subnet.
Difficulty: Medium | Type: Subjective | Topic: Network Defense
First, confirm scope, target subnets, and allowed test ports. Coordinate a window with ops. From a test host in the user VLAN, try only the approved DB ports and record results. Use tiny, read-only connection checks if allowed. Do not run heavy scans. If any unexpected access is open, stop and report immediately with source, destination, port, and timestamp. Share remediation ideas like deny-by-default ACLs and service allow-lists.
Example Code
From VLAN20 host:
1) nc -vz db.example 1433
2) nc -vz db.example 3306
3) Record pass or block → report
134. During a wireless assessment, what low-risk checks do you perform first?
Difficulty: Medium | Type: Subjective | Topic: WiFi Security
Start passive. Identify SSIDs, bands, channels, and security modes. Note WPA version, 802.11w, and whether open or captive portals exist. Look for obvious misconfigs like WPS. Map coverage and BSSID counts. Only after approval, perform light auth and certificate checks for enterprise SSIDs. Keep traffic minimal and avoid client disruptions.
Example Code
Checklist: SSIDs, auth type, PMF on, channel plan, WPS, captive portals, rogue SSIDs
135. How would you assess risky egress paths at the network edge without causing impact?
Difficulty: Medium | Type: Subjective | Topic: Network Defense
Work with the owner to list approved destinations like updates, identity, and CDN hosts. Send a handful of small, benign requests to a few disallowed categories to verify blocks. Log results with timestamps and source IP. Check if DNS allows external resolvers or only the corporate resolver. Recommend egress allow-lists and DNS egress pinning if gaps are found.
Example Code
Test: curl https://blocked.example (expect deny)
DNS: dig @8.8.8.8 example.com (expect blocked)
136. What is a safe strategy for handling Wi-Fi credentials and certificates during testing?
Difficulty: Medium | Type: Subjective | Topic: WiFi Security
Use test accounts created for the engagement. Never store real user passwords in notes. For EAP-TLS, use lab certificates or a throwaway client cert with a short lifetime. If you capture any credential material as evidence, redact secrets and keep the smallest proof. Share rotation steps with the owner before you finish.
Example Code
Evidence log: time, SSID, EAP method, non-secret proof, rotation plan
137. A client asks you to validate NAC controls ethically. How do you scope and execute this?
Difficulty: Hard | Type: Subjective | Topic: Network Defense
Define allowed test methods and devices. Start with posture checks using a clean, patched machine. Confirm 802.1X behavior: unauth, guest, quarantine, and production VLAN outcomes. Attempt only the agreed, low-risk checks like plugging in an unmanaged device to see if it lands in guest. Do not spoof identities or disrupt neighbors without explicit permission. Document each state change and the policy result so owners can tune rules safely.
Example Code
States: unauth → guest; compliant → prod; non-compliant → quarantine; record switchport and VLAN
138. Why is cloud instance metadata a common target during tests?
Difficulty: Easy | Type: MCQ | Topic: Cloud Security
- It can expose short-lived credentials and config if not protected
- It speeds up CPUs automatically
- It encrypts disks by default
- It disables network access
Metadata services often hold tokens and role details for the instance. If an app allows server-side request forgery, attackers may reach metadata and fetch credentials. Lock down egress and use modern metadata protections.
Correct Answer: It can expose short-lived credentials and config if not protected
Example Code
AWS IMDSv2 example:
TOKEN=$(curl -s -X PUT http://169.254.169.254/latest/api/token -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600')
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
139. What is the main benefit of AWS IMDSv2 compared to IMDSv1?
Difficulty: Medium | Type: MCQ | Topic: Cloud Security
- It requires a session token that blocks simple HTTP hop attacks
- It gives permanent keys instead of temporary ones
- It disables role assumption
- It allows public internet access to metadata
IMDSv2 adds a hop-count aware session token. This reduces basic SSRF and open-proxy abuse. Pair it with egress controls and least-privilege roles.
Correct Answer: It requires a session token that blocks simple HTTP hop attacks
Example Code
aws ec2 modify-instance-metadata-options --http-endpoint enabled --http-tokens required --instance-id i-123456
140. Which S3 posture is safest for sensitive data?
Difficulty: Easy | Type: MCQ | Topic: Cloud Security
- Block public access at account and bucket level, use least-privilege IAM
- Enable public read for faster downloads
- Rely only on object ACLs
- Store secrets in object metadata
Use the S3 Block Public Access settings to prevent accidental exposure. Grant narrow roles to apps. Avoid object ACL reliance for private buckets.
Correct Answer: Block public access at account and bucket level, use least-privilege IAM
Example Code
aws s3control put-public-access-block --account-id 123456789012 --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
141. In cloud networks, how do Security Groups differ from Network ACLs?
Difficulty: Medium | Type: MCQ | Topic: Cloud Security
- Security Groups are stateful at instance level; NACLs are stateless at subnet level
- Security Groups are stateless; NACLs are stateful
- Both are only for outbound rules
- Both always allow all traffic by default
Security Groups remember connections per host and simplify rules. Network ACLs work at the subnet boundary and require explicit inbound and outbound entries.
Correct Answer: Security Groups are stateful at instance level; NACLs are stateless at subnet level
Example Code
aws ec2 describe-security-groups
aws ec2 describe-network-acls
142. What is the best baseline for cloud IAM policies?
Difficulty: Easy | Type: MCQ | Topic: Cloud Security
- Grant least privilege with resource-level conditions and short-lived credentials
- Use AdministratorAccess on all roles
- Share one access key across teams
- Allow wildcards for actions and resources
Keep blast radius small. Scope each role to what it must do, add conditions like tags or source VPC, and favor temporary credentials via roles.
Correct Answer: Grant least privilege with resource-level conditions and short-lived credentials
Example Code
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::corp-bucket/reports/*",
    "Condition": { "StringEquals": { "aws:PrincipalTag/team": "analytics" } }
  }]
}
143. Which Kubernetes setting helps prevent cluster-wide escalation from a single namespace role?
Difficulty: Medium | Type: MCQ | Topic: K8s Security
- Use Role and RoleBinding scoped to a namespace rather than ClusterRoleBinding
- Enable anonymous auth for testing
- Run all pods as privileged
- Mount the host root file system into pods
Prefer namespace-scoped permissions. ClusterRoleBinding grants rights across the cluster and can turn a small issue into full control.
Correct Answer: Use Role and RoleBinding scoped to a namespace rather than ClusterRoleBinding
Example Code
kubectl create role viewer --verb=get,list,watch --resource=pods -n dev
kubectl create rolebinding viewer-bind --role=viewer --serviceaccount=dev:app -n dev
144. Which control reduces risky containers in Kubernetes?
Difficulty: Medium | Type: MCQ | Topic: K8s Security
- Enforce Pod Security Standards (baseline or restricted)
- Run all pods as root with NET_ADMIN
- Allow hostPID and hostNetwork by default
- Disable admission controls
PSS policies block privileged containers, host mounts, and risky capabilities. Start with baseline and aim for restricted for most workloads.
Correct Answer: Enforce Pod Security Standards (baseline or restricted)
Example Code
kubectl label ns prod pod-security.kubernetes.io/enforce=restricted
145. What practice best reduces container image supply-chain risk?
Difficulty: Easy | Type: MCQ | Topic: Supply Chain
- Pin to trusted base images, scan on build and deploy, and sign images
- Always pull :latest from public hubs
- Disable scanning to speed builds
- Bake credentials into images
Use minimal, verified bases. Scan dependency layers and sign images so clusters can verify provenance before running them.
Correct Answer: Pin to trusted base images, scan on build and deploy, and sign images
Example Code
docker build -t registry/app:1.2.3 .
cosign sign registry/app:1.2.3
trivy image --exit-code 1 registry/app:1.2.3
146. What is a safer way to handle app secrets in cloud workloads?
Difficulty: Medium | Type: MCQ | Topic: K8s Security
- Use a managed secrets store and inject at runtime with short TTL
- Commit them to Git as environment files
- Pass in via container args and logs
- Store in world-readable S3
Keep secrets out of images and code. Fetch when needed, rotate often, and scope access with IAM or service accounts.
Correct Answer: Use a managed secrets store and inject at runtime with short TTL
Example Code
AWS: aws secretsmanager get-secret-value --secret-id app/db --query SecretString
K8s: CSI Secrets Store driver to mount ephemeral secrets
147. Which control helps stop container breakout paths that rely on calling external endpoints?
Difficulty: Medium | Type: MCQ | Topic: Network Defense
- Egress allow-lists with Kubernetes NetworkPolicies or cloud firewalls
- Always allow all outbound to simplify ops
- HostNetwork for every pod
- Mount /var/run/docker.sock into apps
Limit outbound so a compromised pod cannot freely reach metadata, unknown hosts, or exfil paths. Allow only the domains your app needs.
Correct Answer: Egress allow-lists with Kubernetes NetworkPolicies or cloud firewalls
Example Code
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-allow-dns  # example name; a manifest needs one to apply
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector: { matchLabels: { name: dns } }
148. You have access to a pod in scope. Outline a safe Kubernetes enumeration workflow.
Difficulty: Medium | Type: Subjective | Topic: K8s Security
Check service account tokens and permissions with kubectl using in-cluster config. List only what is allowed: namespace, pods, services, and roles. Never modify resources. Confirm if the pod can talk to the API server and which verbs work. Record exact commands and outputs. Stop if you hit errors that suggest missing rights; do not try to bypass controls.
Example Code
kubectl auth can-i --list
kubectl get ns
kubectl get pods -A --field-selector=spec.nodeName=$(hostname)
149. Describe a low-risk cloud enumeration plan after you obtain a scoped role.
Difficulty: Medium | Type: Subjective | Topic: Cloud Security
Start read-only. List identity context, account or project info, and regions. Enumerate storage, compute, and IAM policies with describe or list only. Do not create, modify, or delete any resource. Capture resource ARNs, tags, and attached policies. Map trust relationships to understand privilege paths. Keep the session short-lived and log every call.
Example Code
aws sts get-caller-identity
aws ec2 describe-regions
aws iam list-roles --max-items 50
150. What practices keep a container registry safe and tidy?
Difficulty: Medium | Type: Subjective | Topic: Supply Chain
Require auth for pull and push. Enforce signed images. Scan on push and block critical findings. Use immutable tags or content digests. Prune old images on a schedule. Keep secrets out of build args and labels. Monitor download patterns to catch abuse.
Example Code
Policy: signed-only, immutable tags, block HIGH/CRITICAL, retention 90 days
151. You are reviewing a managed Kubernetes cluster. What quick security checks do you do first?
Difficulty: Medium | Type: Subjective | Topic: K8s Security
Verify control-plane version and auto-upgrade. Check node OS patching and minimal images. Ensure RBAC is on and audit logs are shipped. Enforce Pod Security Standards and NetworkPolicies. Lock cloud metadata access from pods. Confirm private endpoints and restricted API access. Review IAM roles for service accounts and restrict wildcard permissions.
Example Code
kubectl version
kubectl get ns --show-labels
kubectl get networkpolicy -A
152. What logging and monitoring should you recommend for cloud and containers to speed detection?
Difficulty: Hard | Type: Subjective | Topic: Cloud Security
Collect API audit logs, IAM auth events, and network flow logs. In clusters, enable audit logs, admission logs, and container runtime logs. Correlate with workload labels and trace IDs. Alert on sensitive actions like role changes, public bucket policy changes, and creation of long-lived keys. Keep logs tamper-resistant with write-once storage and defined retention.
Example Code
Alerts: iam:UpdateAssumeRolePolicy, s3:PutBucketAcl public, k8s ClusterRoleBinding changes