Question 1

You want to discover hidden parameters influenced by a CDN.

What is the best initial approach in Burp?

Options :

A : Intruder Sniper with FUZZ in the query string

B : Use Param Miner extension with both “Guess headers” and “Add custom parameter names from traffic” enabled

C : Use Proxy → HTTP history and manually diff responses

D : Use Comparer to compare two baseline responses

Answer: B

Question 2

During a penetration test, you find a reflected XSS in a GET parameter ?q=. The web app sets a HttpOnly session cookie. Which of the following BEST allows you to hijack the victim’s authenticated session?

Options :

A : Steal cookies with document.cookie

B : Inject JS to perform CSRF requests using victim’s session

C :

D : Bruteforce the session token using ffuf

Answer: B

Question 3

During testing, you find a REST endpoint:

GET /api/v1/users/1234/profile

Authenticated as a normal user, you can access your own profile. Changing ID 1234 to 1001 retrieves another user’s data. Which methodology most reliably proves mass exploitation feasibility without detection?

Options :

A : Burp Intruder brute-forcing all IDs with 200 threads.

B : ffuf sequential fuzzing with -t 1 and rate limiting.

C : Using SQLMap to brute-force numeric IDs.

D : Writing a custom Python script with exponential backoff + anomaly detection bypass.

Answer: D

Question 4

A site implements CSRF protection via double-submit cookies. You notice that SameSite is set to Lax. Which crafted request bypasses protection?

Options :

A :

B :

C :

D : Both B and C

Answer: D

Question 5

You find:

POST /upload

{"filename":"invoice.pdf","path":"/users/123/docs/"}

Which exploitation demonstrates maximum impact?

Options :

A : Uploading to /users/456/docs/

B : Uploading a 0-byte file

C : Overwriting your own invoice.pdf

D : Sending malformed JSON to crash parser

Answer: A