The Cybersecurity Trail

A path to cyber mastery

EC-Council CEH Practice Tests

CEH v13 Domain 5.1 Practice Test 002

ByThe Test Master

Apr 21, 2026 #CEH, #EC-Council, #web servers

This practice test covers Domain 5 (Web Application Hacking) Subdomain 1 (Hacking Web Servers) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link.

CEH v13 Domain 5.1 Practice Test 002
10 questions • 8 single-answer, 2 multi-select
Question 1
Kevin is conducting a black-box penetration test against a target web server and submits a crafted HTTP GET request to the server's default port to retrieve response headers including software type, version number, and installed modules. The server responds with headers revealing it runs Apache 2.4.49 on Ubuntu Linux, which Kevin cross-references against known CVE databases to identify unpatched vulnerabilities. Which web server reconnaissance technique did Kevin perform?
    Question 2
    Jane is assessing a web application hosted on a Windows IIS server and discovers that by appending path sequences such as '../../../../windows/system32/drivers/etc/hosts' to a URL parameter, she can read files located outside the web root directory. The web server fails to normalize and sanitize the path before resolving it to the filesystem, allowing Jane to retrieve sensitive configuration files. Which web server attack technique did Jane exploit?
      Question 3
      A penetration tester is fingerprinting a target web server whose administrator has suppressed all standard server banners and replaced default error pages to prevent easy version identification. The tester uses a tool that sends a series of malformed HTTP requests and statistically analyzes the response codes, header ordering, and behavioral deviations to match the server against a signature database without relying on banner content. Which tool is specifically designed for this behavioral web server fingerprinting technique?
        Question 4
        Elijah is testing an enterprise web application and discovers that a URL parameter value is directly reflected inside an HTTP response header without sanitization, allowing him to inject CRLF sequences that split the server's single response into two separate HTTP responses. The second injected response contains a malicious script payload that poisons the proxy cache and executes in victims' browsers when the cached response is served. Which web server attack technique is Elijah exploiting?
          Question 5
          Select all that apply
          A security analyst is reconstructing the methodology used by a threat actor who successfully compromised an enterprise web server and must identify which techniques were used during the initial information-gathering and footprinting phases before any exploitation occurred. The analyst reviews HTTP access logs, Shodan historical records, archived DNS data, and WHOIS history to map the attacker's pre-exploitation activity. Which two techniques are commonly used during the web server attack methodology's footprinting phase? (Choose two)
            Question 6
            A penetration tester runs Nikto against an externally facing web server and receives a detailed report listing outdated Apache software, the presence of default test files, the TRACE HTTP method enabled, and PHP version 5.6 with multiple publicly known critical vulnerabilities. The tester also notes verbose error messages that disclose the server's full internal directory path when an invalid request is submitted. Which category of tool does Nikto represent within the CEH web server attack methodology?
              Question 7
              During a red team engagement against an enterprise intranet, the team discovers that WebDAV is enabled on the target IIS 10 server and the HTTP PUT method is unrestricted, allowing file uploads to the web root without authentication. Using the Cadaver WebDAV client, the team uploads a malicious ASPX web shell to the server's document root directory and gains persistent remote code execution access while completely bypassing the organization's file upload restriction policy. Which web server attack technique does this scenario illustrate?
                Question 8
                Select all that apply
                A CISO reviewing the results of an external web server penetration assessment identifies critical findings related to information disclosure: the web server's response headers reveal its exact software version and operating system, and detailed stack-trace error pages expose internal file paths and database connection strings to unauthenticated users. The security team has been tasked with immediately implementing countermeasures to eliminate these information disclosure risks before the next compliance audit. Which two countermeasures directly address web server information disclosure? (Choose two)
                  Question 9
                  A threat actor targeting a financial institution's cloud-hosted application sends crafted HTTP requests to the organization's reverse proxy, manipulating cache key parameters so that the proxy stores a malicious response containing a redirect to a credential-harvesting page. All subsequent legitimate users requesting the same URL receive the poisoned cached response and are redirected to the phishing site before the security team detects the anomaly and purges the cache. Which web server attack technique does this scenario describe?
                    Question 10
                    A red team using Metasploit identifies an unpatched remote code execution vulnerability in an Apache module on a production web server and successfully delivers a payload that establishes a reverse shell session without requiring valid credentials. Following initial access, the team uploads a PHP web shell to the document root and uses it to pivot laterally to connected database servers and internal management systems. Which phase of the CEH web server attack methodology does the initial exploitation of the Apache module vulnerability represent?
                      Answered: 0/10

                      Related Post

                      EC-Council CEH Practice Tests

                      CEH v13 Domain 7.1 Practice Test 002

                      EC-Council CEH Practice Tests

                      CEH v13 Domain 6.1 Practice Test 002

                      EC-Council CEH Practice Tests

                      CEH v13 Domain 5.3 Practice Test 002

                      Leave a Reply

                      Your email address will not be published. Required fields are marked *

                      You missed

                      EC-Council CEH Practice Tests

                      CEH v13 Domain 7.1 Practice Test 002

                      April 21, 2026 The Test Master
                      EC-Council CEH Practice Tests

                      CEH v13 Domain 6.1 Practice Test 002

                      April 21, 2026 The Test Master
                      EC-Council CEH Practice Tests

                      CEH v13 Domain 5.3 Practice Test 002

                      April 21, 2026 The Test Master
                      EC-Council CEH Practice Tests

                      CEH v13 Domain 5.2 Practice Test 002

                      April 21, 2026 The Test Master