This practice test covers Domain 5 (Web Application Hacking) Subdomain 2 (Hacking Web Applications) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.


CEH v13 Domain 5.2 Practice Test 002
10 questions • 8 single-answer, 2 multi-select
Question 1
Clark is hired to perform a web application penetration test and begins by crawling the target's website using OWASP ZAP to map all accessible URLs, input fields, and hidden parameters, building a comprehensive inventory of the application's attack surface. He discovers several endpoints that accept user-supplied input without adequate validation and identifies outdated JavaScript libraries linked from the application's pages. Which phase of the web application hacking methodology did Clark perform?

Question 2
Jane is testing a web application that uses hidden HTML form fields to store item prices during the shopping checkout process, passing the price value from the client to the server without any server-side validation. She intercepts the POST request using Burp Suite and modifies the hidden 'price' field from 99.99 to 0.01, then submits the tampered form and successfully completes a purchase at the altered price. Which web application attack technique did Jane exploit?

Question 3
Elijah is performing a security assessment of a banking web application and uses Burp Suite's Intruder module to automatically cycle through a wordlist of common passwords against the application's login endpoint while monitoring HTTP response sizes to identify valid credentials. The application does not implement account lockout or CAPTCHA after repeated failed attempts, allowing Elijah to test thousands of password combinations without interruption. Which attack technique is Elijah using against the authentication mechanism?

Question 4
Select all that apply
A penetration tester is evaluating a web application's session management and uses a Python script to collect 1,000 session tokens after repeated logins, analyzing them for patterns and discovering that tokens follow a sequential numeric value tied to the epoch timestamp at login. While reviewing Burp Suite proxy logs, she also notices that the server sends a Set-Cookie header with a new session token before authentication completes, meaning an attacker could pre-supply a victim with a known token value to hijack the session post-login. Which two session management vulnerabilities has she identified? (Choose two)
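The two checks the tester in Question 4 performed, as an added example that is not part of the practice test: the token set, the cookie name SESSIONID and the Set-Cookie headers below are all constructed for the demonstration (the "weak" tokens mimic a hypothetical server that derives the session ID from the login epoch timestamp), and the thresholds are assumptions, not values from any real application.

```python
import os
from http.cookies import SimpleCookie
from statistics import median

# Constructed sample data (not captured from a real application): 1,000 tokens
# from a hypothetical server that numbers sessions by login timestamp, and
# 1,000 tokens drawn from the OS CSPRNG for comparison.
WEAK_TOKENS = [str(1_700_000_000 + i) for i in range(1000)]
STRONG_TOKENS = [os.urandom(16).hex() for _ in range(1000)]


def fixed_positions(tokens):
    """Count character positions that never change across the sample.
    A long constant prefix means most of the token carries no entropy."""
    width = min(len(t) for t in tokens)
    return sum(1 for i in range(width) if len({t[i] for t in tokens}) == 1)


def numeric_steps(tokens):
    """Differences between consecutive tokens when every token parses as an
    integer; None if any token is non-numeric."""
    try:
        values = [int(t) for t in tokens]
    except ValueError:
        return None
    return [b - a for a, b in zip(values, values[1:])]


def is_predictable_sequence(tokens, max_step=3600):
    """Tokens are predictable if they are integers and every step between
    consecutive logins is small and non-negative (a counter or a timestamp).
    max_step is an assumed window, not a standard threshold."""
    steps = numeric_steps(tokens)
    return steps is not None and all(0 <= s <= max_step for s in steps)


def predict_next(tokens):
    """The guess an attacker would try next: last value plus the median step."""
    steps = numeric_steps(tokens)
    if not steps:
        return None
    return str(int(tokens[-1]) + int(median(steps)))


def session_cookie_value(set_cookie_header, name="SESSIONID"):
    """Pull the session ID out of a raw Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return jar[name].value if name in jar else None


def session_fixation_suspected(pre_login_header, post_login_header, name="SESSIONID"):
    """The server should issue a fresh ID when the session changes privilege.
    If the ID set before authentication is still in force afterwards, a token
    planted in the victim's browser by an attacker survives the login."""
    before = session_cookie_value(pre_login_header, name)
    after = session_cookie_value(post_login_header, name)
    return before is not None and before == after


if __name__ == "__main__":
    print("weak: fixed positions =", fixed_positions(WEAK_TOKENS))
    print("weak: predictable =", is_predictable_sequence(WEAK_TOKENS))
    print("weak: next guess =", predict_next(WEAK_TOKENS))
    print("strong: predictable =", is_predictable_sequence(STRONG_TOKENS))
    # Constructed headers: the hypothetical server keeps the pre-auth ID.
    pre = "SESSIONID=1700000123; Path=/; HttpOnly"
    post = "SESSIONID=1700000123; Path=/; HttpOnly; Secure"
    print("fixation suspected =", session_fixation_suspected(pre, post))
```

The sequence test is a deliberately crude first pass; a real assessment would also run the sample through Burp's Sequencer or a statistical test suite, but a token whose value you can extrapolate from the previous one fails before any of that is needed. The fixation check is the thing to look for in the proxy log: the same SESSIONID value in the Set-Cookie before login and in the requests after it.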
Question 5
Clark discovers that a web application's search feature reflects user-supplied input directly into the HTML response without encoding or sanitization, and he crafts a malicious URL containing a script tag that executes JavaScript in the victim's browser when the link is clicked. The injected script captures the victim's session cookie and transmits it to Clark's remote collection server, enabling him to impersonate the victim in subsequent requests. Which type of cross-site scripting attack did Clark perform?

Question 6
Jane is testing an e-commerce application and notices that order records are retrieved via a URL parameter such as 'order_id=1042'; she increments the parameter to adjacent values and successfully views complete order histories, shipping addresses, and payment details belonging to other customers without any authorization challenge. The application uses the predictable numeric identifier as the sole access control mechanism without verifying that the authenticated user is the resource owner. Which vulnerability is Jane exploiting?

Question 7
Elijah gains initial access to a target web server by exploiting an unrestricted file upload vulnerability that accepts PHP files renamed with a double extension such as 'shell.php.jpg', which he accesses via the browser's URL bar to execute arbitrary OS commands on the underlying server. He uses this persistent foothold to enumerate internal network segments, exfiltrate database credentials from configuration files, and maintain a covert command-and-control channel across sessions. Which web application attack technique did Elijah deploy?
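The server-side validation that would have stopped the upload in Question 7, as an added example that is not part of the practice test. The allowlist, the magic-byte table and the sample file contents are constructed for the demonstration; the function names are hypothetical.

```python
import os
import secrets

# Allowlisted final extensions and the magic bytes each one must start with.
# Constructed for this example; extend per the file types the app really needs.
ALLOWED_TYPES = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Extensions the web server might hand to an interpreter. Redundant with the
# allowlist above, kept as defence in depth in case the allowlist grows.
SERVER_SIDE_EXTENSIONS = {
    "php", "phtml", "php3", "php4", "php5", "phar",
    "jsp", "asp", "aspx", "cgi", "pl", "py", "sh",
}


def extensions_of(filename):
    """Every dot-separated suffix, lower-cased: 'shell.php.jpg' -> ['php', 'jpg']."""
    parts = os.path.basename(filename).split(".")
    return [p.lower() for p in parts[1:]]


def upload_rejection_reason(filename, head):
    """Return None if the upload is acceptable, otherwise a short reason.
    `head` is the first bytes of the uploaded content."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return "path or null byte in filename"
    exts = extensions_of(filename)
    if len(exts) != 1:
        # Rejects 'shell.php.jpg' (two extensions) and names with none.
        return "exactly one extension required"
    ext = exts[0]
    if ext in SERVER_SIDE_EXTENSIONS:
        return "executable extension"
    if ext not in ALLOWED_TYPES:
        return "extension not allowed"
    if not any(head.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return "content does not match extension"
    return None


def storage_name(filename):
    """Never reuse the client-supplied name: store under a random name that
    carries only the already-validated extension."""
    return f"{secrets.token_hex(16)}.{extensions_of(filename)[0]}"


if __name__ == "__main__":
    # Constructed uploads: a renamed web shell, a PHP payload with an image
    # name, and a genuine JPEG header.
    samples = [
        ("shell.php.jpg", b"<?php system($_GET['c']); ?>"),
        ("photo.jpg", b"<?php echo 1; ?>"),
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        (".htaccess", b"AddType application/x-httpd-php .jpg"),
    ]
    for name, head in samples:
        print(name, "->", upload_rejection_reason(name, head) or "accepted")
```

Why the double extension works in the first place: with Apache's `AddHandler` directive for `.php`, every extension in a filename is evaluated, so `shell.php.jpg` is still handed to the PHP interpreter. A magic-byte check alone is not enough either, since a polyglot that begins with `GIF89a` and carries PHP after it passes it; the rejection above is only sound when the upload directory is outside the web root (or mapped with no handlers and no `.htaccess` overrides) so that nothing stored there can ever be executed.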
Question 8
Select all that apply
A security team is performing a threat assessment of a newly deployed REST API that handles financial transactions, and they observe that the API returns full user profile objects in responses — including fields such as SSN, credit score, and account balance — even when the client only requests a username lookup. During authorization testing, they also confirm that authenticated users can access other users' account records simply by substituting a different user ID in the endpoint path without receiving an authorization error. Which two attack techniques specifically target this API's security weaknesses? (Choose two)
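Both the object-level authorization flaw in Question 6 and the two API weaknesses in Question 8 come down to the same handler logic, so one added example serves both. It is not part of the practice test: the account records, field names and handler functions are constructed for the demonstration, and the "probe" function is the tester's adjacent-ID check from Question 6 written as code.

```python
from dataclasses import dataclass, asdict

# Constructed records for a hypothetical API (not from any real system).
@dataclass
class Account:
    user_id: int
    username: str
    ssn: str
    credit_score: int
    balance: float


ACCOUNTS = {
    1041: Account(1041, "alice", "123-45-6789", 710, 2500.00),
    1042: Account(1042, "bob", "987-65-4321", 650, 130.25),
}

# Explicit response shapes: what a username lookup may reveal to anyone, and
# what an account owner may see about their own record.
PUBLIC_FIELDS = ("user_id", "username")
OWNER_FIELDS = ("user_id", "username", "balance")


class Forbidden(Exception):
    pass


def get_account_vulnerable(requested_id, caller_id):
    """Trusts the ID from the path and serialises the whole object: broken
    object-level authorization plus excessive data exposure in one line."""
    return asdict(ACCOUNTS[requested_id])


def get_account_hardened(requested_id, caller_id):
    """Object-level authorization plus a field allowlist. Ownership is checked
    before existence so that probing other IDs never reveals which ones exist."""
    if requested_id != caller_id:
        raise Forbidden(f"user {caller_id} may not read account {requested_id}")
    if requested_id not in ACCOUNTS:
        raise KeyError(requested_id)
    record = asdict(ACCOUNTS[requested_id])
    return {k: record[k] for k in OWNER_FIELDS}


def lookup_username_hardened(username):
    """A username lookup returns only the fields that use case needs."""
    for acct in ACCOUNTS.values():
        if acct.username == username:
            return {k: getattr(acct, k) for k in PUBLIC_FIELDS}
    return None


def probe_adjacent_ids(handler, caller_id, start, stop):
    """Tester's IDOR check: request neighbouring IDs as one user and report
    which records belonging to someone else came back."""
    leaked = []
    for obj_id in range(start, stop + 1):
        if obj_id == caller_id:
            continue
        try:
            handler(obj_id, caller_id)
        except (KeyError, Forbidden):
            continue
        leaked.append(obj_id)
    return leaked


if __name__ == "__main__":
    # bob (1042) walks the IDs around his own, exactly as in Question 6.
    print("vulnerable leaks:", probe_adjacent_ids(get_account_vulnerable, 1042, 1040, 1043))
    print("hardened leaks:", probe_adjacent_ids(get_account_hardened, 1042, 1040, 1043))
    print("vulnerable response keys:", sorted(get_account_vulnerable(1042, 1042)))
    print("hardened response keys:", sorted(get_account_hardened(1042, 1042)))
```

Two things the hardened version does that are easy to get wrong: the authorization decision uses the caller's identity from the authenticated session, never anything in the request path or body, and the response is assembled from a named list of fields rather than by serialising the model and deleting the sensitive ones, so a column added to the table later does not silently start leaking.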
Question 9
Clark is testing a subscription-based SaaS platform and discovers that the coupon validation endpoint does not use database-level locking, allowing him to exploit a race condition by sending ten parallel POST requests with a single-use coupon code before the server marks it as redeemed. He successfully applies the discount ten times on a single transaction, reducing a $500 invoice to $5 and demonstrating that the flaw allows unauthorized financial benefit. Which type of web application vulnerability did Clark exploit?
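The race in Question 9 reproduced in-process, as an added example that is not part of the practice test. The coupon store, the $49.50 coupon value (chosen so ten redemptions take the constructed $500 invoice to $5) and the method names are all assumptions; a `threading.Lock` stands in for the row lock or atomic update the scenario's backend lacks, and a `Barrier` releases the ten requests together the way a parallel-send script would.

```python
import threading

COUPON_VALUE = 49.50  # constructed: one redemption takes $49.50 off the invoice


class CouponStore:
    """In-memory stand-in for the coupon table."""

    def __init__(self):
        self.redeemed = {}
        self.lock = threading.Lock()

    def add(self, code):
        self.redeemed[code] = False

    def redeem_racy(self, code, gate):
        """Check, then act, with nothing stopping other requests from reading
        the same stale state in between (time-of-check / time-of-use)."""
        unused = not self.redeemed[code]
        gate.wait()                      # every request has now passed the check
        if unused:
            self.redeemed[code] = True
            return True
        return False

    def redeem_atomic(self, code, gate):
        """The check and the mark happen inside one critical section."""
        gate.wait()                      # every request contends at once
        with self.lock:
            if self.redeemed[code]:
                return False
            self.redeemed[code] = True
            return True


def run_parallel_checkout(method, invoice=500.00, requests=10, code="SAVE50"):
    """Fire `requests` simultaneous redemptions of one single-use code and
    return (successful_redemptions, final_invoice_total)."""
    store = CouponStore()
    store.add(code)
    gate = threading.Barrier(requests)
    results = []

    def worker():
        results.append(getattr(store, method)(code, gate))

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    applied = sum(results)
    return applied, round(invoice - applied * COUPON_VALUE, 2)


if __name__ == "__main__":
    print("racy:  ", run_parallel_checkout("redeem_racy"))    # discount applied 10 times
    print("atomic:", run_parallel_checkout("redeem_atomic"))  # applied once
```

The database equivalent of `redeem_atomic` is a conditional update such as `UPDATE coupons SET redeemed = 1 WHERE code = ? AND redeemed = 0`, treating an affected-row count of zero as "already used", or a `SELECT ... FOR UPDATE` inside the same transaction as the write; a `SELECT` followed by a separate `UPDATE` in two round trips is the racy version no matter how fast the server is.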
Question 10
A red team analyst uses Google dork queries such as 'site:target.com filetype:pdf' and 'inurl:admin' combined with Wayback Machine searches to uncover archived versions of the target web application that expose deprecated API endpoints, legacy administrative panels, and configuration files that were inadvertently crawled and indexed. She compiles these findings into a structured inventory of the application's publicly exposed infrastructure and technology stack before initiating any active interaction with the live application. Which web application hacking methodology phase does this activity represent?
