CEH v13 Domain 5.2 Practice Test 001

Welcome to this CEH v13 practice test!

This practice test covers Domain 5 (Web Application Hacking) Subdomain 2 (Hacking Web Applications) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link.

CEH v13 Domain 5.2 Practice Test 001

10 questions • 8 single-answer, 2 multi-select

CEH v13 (312-50v13) • Domain 5: Web Application Hacking — Sub-Domain 5.2: Hacking Web Applications

Question 1

A penetration tester intercepts a web request and modifies a hidden form field value before submitting it to the server. The server processes the modified value without validation. What vulnerability is being exploited?

A. Cross-site scripting B. Parameter tampering C. SQL injection D. Session hijacking

Question 2

During testing, an attacker injects malicious JavaScript into a web application input field, which is then stored in the database and executed when other users view the page. What type of attack is this?

A. Reflected XSS B. Stored XSS C. DOM-based XSS D. CSRF

Question 3

A tester notices that a web application relies heavily on client-side validation using JavaScript. By disabling JavaScript, the tester bypasses validation and submits malicious input. What issue does this demonstrate?

A. Improper session management B. Lack of server-side validation C. Weak encryption D. Directory traversal

Question 4

An attacker tricks a logged-in user into clicking a malicious link that performs an unintended action on a web application using the user's session. What attack is this?

A. Cross-site scripting B. SQL injection C. Cross-site request forgery D. Session fixation

Question 5

A penetration tester uses Burp Suite to intercept and modify HTTP requests and responses during a web application assessment. What is the primary function of Burp Suite in this context?

A. Password cracking B. Web proxy and traffic manipulation C. Packet sniffing D. Port scanning

Question 6

Select all that apply

An ethical hacker is testing for input validation vulnerabilities in a web application. Which TWO techniques are commonly used to identify such issues? (Choose two)

A. Fuzzing input fields B. Manipulating cookies C. Performing SQL injection tests D. Running port scans E. Capturing packets with Wireshark

Question 7

A tester observes that session IDs in a web application are predictable and sequential. What vulnerability does this indicate?

A. Session prediction B. Cross-site scripting C. Directory listing D. DNS poisoning

Question 8

An attacker injects malicious code into a web page that is executed in the victim's browser by manipulating the DOM environment without sending data to the server. What type of XSS is this?

A. Stored XSS B. Reflected XSS C. DOM-based XSS D. Blind XSS

Question 9

A web application fails to invalidate session tokens after logout. An attacker reuses an old session token to gain access. What vulnerability is this?

A. Session replay B. SQL injection C. CSRF D. File inclusion

Question 10

Select all that apply

A penetration tester is assessing authentication mechanisms in a web application. Which TWO weaknesses could lead to authentication bypass? (Choose two)

A. Weak password policies B. Predictable session tokens C. Use of HTTPS D. Strong hashing algorithms E. Multi-factor authentication

Related Posts

Leave a Comment Cancel Reply