Situational Web

Question 1

What can you do if you want to find the language running on the back end?

Answer 1

Fuzz the file extension of index like index.FUZZ

Question 2

What vulnerabilities to look for in an exposed login page?

Answer 2

SQL Injection

Question 3

What tool to use for brute-forcing login credentials?

Answer 3

Hydra

Question 4

What tool to use to test for SQL injection?

Answer 4

sqlmap

Question 5

What attack to test when you find an exposed API?

Answer 5

Broken Access Control

Question 6

How to identify an IDOR vulnerability?

Answer 6

Modify parameters in requests (e.g.

Question 7

What tool to use for finding exposed sensitive files?

Answer 7

dirb

Question 8

What headers should be checked for security misconfigurations?

Answer 8

CSP

Question 9

What tool to use for testing Cross-Site Scripting (XSS)?

Answer 9

XSSHunter

Question 10

How to check if a website is vulnerable to CORS misconfiguration?

Answer 10

Test Access-Control-Allow-Origin headers with malicious origins

Question 11

What attack can be performed with unrestricted file upload?

Answer 11

Remote Code Execution (RCE)

Question 12

What tool to use for testing for Server-Side Request Forgery (SSRF)?

Answer 12

Burp Collaborator

Question 13

How to check for weak JWT signing keys?

Answer 13

Use jwt_tool or CrackJWT to brute-force signing key

Question 14

What attack can be performed with insecure JWT algorithms?

Answer 14

Switch algorithm from RS256 to None to bypass authentication

Question 15

What tool to use to enumerate subdomains?

Answer 15

Subfinder

Question 16

What attack can be performed with a vulnerable deserialization function?

Answer 16

Remote Code Execution (RCE)

Question 17

What tool to use for testing XML External Entity (XXE) vulnerabilities?

Answer 17

Burp Suite

Question 18

How to identify and exploit a Host Header attack?

Answer 18

Modify Host header to bypass authentication or perform cache poisoning

Question 19

What attack to test when you find an admin panel?

Answer 19

Brute-force login

Question 20

What tool to use for testing CSRF vulnerabilities?

Answer 20

Burp Suite CSRF PoC generator

Question 21

What vulnerabilities to test for in a GraphQL API?

Answer 21

Insecure Direct Object Reference (IDOR)

Question 22

What attack can be performed with a NoSQL Injection vulnerability?

Answer 22

Authentication Bypass

Question 23

How to check for rate limiting issues?

Answer 23

Send multiple requests rapidly and observe response behavior

Question 24

What tool to use for checking misconfigured S3 buckets?

Answer 24

AWS CLI

Question 25

How to bypass WAF protections?

Answer 25

Encode payloads

Question 26

What attack can be performed with improper session management?

Answer 26

Session Fixation

Question 27

How to check for hardcoded secrets in JavaScript files?

Answer 27

Review source code manually

Question 28

What vulnerabilities to test for in an OAuth implementation?

Answer 28

Token Reuse

Question 29

What tool to use for discovering web technologies?

Answer 29

Wappalyzer

Question 30

What attack can be performed with a misconfigured CORS policy?

Answer 30

Stealing authentication tokens

Question 31

How to find hidden endpoints in a web application?

Answer 31

Analyze JavaScript files

Question 32

What vulnerabilities to test for in a file download feature?

Answer 32

Path Traversal

Question 33

What tool to use for discovering vulnerable WordPress plugins?

Answer 33

WPScan

Question 34

What attack can be performed with a vulnerable redirect endpoint?

Answer 34

Open Redirect

Question 35

How to test for weak password policies?

Answer 35

Use common password lists with Hydra or Burp Intruder

Question 36

What tool to use for analyzing web socket security?

Answer 36

Burp Suite

Question 37

How to identify if a site is vulnerable to Clickjacking?

Answer 37

Check for missing X-Frame-Options header and use an iframe to embed the page

Question 38

What attack can be performed with an unrestricted GraphQL query?

Answer 38

Data Over-Extraction

Question 39

What tool to use for detecting CVEs in web applications?

Answer 39

Nuclei

Question 40

How to exploit a SSTI (Server-Side Template Injection) vulnerability?

Answer 40

Inject template payloads like {{7*7}}

Question 41

What tool to use for detecting JavaScript security issues?

Answer 41

Retire.js

Question 42

How to exploit weak object-level authorization in an API?

Answer 42

Modify resource IDs in API requests and check unauthorized access

Question 43

What tool to use for checking for CVEs in third-party libraries?

Answer 43

Dependency-Check

Question 44

How to bypass a login page using SQL Injection?

Answer 44

Use payloads like ' OR 1=1 --

Question 45

What vulnerabilities to test for in a multi-factor authentication system?

Answer 45

2FA Bypass via Response Manipulation

Question 46

How to detect web cache poisoning vulnerabilities?

Answer 46

Modify request headers (X-Forwarded-Host

Question 47

What attack can be performed with an open .git directory?

Answer 47

Source Code Disclosure

Question 48

What tool to use for finding secrets in leaked repositories?

Answer 48

TruffleHog

Question 49

What kind of PHP input sanitization is good for viewing source code?

Answer 49

Appended extensions (appending a .php)

Question 50

What are some sanitization methods to keep in mind when exploiting LFI?

Answer 50

Appended Extensions, Filename Prefix, Removing .., Approved Paths

Question 50

How can you bypass Appended Extension sanitization PHP LFI?

Answer 50

Truncation Bypass, Null Byte Injection, convert.base64-encode filter

Question 51

What do you need to make truncation bypas work for LFI?

Answer 51

< PHP 5.3/5.4 and payload prefixed with non-existant directory

Question 52

What version of PHP does Null byte injection bypass work for LFI?

Answer 52

< PHP 5.5

Question 53

How can we bypass filename prefix santitization PHP LFI?

Answer 53

sometimes by prefixing payload with / character (only if there is a directory with the prefix name)

Question 54

How to bypass .. removal sanitization PHP LFI?

Answer 54

using ....// and ..././ payloads

Question 55

How to bypass approved paths sanitization php

Answer 55

begin path with approved directory (if approved files in languages/ directory begin payload with ./languages/ or languages/)

Question 56

How can you tell if a server side include function is capable of executing PHP code?

Answer 56

Include a PHP code and see if the plain source or a generated page comes back.

Question 57

What is a .net web shell?

Answer 57

<% eval request('cmd') %>

Question 59

HTML forms parameters are normally well tested. How can you exploit other parameters.

Answer 59

Identify parameters not used in forms and fuzz for parameters