Threats and Vulnerabilities MCQ 60 Tests With Answers (2026)
PerfectNotes TeamUpdated: May 27, 2026~15 min practice 60 Questions Β· 3 Levels 60 Questions Β· 3 Levels
These 60 Threats & Vulnerabilities MCQs cover the complete attack-side knowledge required by every working security professional β from understanding what a vulnerability is through to exploiting cryptographic weaknesses and Active Directory misconfigurations. Topics are tested across CompTIA Security+, CEH, OSCP, CISSP, and university cybersecurity syllabi.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering malware taxonomy, ransomware, rootkits, social engineering, and zero-days), Concepts (covering SQLi, XSS, CSRF, CVE/CVSS, buffer overflows, and session hijacking), and Advanced (covering memory corruption, ROP, deserialization, Spectre/Meltdown, and Active Directory Kerberoasting). Each question includes a verified, in-depth explanation to reinforce learning.
Use Study Mode to learn with instant explanations, or switch to Exam Mode for a timed, scored session simulating real exam conditions.
Contents
- 1.Basics (20 Questions)Vulnerability Β· threat Β· worms Β· ransomware Β· rootkits Β· zero-day Β· social engineering
- 2.Concepts (20 Questions)SQLi Β· XSS Β· CVE/CVSS Β· buffer overflow Β· CSRF Β· rainbow tables Β· fileless malware Β· MitM
- 3.Advanced (20 Questions)SSRF Β· Pass-the-Hash Β· ROP Β· TOCTOU Β· ASLR Β· LotL Β· Spectre Β· Kerberoasting
- 4.Conclusionsummary Β· next steps Β· study tips
- 5.Key Takeawaysquick-fire bullet recap of essential facts
- 6.Quick Review Summaryconcept Β· definition Β· key fact table
- 7.FAQcommon questions answered
Threats & Vulnerabilities β Basics
1In cybersecurity, what is the strict definition of a "vulnerability"?
CorrectB: A weakness or flaw in a system, application, or network that can be exploited
A vulnerability is a weakness or flaw in a system, application, network, or process that can be exploited by a threat actor to gain unauthorized access or cause harm. Vulnerabilities can arise from software bugs, misconfigurations, weak passwords, or poor design. The Risk equation is: Risk = Threat Γ Vulnerability Γ Impact.
IncorrectB: A weakness or flaw in a system, application, or network that can be exploited
A vulnerability is a weakness or flaw in a system, application, network, or process that can be exploited by a threat actor to gain unauthorized access or cause harm. Vulnerabilities can arise from software bugs, misconfigurations, weak passwords, or poor design. The Risk equation is: Risk = Threat Γ Vulnerability Γ Impact.
2What is a "threat" in the context of information security?
CorrectB: Any potential danger that could exploit a vulnerability and compromise a system
A threat is any potential danger that could exploit a vulnerability to cause harm to a system or organization. Threats can be intentional (hackers, malware, APTs) or unintentional (user errors, natural disasters). Differentiating threats from vulnerabilities is foundational: a vulnerability is the weakness; a threat is the actor or event that exploits it.
IncorrectB: Any potential danger that could exploit a vulnerability and compromise a system
A threat is any potential danger that could exploit a vulnerability to cause harm to a system or organization. Threats can be intentional (hackers, malware, APTs) or unintentional (user errors, natural disasters). Differentiating threats from vulnerabilities is foundational: a vulnerability is the weakness; a threat is the actor or event that exploits it.
3How does a "Worm" fundamentally differ from a "Virus"?
CorrectB: A worm is self-replicating and spreads across networks without human intervention; a virus requires human action (like opening a file)
A virus attaches itself to a legitimate host file and requires a human action (opening the file, running the program) to execute and spread. A worm, in contrast, is self-contained and self-replicating β it spreads autonomously across networks by exploiting vulnerabilities, without needing to attach to a host file or waiting for user interaction. Notable worms: WannaCry, NotPetya, Morris Worm.
IncorrectB: A worm is self-replicating and spreads across networks without human intervention; a virus requires human action (like opening a file)
A virus attaches itself to a legitimate host file and requires a human action (opening the file, running the program) to execute and spread. A worm, in contrast, is self-contained and self-replicating β it spreads autonomously across networks by exploiting vulnerabilities, without needing to attach to a host file or waiting for user interaction. Notable worms: WannaCry, NotPetya, Morris Worm.
4What is the primary function of "Ransomware"?
CorrectB: To encrypt a victim's data and demand payment for the decryption key
Ransomware encrypts a victim's files or locks their system, then demands a ransom (typically cryptocurrency) in exchange for the decryption key. Modern ransomware gangs also practice double extortion: stealing data before encrypting it, then threatening to publish it if the ransom is unpaid. Notable examples: WannaCry, REvil, LockBit, Colonial Pipeline attack (DarkSide).
IncorrectB: To encrypt a victim's data and demand payment for the decryption key
Ransomware encrypts a victim's files or locks their system, then demands a ransom (typically cryptocurrency) in exchange for the decryption key. Modern ransomware gangs also practice double extortion: stealing data before encrypting it, then threatening to publish it if the ransom is unpaid. Notable examples: WannaCry, REvil, LockBit, Colonial Pipeline attack (DarkSide).
5Which type of malware is designed to grant an attacker continuous, stealthy, administrator-level access to a computer?
CorrectB: Rootkit
A rootkit is malware that provides an attacker with persistent, hidden root/admin-level access to a compromised system. Rootkits modify the operating system (or even firmware) to hide their own presence β concealing processes, files, and registry entries from standard security tools. Famous examples: Sony BMG rootkit, Necurs rootkit, firmware-level rootkits targeting UEFI.
IncorrectB: Rootkit
A rootkit is malware that provides an attacker with persistent, hidden root/admin-level access to a compromised system. Rootkits modify the operating system (or even firmware) to hide their own presence β concealing processes, files, and registry entries from standard security tools. Famous examples: Sony BMG rootkit, Necurs rootkit, firmware-level rootkits targeting UEFI.
6What is a "Keylogger"?
CorrectB: Malware or hardware that secretly records every keystroke a user makes
A keylogger records every key a user presses β capturing passwords, credit card numbers, messages, and other sensitive data. Keyloggers can be software-based (malware running as a process) or hardware-based (physical devices plugged between the keyboard and computer). Captured keystrokes are typically exfiltrated to an attacker-controlled server.
IncorrectB: Malware or hardware that secretly records every keystroke a user makes
A keylogger records every key a user presses β capturing passwords, credit card numbers, messages, and other sensitive data. Keyloggers can be software-based (malware running as a process) or hardware-based (physical devices plugged between the keyboard and computer). Captured keystrokes are typically exfiltrated to an attacker-controlled server.
7Which attack involves overwhelming a target system with a flood of internet traffic to render it unusable?
CorrectA: Denial of Service (DoS)
A Denial of Service (DoS) attack overwhelms a target system β server, network, or service β with malicious traffic, exhausting its resources (CPU, memory, bandwidth) so that legitimate users cannot access it. A Distributed DoS (DDoS) amplifies this by using a botnet of thousands of compromised machines. Famous DDoS attacks: 2016 Mirai botnet (Dyn DNS), 2020 AWS Shield event (2.3 Tbps).
IncorrectA: Denial of Service (DoS)
A Denial of Service (DoS) attack overwhelms a target system β server, network, or service β with malicious traffic, exhausting its resources (CPU, memory, bandwidth) so that legitimate users cannot access it. A Distributed DoS (DDoS) amplifies this by using a botnet of thousands of compromised machines. Famous DDoS attacks: 2016 Mirai botnet (Dyn DNS), 2020 AWS Shield event (2.3 Tbps).
8What does a "Trojan Horse" do?
CorrectB: It disguises itself as legitimate or desirable software to trick users into installing it
A Trojan Horse (or simply "Trojan") masquerades as legitimate software β a free game, a utility, a PDF β to trick users into running it voluntarily. Unlike viruses and worms, Trojans do not self-replicate. Once installed, they deliver a malicious payload: creating backdoors, downloading additional malware, joining botnets, or enabling remote access. Named after the Trojan Horse of Greek mythology.
IncorrectB: It disguises itself as legitimate or desirable software to trick users into installing it
A Trojan Horse (or simply "Trojan") masquerades as legitimate software β a free game, a utility, a PDF β to trick users into running it voluntarily. Unlike viruses and worms, Trojans do not self-replicate. Once installed, they deliver a malicious payload: creating backdoors, downloading additional malware, joining botnets, or enabling remote access. Named after the Trojan Horse of Greek mythology.
9What is a "Zero-Day" vulnerability?
CorrectB: A newly discovered software flaw that the vendor is unaware of and for which no patch currently exists
A zero-day vulnerability is a software flaw unknown to the vendor β giving them "zero days" to prepare a fix before it can be exploited. Zero-day exploits are the most dangerous and valuable in offensive security: they work against fully patched, up-to-date systems. Nation-states and criminal groups pay millions for undisclosed zero-days (e.g., Zerodium brokers). Once the vendor is notified and releases a patch, the vulnerability is no longer zero-day.
IncorrectB: A newly discovered software flaw that the vendor is unaware of and for which no patch currently exists
A zero-day vulnerability is a software flaw unknown to the vendor β giving them "zero days" to prepare a fix before it can be exploited. Zero-day exploits are the most dangerous and valuable in offensive security: they work against fully patched, up-to-date systems. Nation-states and criminal groups pay millions for undisclosed zero-days (e.g., Zerodium brokers). Once the vendor is notified and releases a patch, the vulnerability is no longer zero-day.
10What is "Spyware"?
CorrectB: Malware that secretly observes the user's activities and steals sensitive information
Spyware is malware that covertly monitors a user's computer activity β collecting browsing history, login credentials, financial data, and communications β and transmits this data to a remote attacker. Unlike keyloggers (which focus on keystrokes), spyware may also take screenshots, record webcam/microphone, and track location. Nation-state spyware examples: Pegasus (NSO Group), FinFisher.
IncorrectB: Malware that secretly observes the user's activities and steals sensitive information
Spyware is malware that covertly monitors a user's computer activity β collecting browsing history, login credentials, financial data, and communications β and transmits this data to a remote attacker. Unlike keyloggers (which focus on keystrokes), spyware may also take screenshots, record webcam/microphone, and track location. Nation-state spyware examples: Pegasus (NSO Group), FinFisher.
11In a cyberattack, what does the term "Payload" refer to?
CorrectB: The part of the malware that performs the malicious action (e.g., deleting data, installing a backdoor)
The payload is the component of malware or an exploit that carries out the actual malicious function β encrypting files (ransomware), exfiltrating data (spyware), installing a remote access trojan, or destroying data (wiper malware). The payload is distinct from the delivery mechanism (which gets the malware onto the system) and the propagation mechanism (which spreads it further).
IncorrectB: The part of the malware that performs the malicious action (e.g., deleting data, installing a backdoor)
The payload is the component of malware or an exploit that carries out the actual malicious function β encrypting files (ransomware), exfiltrating data (spyware), installing a remote access trojan, or destroying data (wiper malware). The payload is distinct from the delivery mechanism (which gets the malware onto the system) and the propagation mechanism (which spreads it further).
12What is a "Botnet"?
CorrectB: A network of compromised computers infected with malware and controlled remotely by an attacker
A botnet is a network of internet-connected devices (PCs, servers, IoT devices) infected with malware and controlled by a threat actor (the "botmaster") via Command & Control (C2) infrastructure. Botnets are used for DDoS attacks, spam campaigns, credential stuffing, cryptocurrency mining, and ransomware distribution. Famous botnets: Mirai (IoT), Emotet, TrickBot, Zeus.
IncorrectB: A network of compromised computers infected with malware and controlled remotely by an attacker
A botnet is a network of internet-connected devices (PCs, servers, IoT devices) infected with malware and controlled by a threat actor (the "botmaster") via Command & Control (C2) infrastructure. Botnets are used for DDoS attacks, spam campaigns, credential stuffing, cryptocurrency mining, and ransomware distribution. Famous botnets: Mirai (IoT), Emotet, TrickBot, Zeus.
13What is a "Brute Force" attack?
CorrectB: An automated attack that tries every possible combination of characters until the correct password is guessed
A brute-force attack systematically tries every possible combination of characters β a, b, c β aa, ab, ac β β until the correct password is found. While guaranteed to eventually succeed, it is time-consuming. Defenses include account lockout policies, CAPTCHA, rate limiting, and multi-factor authentication. Dictionary attacks are faster variants using wordlists rather than exhaustive enumeration.
IncorrectB: An automated attack that tries every possible combination of characters until the correct password is guessed
A brute-force attack systematically tries every possible combination of characters β a, b, c β aa, ab, ac β β until the correct password is found. While guaranteed to eventually succeed, it is time-consuming. Defenses include account lockout policies, CAPTCHA, rate limiting, and multi-factor authentication. Dictionary attacks are faster variants using wordlists rather than exhaustive enumeration.
14What is the technical definition of an "Exploit"?
CorrectB: Code or a sequence of commands designed to take advantage of a specific software vulnerability
An exploit is a piece of code, a sequence of commands, or a technique designed to leverage a specific vulnerability in software or hardware to achieve an unintended or unauthorized outcome β such as gaining elevated privileges, executing arbitrary code, or bypassing authentication. Exploits can be local (require local access) or remote (work over a network). Collections of exploits are packaged in exploit kits (e.g., Metasploit).
IncorrectB: Code or a sequence of commands designed to take advantage of a specific software vulnerability
An exploit is a piece of code, a sequence of commands, or a technique designed to leverage a specific vulnerability in software or hardware to achieve an unintended or unauthorized outcome β such as gaining elevated privileges, executing arbitrary code, or bypassing authentication. Exploits can be local (require local access) or remote (work over a network). Collections of exploits are packaged in exploit kits (e.g., Metasploit).
15What is "Adware"?
CorrectB: Software that automatically displays or downloads unwanted advertising material
Adware automatically delivers unwanted advertisements β pop-ups, banners, redirects β often bundled with free software (PUPs: Potentially Unwanted Programs). While typically less malicious than ransomware or spyware, adware can degrade system performance, track browsing behaviour, and serve as a delivery vector for more serious malware. The adware business model monetizes user attention without consent.
IncorrectB: Software that automatically displays or downloads unwanted advertising material
Adware automatically delivers unwanted advertisements β pop-ups, banners, redirects β often bundled with free software (PUPs: Potentially Unwanted Programs). While typically less malicious than ransomware or spyware, adware can degrade system performance, track browsing behaviour, and serve as a delivery vector for more serious malware. The adware business model monetizes user attention without consent.
16Which of the following best describes an "Insider Threat"?
CorrectB: A security risk originating from within the organization, such as a disgruntled or negligent employee
An insider threat is a security risk posed by someone with legitimate access to an organization's systems β employees, contractors, business partners. Insiders can be malicious (intentionally stealing data or sabotaging systems), negligent (accidentally breaking security policy), or compromised (their credentials stolen and used by an outside attacker). Insider threats are particularly dangerous because they bypass perimeter defenses.
IncorrectB: A security risk originating from within the organization, such as a disgruntled or negligent employee
An insider threat is a security risk posed by someone with legitimate access to an organization's systems β employees, contractors, business partners. Insiders can be malicious (intentionally stealing data or sabotaging systems), negligent (accidentally breaking security policy), or compromised (their credentials stolen and used by an outside attacker). Insider threats are particularly dangerous because they bypass perimeter defenses.
17What is "Social Engineering" in the context of cybersecurity?
CorrectB: The psychological manipulation of people into performing actions or divulging confidential information
Social engineering exploits human psychology rather than technical vulnerabilities β manipulating people through deception, impersonation, urgency, and trust. Techniques include phishing (email), vishing (voice), smishing (SMS), pretexting (fabricating a scenario), baiting (leaving infected USB drives), and tailgating (following someone through a secure door). Security awareness training is the primary defense.
IncorrectB: The psychological manipulation of people into performing actions or divulging confidential information
Social engineering exploits human psychology rather than technical vulnerabilities β manipulating people through deception, impersonation, urgency, and trust. Techniques include phishing (email), vishing (voice), smishing (SMS), pretexting (fabricating a scenario), baiting (leaving infected USB drives), and tailgating (following someone through a secure door). Security awareness training is the primary defense.
18What is the process of applying software updates to fix known vulnerabilities called?
CorrectB: Patch Management
Patch management is the systematic process of identifying, acquiring, testing, and applying software patches (updates) to fix known vulnerabilities, bugs, and security flaws across an organization's systems. Timely patching is one of the most effective defenses against cyberattacks β the 2017 WannaCry ransomware attack exploited EternalBlue, a vulnerability for which Microsoft had already released a patch (MS17-010) two months earlier.
IncorrectB: Patch Management
Patch management is the systematic process of identifying, acquiring, testing, and applying software patches (updates) to fix known vulnerabilities, bugs, and security flaws across an organization's systems. Timely patching is one of the most effective defenses against cyberattacks β the 2017 WannaCry ransomware attack exploited EternalBlue, a vulnerability for which Microsoft had already released a patch (MS17-010) two months earlier.
19What is a "Logic Bomb"?
CorrectB: Malicious code inserted into software that executes only when specific conditions or dates are met
A logic bomb is dormant malicious code hidden within legitimate software that activates when a specific condition is met β a particular date/time (e.g., "if date = January 1"), a user action, or the absence of a condition (e.g., "if this employee's ID stops appearing in payroll"). Logic bombs are frequently planted by disgruntled insiders. Because the code is dormant, it can evade detection by standard antivirus scans for extended periods.
IncorrectB: Malicious code inserted into software that executes only when specific conditions or dates are met
A logic bomb is dormant malicious code hidden within legitimate software that activates when a specific condition is met β a particular date/time (e.g., "if date = January 1"), a user action, or the absence of a condition (e.g., "if this employee's ID stops appearing in payroll"). Logic bombs are frequently planted by disgruntled insiders. Because the code is dormant, it can evade detection by standard antivirus scans for extended periods.
20What is a "Backdoor"?
CorrectB: A hidden, undocumented method of bypassing normal authentication to access a system
A backdoor is a covert, undocumented access mechanism that bypasses normal authentication to provide unauthorized access to a system. Backdoors can be intentionally installed by developers (debugging purposes), planted by malware, or deliberately embedded by nation-state actors in software or hardware (supply chain backdoors). Famous example: the XZ Utils backdoor (CVE-2024-3094) discovered in 2024, targeting SSH on Linux systems.
IncorrectB: A hidden, undocumented method of bypassing normal authentication to access a system
A backdoor is a covert, undocumented access mechanism that bypasses normal authentication to provide unauthorized access to a system. Backdoors can be intentionally installed by developers (debugging purposes), planted by malware, or deliberately embedded by nation-state actors in software or hardware (supply chain backdoors). Famous example: the XZ Utils backdoor (CVE-2024-3094) discovered in 2024, targeting SSH on Linux systems.
Threats & Vulnerabilities β Concepts
1How does a SQL Injection (SQLi) attack work?
CorrectB: The attacker inputs malicious SQL queries into web forms to manipulate the backend database
SQL Injection exploits insufficient input validation: when user-supplied data is embedded directly into a SQL query without sanitization, an attacker can inject malicious SQL syntax (e.g., ' OR '1'='1) to manipulate the query. This can bypass authentication, extract the entire database, modify or delete data (UPDATE/DROP), and in some configurations execute OS commands via xp_cmdshell. SQLi consistently appears in the OWASP Top 10.
IncorrectB: The attacker inputs malicious SQL queries into web forms to manipulate the backend database
SQL Injection exploits insufficient input validation: when user-supplied data is embedded directly into a SQL query without sanitization, an attacker can inject malicious SQL syntax (e.g., ' OR '1'='1) to manipulate the query. This can bypass authentication, extract the entire database, modify or delete data (UPDATE/DROP), and in some configurations execute OS commands via xp_cmdshell. SQLi consistently appears in the OWASP Top 10.
2What is Cross-Site Scripting (XSS)?
CorrectB: An attack where malicious JavaScript is injected into a trusted website and executed in the victim's browser
XSS (Cross-Site Scripting) injects malicious client-side scripts (usually JavaScript) into web pages viewed by other users. Because the script executes in the context of a trusted site, it can steal session cookies (leading to session hijacking), redirect users to phishing pages, log keystrokes, and perform actions on behalf of the victim. Three types: Reflected (non-persistent), Stored (persistent), and DOM-based.
IncorrectB: An attack where malicious JavaScript is injected into a trusted website and executed in the victim's browser
XSS (Cross-Site Scripting) injects malicious client-side scripts (usually JavaScript) into web pages viewed by other users. Because the script executes in the context of a trusted site, it can steal session cookies (leading to session hijacking), redirect users to phishing pages, log keystrokes, and perform actions on behalf of the victim. Three types: Reflected (non-persistent), Stored (persistent), and DOM-based.
3What does CVE stand for in vulnerability management?
CorrectB: Common Vulnerabilities and Exposures (a standardized dictionary of publicly known vulnerabilities)
CVE (Common Vulnerabilities and Exposures) is a dictionary maintained by MITRE (sponsored by CISA/DHS) that assigns a unique identifier (e.g., CVE-2021-44228 for Log4Shell) to each publicly known vulnerability. CVE IDs enable consistent, unambiguous communication about vulnerabilities across security tools, advisories, and databases. The National Vulnerability Database (NVD) enriches CVE entries with CVSS scores and additional metadata.
IncorrectB: Common Vulnerabilities and Exposures (a standardized dictionary of publicly known vulnerabilities)
CVE (Common Vulnerabilities and Exposures) is a dictionary maintained by MITRE (sponsored by CISA/DHS) that assigns a unique identifier (e.g., CVE-2021-44228 for Log4Shell) to each publicly known vulnerability. CVE IDs enable consistent, unambiguous communication about vulnerabilities across security tools, advisories, and databases. The National Vulnerability Database (NVD) enriches CVE entries with CVSS scores and additional metadata.
4What is the purpose of the Common Vulnerability Scoring System (CVSS)?
CorrectB: To provide a standardized numerical score reflecting the severity and impact of a software vulnerability
CVSS (Common Vulnerability Scoring System) provides a standardized 0β10 numeric score measuring a vulnerability's severity. It uses three metric groups: Base (intrinsic characteristics β attack vector, complexity, privileges required, impact), Temporal (factors that change over time β exploit availability, patch maturity), and Environmental (organization-specific context). Scores: 0.0 = None, 0.1β3.9 = Low, 4.0β6.9 = Medium, 7.0β8.9 = High, 9.0β10.0 = Critical.
IncorrectB: To provide a standardized numerical score reflecting the severity and impact of a software vulnerability
CVSS (Common Vulnerability Scoring System) provides a standardized 0β10 numeric score measuring a vulnerability's severity. It uses three metric groups: Base (intrinsic characteristics β attack vector, complexity, privileges required, impact), Temporal (factors that change over time β exploit availability, patch maturity), and Environmental (organization-specific context). Scores: 0.0 = None, 0.1β3.9 = Low, 4.0β6.9 = Medium, 7.0β8.9 = High, 9.0β10.0 = Critical.
5What is a "Buffer Overflow" attack?
CorrectB: Sending more data to a computer program's memory buffer than it can hold, causing it to overwrite adjacent memory and execute malicious code
A buffer overflow occurs when a program writes more data into a fixed-size memory buffer than it was allocated, causing it to overwrite adjacent memory regions β including the return address on the stack. An attacker carefully crafts input to overwrite the return address with a pointer to their shellcode, hijacking program execution. Stack-based overflows are the classic form; heap overflows target dynamically allocated memory. Mitigations: ASLR, DEP/NX, stack canaries.
IncorrectB: Sending more data to a computer program's memory buffer than it can hold, causing it to overwrite adjacent memory and execute malicious code
A buffer overflow occurs when a program writes more data into a fixed-size memory buffer than it was allocated, causing it to overwrite adjacent memory regions β including the return address on the stack. An attacker carefully crafts input to overwrite the return address with a pointer to their shellcode, hijacking program execution. Stack-based overflows are the classic form; heap overflows target dynamically allocated memory. Mitigations: ASLR, DEP/NX, stack canaries.
6In a "Dictionary Attack," how does the attacker guess passwords?
CorrectB: By using a pre-compiled list of common words, phrases, and previously leaked passwords
A dictionary attack uses a wordlist β compiled from common passwords (password123, iloveyou), dictionary words, proper names, and historically leaked credential databases (e.g., RockYou, Collections #1β5) β to rapidly test candidate passwords against a hash. Much faster than pure brute-force because most users choose predictable passwords. Credential stuffing is a related variant using breached username/password pairs against other services.
IncorrectB: By using a pre-compiled list of common words, phrases, and previously leaked passwords
A dictionary attack uses a wordlist β compiled from common passwords (password123, iloveyou), dictionary words, proper names, and historically leaked credential databases (e.g., RockYou, Collections #1β5) β to rapidly test candidate passwords against a hash. Much faster than pure brute-force because most users choose predictable passwords. Credential stuffing is a related variant using breached username/password pairs against other services.
7What is "DNS Cache Poisoning" (DNS Spoofing)?
CorrectB: Altering the DNS records in a resolver's cache so that a legitimate domain name redirects traffic to a malicious IP address
DNS Cache Poisoning injects a forged DNS response into a resolver's cache, causing it to map a legitimate domain (e.g., bank.com) to an attacker-controlled IP. Victims who query the poisoned resolver are silently redirected to a malicious server without knowing β enabling credential theft, malware delivery, and man-in-the-middle attacks. The 2008 Kaminsky bug was a critical DNS poisoning vulnerability. DNSSEC (DNS Security Extensions) provides cryptographic validation to prevent this.
IncorrectB: Altering the DNS records in a resolver's cache so that a legitimate domain name redirects traffic to a malicious IP address
DNS Cache Poisoning injects a forged DNS response into a resolver's cache, causing it to map a legitimate domain (e.g., bank.com) to an attacker-controlled IP. Victims who query the poisoned resolver are silently redirected to a malicious server without knowing β enabling credential theft, malware delivery, and man-in-the-middle attacks. The 2008 Kaminsky bug was a critical DNS poisoning vulnerability. DNSSEC (DNS Security Extensions) provides cryptographic validation to prevent this.
8How does a Cross-Site Request Forgery (CSRF) attack function?
CorrectB: It tricks an authenticated user's browser into executing unwanted actions on a web application where they are currently logged in
CSRF exploits the trust a web application has in an authenticated user's browser. The attacker crafts a malicious request (e.g., a hidden image tag or auto-submitting form) on a site they control. When the victim (who is logged in to bank.com) visits the attacker's page, their browser automatically sends the forged request with their valid cookies, performing actions (fund transfers, email changes) without their knowledge. Mitigations: CSRF tokens, SameSite cookie attribute, re-authentication for sensitive actions.
IncorrectB: It tricks an authenticated user's browser into executing unwanted actions on a web application where they are currently logged in
CSRF exploits the trust a web application has in an authenticated user's browser. The attacker crafts a malicious request (e.g., a hidden image tag or auto-submitting form) on a site they control. When the victim (who is logged in to bank.com) visits the attacker's page, their browser automatically sends the forged request with their valid cookies, performing actions (fund transfers, email changes) without their knowledge. Mitigations: CSRF tokens, SameSite cookie attribute, re-authentication for sensitive actions.
9What is "Privilege Escalation"?
CorrectB: An attacker exploiting a bug or design flaw to gain elevated access to resources normally protected from an application or user
Privilege escalation allows an attacker to gain higher-level permissions than originally authorized. Vertical escalation goes from a standard user β administrator/root (e.g., exploiting a SUID binary on Linux). Horizontal escalation goes from one user account to another at the same privilege level (e.g., accessing another user's files). It's a critical step in the attack kill chain after initial access β enabling data exfiltration, persistence, and lateral movement.
IncorrectB: An attacker exploiting a bug or design flaw to gain elevated access to resources normally protected from an application or user
Privilege escalation allows an attacker to gain higher-level permissions than originally authorized. Vertical escalation goes from a standard user β administrator/root (e.g., exploiting a SUID binary on Linux). Horizontal escalation goes from one user account to another at the same privilege level (e.g., accessing another user's files). It's a critical step in the attack kill chain after initial access β enabling data exfiltration, persistence, and lateral movement.
10What is "Directory Traversal" (or Path Traversal)?
CorrectB: A web vulnerability allowing an attacker to read arbitrary files on the server running an application (e.g., using ../ to access /etc/passwd)
Directory (Path) Traversal occurs when user-supplied input is used to construct a file path without adequate sanitization, allowing an attacker to navigate outside the intended directory using sequences like ../../ to read sensitive server files (/etc/passwd, /etc/shadow, application config files, private keys). The attack exploits the file system hierarchy rather than application logic. Prevention: canonicalize paths, validate against an allowlist, use chroot jails.
IncorrectB: A web vulnerability allowing an attacker to read arbitrary files on the server running an application (e.g., using ../ to access /etc/passwd)
Directory (Path) Traversal occurs when user-supplied input is used to construct a file path without adequate sanitization, allowing an attacker to navigate outside the intended directory using sequences like ../../ to read sensitive server files (/etc/passwd, /etc/shadow, application config files, private keys). The attack exploits the file system hierarchy rather than application logic. Prevention: canonicalize paths, validate against an allowlist, use chroot jails.
11What is the difference between "Spear Phishing" and "Whaling"?
CorrectB: Spear phishing is highly targeted at specific individuals; Whaling is a subset of spear phishing targeting high-level executives (CEOs, CFOs)
Standard phishing casts a wide net with generic messages. Spear phishing is targeted and personalized β researching the victim's name, role, and relationships to craft a convincing pretext. Whaling is a further specialization targeting "big fish" β C-suite executives and board members β whose authority can authorize large wire transfers or access sensitive systems. Business Email Compromise (BEC) fraud combines whaling with impersonation to authorize fraudulent financial transactions.
IncorrectB: Spear phishing is highly targeted at specific individuals; Whaling is a subset of spear phishing targeting high-level executives (CEOs, CFOs)
Standard phishing casts a wide net with generic messages. Spear phishing is targeted and personalized β researching the victim's name, role, and relationships to craft a convincing pretext. Whaling is a further specialization targeting "big fish" β C-suite executives and board members β whose authority can authorize large wire transfers or access sensitive systems. Business Email Compromise (BEC) fraud combines whaling with impersonation to authorize fraudulent financial transactions.
12What is a "Rainbow Table" attack?
CorrectB: An attack that uses a massive precomputed table of cryptographic hashes to rapidly crack password hashes
A rainbow table is a precomputed data structure mapping candidate passwords to their hash values. Instead of computing a hash for each guess at runtime (as in a brute-force attack), an attacker simply looks up a stolen hash in the table to instantly find the corresponding password. Rainbow tables are orders of magnitude faster than live brute-forcing. The defense: cryptographic salting makes precomputed tables useless.
IncorrectB: An attack that uses a massive precomputed table of cryptographic hashes to rapidly crack password hashes
A rainbow table is a precomputed data structure mapping candidate passwords to their hash values. Instead of computing a hash for each guess at runtime (as in a brute-force attack), an attacker simply looks up a stolen hash in the table to instantly find the corresponding password. Rainbow tables are orders of magnitude faster than live brute-forcing. The defense: cryptographic salting makes precomputed tables useless.
13How does "Cryptographic Salting" defend against Rainbow Table attacks?
CorrectB: By adding random data (a "salt") to a password before hashing it, rendering precomputed hash tables useless
A salt is a random, unique value generated for each user and prepended or appended to their password before hashing: Hash(password + salt). Because the salt is unique per user, even two users with identical passwords produce different hashes β making precomputed rainbow tables useless (the table would need to be regenerated for every possible salt value, which is computationally infeasible). Modern password hashing algorithms (bcrypt, Argon2, scrypt) incorporate salts by design.
IncorrectB: By adding random data (a "salt") to a password before hashing it, rendering precomputed hash tables useless
A salt is a random, unique value generated for each user and prepended or appended to their password before hashing: Hash(password + salt). Because the salt is unique per user, even two users with identical passwords produce different hashes β making precomputed rainbow tables useless (the table would need to be regenerated for every possible salt value, which is computationally infeasible). Modern password hashing algorithms (bcrypt, Argon2, scrypt) incorporate salts by design.
14What is "Session Hijacking"?
CorrectB: An attacker obtaining a user's valid session ID (often via XSS or sniffing) and using it to impersonate the user on a web application
Web applications use session tokens (cookies) to identify authenticated users. Session hijacking steals a valid session token β via XSS (stealing the cookie via document.cookie), network sniffing on unencrypted HTTP, or session fixation (forcing a known session ID). With the token, the attacker impersonates the victim without knowing their password. Defenses: HTTPS-only cookies, HttpOnly and Secure flags, SameSite attribute, session timeout, and re-authentication for sensitive actions.
IncorrectB: An attacker obtaining a user's valid session ID (often via XSS or sniffing) and using it to impersonate the user on a web application
Web applications use session tokens (cookies) to identify authenticated users. Session hijacking steals a valid session token β via XSS (stealing the cookie via document.cookie), network sniffing on unencrypted HTTP, or session fixation (forcing a known session ID). With the token, the attacker impersonates the victim without knowing their password. Defenses: HTTPS-only cookies, HttpOnly and Secure flags, SameSite attribute, session timeout, and re-authentication for sensitive actions.
15What is the primary function of a "Honeypot"?
CorrectB: A decoy system deliberately set up to attract, detect, and study attackers and their methods
A honeypot is a deliberately vulnerable decoy system designed to lure attackers and detect unauthorized access. It serves multiple purposes: early detection (any access to the honeypot indicates an intrusion), threat intelligence (studying attacker tools and techniques), and deception (wasting attacker time). A honeynet is a network of honeypots. Production honeypots protect live systems; research honeypots gather threat intelligence.
IncorrectB: A decoy system deliberately set up to attract, detect, and study attackers and their methods
A honeypot is a deliberately vulnerable decoy system designed to lure attackers and detect unauthorized access. It serves multiple purposes: early detection (any access to the honeypot indicates an intrusion), threat intelligence (studying attacker tools and techniques), and deception (wasting attacker time). A honeynet is a network of honeypots. Production honeypots protect live systems; research honeypots gather threat intelligence.
16What does "Fileless Malware" do?
CorrectB: It operates entirely within the computer's RAM and uses legitimate system tools (like PowerShell) to avoid leaving a footprint on the hard drive
Fileless malware avoids writing executable files to disk β instead, it injects malicious code directly into the memory of legitimate running processes (e.g., PowerShell, wscript, mshta) or stores payloads in the Windows Registry. Because there is no malicious file on disk, traditional signature-based antivirus often misses it. Detection requires behavioural analysis and memory forensics. The "Living off the Land" (LotL) technique is a key component of fileless attacks.
IncorrectB: It operates entirely within the computer's RAM and uses legitimate system tools (like PowerShell) to avoid leaving a footprint on the hard drive
Fileless malware avoids writing executable files to disk β instead, it injects malicious code directly into the memory of legitimate running processes (e.g., PowerShell, wscript, mshta) or stores payloads in the Windows Registry. Because there is no malicious file on disk, traditional signature-based antivirus often misses it. Detection requires behavioural analysis and memory forensics. The "Living off the Land" (LotL) technique is a key component of fileless attacks.
17What is "MAC Spoofing"?
CorrectB: Altering the factory-assigned Media Access Control address of a network interface to bypass access control lists or hide identity
A MAC (Media Access Control) address is a hardware-assigned 48-bit identifier unique to each network interface. MAC spoofing changes a device's MAC address to impersonate another device, bypass MAC-based access control lists (ACLs), bypass Wi-Fi MAC filtering, or hide the attacker's true identity on the local network. It is simple to perform on most operating systems and does not require special hardware. It only works within the local network segment (MAC addresses are not routable).
IncorrectB: Altering the factory-assigned Media Access Control address of a network interface to bypass access control lists or hide identity
A MAC (Media Access Control) address is a hardware-assigned 48-bit identifier unique to each network interface. MAC spoofing changes a device's MAC address to impersonate another device, bypass MAC-based access control lists (ACLs), bypass Wi-Fi MAC filtering, or hide the attacker's true identity on the local network. It is simple to perform on most operating systems and does not require special hardware. It only works within the local network segment (MAC addresses are not routable).
18What is "Typosquatting" (URL Hijacking)?
CorrectB: Registering a domain name extremely similar to a popular website (e.g., goggle.com) to trick users who mistype the URL
Typosquatting exploits common keyboard typos and misspellings by registering domain names nearly identical to legitimate sites. Attackers monetize these domains via phishing pages (credential harvesting), drive-by malware downloads, or affiliate ad fraud. Variants include homograph attacks (using visually similar Unicode characters, e.g., Cyrillic "?" instead of Latin "a"), combosquatting (adding words like bank-services.com), and soundsquatting (using homophones).
IncorrectB: Registering a domain name extremely similar to a popular website (e.g., goggle.com) to trick users who mistype the URL
Typosquatting exploits common keyboard typos and misspellings by registering domain names nearly identical to legitimate sites. Attackers monetize these domains via phishing pages (credential harvesting), drive-by malware downloads, or affiliate ad fraud. Variants include homograph attacks (using visually similar Unicode characters, e.g., Cyrillic "?" instead of Latin "a"), combosquatting (adding words like bank-services.com), and soundsquatting (using homophones).
19Which vulnerability occurs when an application relies on client-side input to make security decisions without server-side validation?
CorrectB: Improper Input Validation / Broken Access Control
Trusting client-supplied data for security decisions is a fundamental design flaw: clients can trivially modify cookies, hidden form fields, URL parameters, and HTTP headers. Improper Input Validation / Broken Access Control (OWASP A01) occurs when the server fails to validate that the authenticated user is actually authorized to access the requested resource or action, relying on client-side controls (hidden fields, JavaScript checks) that can be easily bypassed with developer tools or a proxy like Burp Suite.
IncorrectB: Improper Input Validation / Broken Access Control
Trusting client-supplied data for security decisions is a fundamental design flaw: clients can trivially modify cookies, hidden form fields, URL parameters, and HTTP headers. Improper Input Validation / Broken Access Control (OWASP A01) occurs when the server fails to validate that the authenticated user is actually authorized to access the requested resource or action, relying on client-side controls (hidden fields, JavaScript checks) that can be easily bypassed with developer tools or a proxy like Burp Suite.
20What is a "Man-in-the-Middle" (MitM) attack?
CorrectB: An attacker secretly intercepting, reading, and potentially altering the communications between two parties who believe they are communicating directly
A Man-in-the-Middle (MitM) attack positions the attacker between two communicating parties, allowing them to eavesdrop on, capture, and/or modify communications in real time without either party knowing. Techniques include ARP spoofing (on local networks), SSL stripping (downgrading HTTPS to HTTP), rogue Wi-Fi hotspots, and BGP hijacking. TLS/SSL encryption and certificate pinning are primary defenses; HTTP Strict Transport Security (HSTS) prevents SSL stripping.
IncorrectB: An attacker secretly intercepting, reading, and potentially altering the communications between two parties who believe they are communicating directly
A Man-in-the-Middle (MitM) attack positions the attacker between two communicating parties, allowing them to eavesdrop on, capture, and/or modify communications in real time without either party knowing. Techniques include ARP spoofing (on local networks), SSL stripping (downgrading HTTPS to HTTP), rogue Wi-Fi hotspots, and BGP hijacking. TLS/SSL encryption and certificate pinning are primary defenses; HTTP Strict Transport Security (HSTS) prevents SSL stripping.
Threats & Vulnerabilities β Advanced
1What is "Server-Side Request Forgery" (SSRF)?
CorrectB: A vulnerability where an attacker forces the server to make requests to internal, restricted, or external resources on the attacker's behalf
SSRF exploits server-side functionality that fetches external URLs (e.g., webhooks, URL-based file parsers). An attacker provides a malicious URL that points to internal resources (http://169.254.169.254/latest/meta-data/ β the AWS EC2 metadata service), backend services (http://internal-redis:6379), or localhost endpoints normally inaccessible from the internet. Blind SSRF occurs when the server response is not returned to the attacker. SSRF was used in the 2019 Capital One breach. OWASP Top 10 A10:2021.
IncorrectB: A vulnerability where an attacker forces the server to make requests to internal, restricted, or external resources on the attacker's behalf
SSRF exploits server-side functionality that fetches external URLs (e.g., webhooks, URL-based file parsers). An attacker provides a malicious URL that points to internal resources (http://169.254.169.254/latest/meta-data/ β the AWS EC2 metadata service), backend services (http://internal-redis:6379), or localhost endpoints normally inaccessible from the internet. Blind SSRF occurs when the server response is not returned to the attacker. SSRF was used in the 2019 Capital One breach. OWASP Top 10 A10:2021.
2How does a "Pass-the-Hash" attack work in Windows environments?
CorrectB: By extracting a hashed credential from memory and using it to authenticate to other network resources without ever needing the plaintext password
Windows NTLM authentication can accept a password hash directly without requiring the plaintext password. Pass-the-Hash (PtH) exploits this: an attacker with admin privileges uses tools like Mimikatz to extract NTLM hashes from the LSASS process memory, then uses those hashes to authenticate laterally to other systems on the network. Defenses: Credential Guard, Protected Users security group, disabling NTLM in favour of Kerberos, principle of least privilege.
IncorrectB: By extracting a hashed credential from memory and using it to authenticate to other network resources without ever needing the plaintext password
Windows NTLM authentication can accept a password hash directly without requiring the plaintext password. Pass-the-Hash (PtH) exploits this: an attacker with admin privileges uses tools like Mimikatz to extract NTLM hashes from the LSASS process memory, then uses those hashes to authenticate laterally to other systems on the network. Defenses: Credential Guard, Protected Users security group, disabling NTLM in favour of Kerberos, principle of least privilege.
3What is "Return-Oriented Programming" (ROP)?
CorrectB: An advanced exploit technique that bypasses Data Execution Prevention (DEP) by chaining together small snippets of existing executable code (gadgets) already in memory
DEP/NX marks memory regions as non-executable, preventing injected shellcode from running. ROP bypasses this by not injecting new code β instead, it chains together short instruction sequences ("gadgets") already present in the program's legitimate code (ending in RET instructions). By carefully controlling the stack, the attacker sequences these gadgets to perform arbitrary computations entirely using existing code. Combining ROP with ASLR bypass is a hallmark of sophisticated exploits.
IncorrectB: An advanced exploit technique that bypasses Data Execution Prevention (DEP) by chaining together small snippets of existing executable code (gadgets) already in memory
DEP/NX marks memory regions as non-executable, preventing injected shellcode from running. ROP bypasses this by not injecting new code β instead, it chains together short instruction sequences ("gadgets") already present in the program's legitimate code (ending in RET instructions). By carefully controlling the stack, the attacker sequences these gadgets to perform arbitrary computations entirely using existing code. Combining ROP with ASLR bypass is a hallmark of sophisticated exploits.
4What is a "Time-of-Check to Time-of-Use" (TOCTOU) vulnerability?
CorrectB: A race condition where a system verifies an access condition but the state changes maliciously before the system actually performs the authorized action
TOCTOU is a race condition vulnerability: there is a window of time between when a system checks a condition (e.g., "does this file path point to a legitimate file?") and when it uses that result to take action (e.g., "open and read the file"). An attacker can swap the resource during this window β replacing the legitimate file with a symlink to /etc/shadow, for example. TOCTOU attacks are particularly dangerous in privileged programs (SUID binaries) and file system operations on multi-threaded systems.
IncorrectB: A race condition where a system verifies an access condition but the state changes maliciously before the system actually performs the authorized action
TOCTOU is a race condition vulnerability: there is a window of time between when a system checks a condition (e.g., "does this file path point to a legitimate file?") and when it uses that result to take action (e.g., "open and read the file"). An attacker can swap the resource during this window β replacing the legitimate file with a symlink to /etc/shadow, for example. TOCTOU attacks are particularly dangerous in privileged programs (SUID binaries) and file system operations on multi-threaded systems.
5What is the primary risk of "Insecure Deserialization"?
CorrectB: Untrusted data is used to recreate an object, allowing an attacker to tamper with the serialized data to achieve Remote Code Execution (RCE) or bypass authentication
Serialization converts an object to a byte stream for storage or transmission; deserialization reconstructs it. Insecure deserialization occurs when an application deserializes untrusted, user-controlled data without validation. An attacker crafts a malicious serialized payload that, when deserialized, triggers a gadget chain invoking arbitrary method calls β leading to RCE, privilege escalation, or authentication bypass. Famous example: Apache Commons Collections gadget chains in Java. OWASP Top 10 A08:2021.
IncorrectB: Untrusted data is used to recreate an object, allowing an attacker to tamper with the serialized data to achieve Remote Code Execution (RCE) or bypass authentication
Serialization converts an object to a byte stream for storage or transmission; deserialization reconstructs it. Insecure deserialization occurs when an application deserializes untrusted, user-controlled data without validation. An attacker crafts a malicious serialized payload that, when deserialized, triggers a gadget chain invoking arbitrary method calls β leading to RCE, privilege escalation, or authentication bypass. Famous example: Apache Commons Collections gadget chains in Java. OWASP Top 10 A08:2021.
6What does "ASLR" (Address Space Layout Randomization) do to mitigate vulnerabilities?
CorrectB: It randomly arranges the memory positions of key data areas of a program, making it incredibly difficult for an attacker to predict where to inject or execute shellcode
ASLR randomizes the base addresses of the stack, heap, and loaded libraries (DLLs/shared objects) every time a program runs. This prevents an attacker from reliably predicting memory addresses needed to redirect execution (e.g., in ret2libc attacks or ROP chains). ASLR is most effective when combined with DEP/NX (no execution in data regions) and stack canaries. Bypasses include information leaks (revealing a real address) and brute-forcing 32-bit address spaces.
IncorrectB: It randomly arranges the memory positions of key data areas of a program, making it incredibly difficult for an attacker to predict where to inject or execute shellcode
ASLR randomizes the base addresses of the stack, heap, and loaded libraries (DLLs/shared objects) every time a program runs. This prevents an attacker from reliably predicting memory addresses needed to redirect execution (e.g., in ret2libc attacks or ROP chains). ASLR is most effective when combined with DEP/NX (no execution in data regions) and stack canaries. Bypasses include information leaks (revealing a real address) and brute-forcing 32-bit address spaces.
7In the context of Advanced Persistent Threats (APTs), what is "Living off the Land" (LotL)?
CorrectB: Attackers using pre-installed, legitimate administrative tools (like WMI, PowerShell, or PsExec) to execute attacks without downloading custom malware
Living off the Land (LotL) is a stealth technique where APT operators use tools already present on the victim's system β WMI, PowerShell, certutil, regsvr32, mshta, PsExec, BITSAdmin β to achieve objectives. Because these are legitimate admin tools, signature-based AV and EDR solutions struggle to distinguish malicious from legitimate use. Detection relies on behavioural analytics: unusual parent-child process relationships, abnormal PowerShell execution policies, and anomalous network connections spawned from desktop apps.
IncorrectB: Attackers using pre-installed, legitimate administrative tools (like WMI, PowerShell, or PsExec) to execute attacks without downloading custom malware
Living off the Land (LotL) is a stealth technique where APT operators use tools already present on the victim's system β WMI, PowerShell, certutil, regsvr32, mshta, PsExec, BITSAdmin β to achieve objectives. Because these are legitimate admin tools, signature-based AV and EDR solutions struggle to distinguish malicious from legitimate use. Detection relies on behavioural analytics: unusual parent-child process relationships, abnormal PowerShell execution policies, and anomalous network connections spawned from desktop apps.
8What is an "Integer Overflow"?
CorrectB: An arithmetic operation attempts to create a numeric value that is outside the range that can be represented with a given number of bits, causing unexpected behavior or memory corruption
Integer overflow occurs when an arithmetic operation produces a value exceeding the maximum for its data type β wrapping around to a small or negative number. In C/C++, an unsigned 8-bit integer holding 255 + 1 becomes 0. Attackers exploit this to cause incorrect size calculations in memory allocation: if a size variable overflows to a small number, the allocated buffer is much smaller than the data it receives β enabling a heap overflow. A famous example: the 2021 OpenSSL BN_mod_sqrt() integer overflow.
IncorrectB: An arithmetic operation attempts to create a numeric value that is outside the range that can be represented with a given number of bits, causing unexpected behavior or memory corruption
Integer overflow occurs when an arithmetic operation produces a value exceeding the maximum for its data type β wrapping around to a small or negative number. In C/C++, an unsigned 8-bit integer holding 255 + 1 becomes 0. Attackers exploit this to cause incorrect size calculations in memory allocation: if a size variable overflows to a small number, the allocated buffer is much smaller than the data it receives β enabling a heap overflow. A famous example: the 2021 OpenSSL BN_mod_sqrt() integer overflow.
9What is an "XML External Entity" (XXE) attack?
CorrectB: An attack against an application that parses XML input, allowing an attacker to view local files, interact with internal networks, or cause a DoS via malicious entity references
XXE exploits XML parsers that process external entity references. The attacker submits XML containing a declaration like <!ENTITY xxe SYSTEM "file:///etc/passwd">, causing the parser to read and return the local file content. Beyond file disclosure, XXE enables SSRF (by referencing internal network URLs), remote code execution (via PHP expect:// wrapper), and Billion Laughs DoS (nested entity expansion). OWASP Top 10 A05:2021. Prevention: disable external entity processing in the XML parser configuration.
IncorrectB: An attack against an application that parses XML input, allowing an attacker to view local files, interact with internal networks, or cause a DoS via malicious entity references
XXE exploits XML parsers that process external entity references. The attacker submits XML containing a declaration like <!ENTITY xxe SYSTEM "file:///etc/passwd">, causing the parser to read and return the local file content. Beyond file disclosure, XXE enables SSRF (by referencing internal network URLs), remote code execution (via PHP expect:// wrapper), and Billion Laughs DoS (nested entity expansion). OWASP Top 10 A05:2021. Prevention: disable external entity processing in the XML parser configuration.
10What is the difference between Reflected XSS and DOM-based XSS?
CorrectB: Reflected XSS involves the server bouncing the malicious script back to the client; DOM XSS occurs entirely within the browser's Document Object Model without server involvement
In Reflected XSS, the malicious script is included in the HTTP request (usually a URL parameter), reflected in the server's response, and executed by the victim's browser. In DOM-based XSS, the vulnerability lies entirely in client-side JavaScript: the script reads attacker-controlled data (from the URL hash, document.referrer, postMessage) and writes it unsafely to the DOM via innerHTML, document.write, or eval β the malicious payload never reaches the server, making server-side input filtering ineffective.
IncorrectB: Reflected XSS involves the server bouncing the malicious script back to the client; DOM XSS occurs entirely within the browser's Document Object Model without server involvement
In Reflected XSS, the malicious script is included in the HTTP request (usually a URL parameter), reflected in the server's response, and executed by the victim's browser. In DOM-based XSS, the vulnerability lies entirely in client-side JavaScript: the script reads attacker-controlled data (from the URL hash, document.referrer, postMessage) and writes it unsafely to the DOM via innerHTML, document.write, or eval β the malicious payload never reaches the server, making server-side input filtering ineffective.
11What is "Blind SQL Injection"?
CorrectB: An SQLi attack where the database does not return data to the web page, forcing the attacker to infer information by asking the database true/false questions or measuring response times
In Blind SQLi, the application does not display database error messages or query results, but the attacker can still extract data by inferring from indirect signals. Boolean-based blind SQLi sends true/false conditions (e.g., IF(1=1,SLEEP(5),0)) and infers results from differences in the response. Time-based blind SQLi uses database time-delay functions (SLEEP, WAITFOR DELAY) and measures response time. Though slow, automated tools like SQLmap can extract entire databases character by character.
IncorrectB: An SQLi attack where the database does not return data to the web page, forcing the attacker to infer information by asking the database true/false questions or measuring response times
In Blind SQLi, the application does not display database error messages or query results, but the attacker can still extract data by inferring from indirect signals. Boolean-based blind SQLi sends true/false conditions (e.g., IF(1=1,SLEEP(5),0)) and infers results from differences in the response. Time-based blind SQLi uses database time-delay functions (SLEEP, WAITFOR DELAY) and measures response time. Though slow, automated tools like SQLmap can extract entire databases character by character.
12What characterizes a "Supply Chain Attack"?
CorrectB: Compromising an organization by infiltrating a third-party vendor, software update mechanism, or trusted partner that has access to the target's systems (e.g., SolarWinds)
A supply chain attack targets a less-secure element in an organization's supply chain rather than the organization directly. The SolarWinds SUNBURST attack (2020) compromised SolarWinds' build pipeline to inject malicious code into legitimate software updates, reaching 18,000+ customers including US government agencies. The XZ Utils backdoor (2024) was a two-year social engineering effort to inject a backdoor into a widely used compression library. Supply chain attacks are devastating because victims trust signed updates from known vendors.
IncorrectB: Compromising an organization by infiltrating a third-party vendor, software update mechanism, or trusted partner that has access to the target's systems (e.g., SolarWinds)
A supply chain attack targets a less-secure element in an organization's supply chain rather than the organization directly. The SolarWinds SUNBURST attack (2020) compromised SolarWinds' build pipeline to inject malicious code into legitimate software updates, reaching 18,000+ customers including US government agencies. The XZ Utils backdoor (2024) was a two-year social engineering effort to inject a backdoor into a widely used compression library. Supply chain attacks are devastating because victims trust signed updates from known vendors.
13What is a "Format String Vulnerability"?
CorrectB: A bug where user input is passed directly to formatting functions (like printf in C), allowing an attacker to read from or write to arbitrary memory locations
C's printf family (printf, sprintf, fprintf) accept a format string with specifiers (%s, %x, %n). If user input is passed directly as the format string (printf(user_input) instead of printf("%s", user_input)), an attacker can inject their own format specifiers. %x reads values off the stack (leaking memory), %s reads strings from attacker-specified addresses (arbitrary read), and %n writes the count of characters printed to an attacker-specified address (arbitrary write) β enabling RCE. A classic but still-encountered C programming error.
IncorrectB: A bug where user input is passed directly to formatting functions (like printf in C), allowing an attacker to read from or write to arbitrary memory locations
C's printf family (printf, sprintf, fprintf) accept a format string with specifiers (%s, %x, %n). If user input is passed directly as the format string (printf(user_input) instead of printf("%s", user_input)), an attacker can inject their own format specifiers. %x reads values off the stack (leaking memory), %s reads strings from attacker-specified addresses (arbitrary read), and %n writes the count of characters printed to an attacker-specified address (arbitrary write) β enabling RCE. A classic but still-encountered C programming error.
14What is the mechanism behind hardware side-channel attacks like Spectre and Meltdown?
CorrectB: They exploit speculative execution in modern CPUs, allowing an attacker to read protected data from the processor's cache memory
Modern CPUs use speculative execution β predicting likely code paths and executing them before confirming the prediction β to improve performance. Spectre and Meltdown (discovered 2017) exploit this: although speculative execution results are discarded when a branch misprediction is detected, they leave measurable side effects in the CPU cache. An attacker uses Flush+Reload or Prime+Probe cache timing attacks to infer the discarded values β reading kernel memory (Meltdown) or cross-process memory (Spectre) without authorization. Mitigations involve costly kernel patches (KPTI) and microcode updates.
IncorrectB: They exploit speculative execution in modern CPUs, allowing an attacker to read protected data from the processor's cache memory
Modern CPUs use speculative execution β predicting likely code paths and executing them before confirming the prediction β to improve performance. Spectre and Meltdown (discovered 2017) exploit this: although speculative execution results are discarded when a branch misprediction is detected, they leave measurable side effects in the CPU cache. An attacker uses Flush+Reload or Prime+Probe cache timing attacks to infer the discarded values β reading kernel memory (Meltdown) or cross-process memory (Spectre) without authorization. Mitigations involve costly kernel patches (KPTI) and microcode updates.
15What is a "Downgrade Attack" (e.g., POODLE)?
CorrectB: Forcing a client and server to abandon a secure, modern cryptographic protocol (like TLS 1.3) and use an older, vulnerable one (like SSL 3.0)
Downgrade attacks exploit TLS/SSL backward compatibility: by interfering with the protocol negotiation handshake (using a MitM position), the attacker forces the client and server to agree on an older, vulnerable protocol version. POODLE (2014) exploited fallback to SSL 3.0, which has a CBC padding oracle vulnerability. BEAST and CRIME exploited TLS 1.0/1.1 weaknesses. Modern TLS 1.3 eliminates this by removing all backward compatible negotiation with insecure cipher suites.
IncorrectB: Forcing a client and server to abandon a secure, modern cryptographic protocol (like TLS 1.3) and use an older, vulnerable one (like SSL 3.0)
Downgrade attacks exploit TLS/SSL backward compatibility: by interfering with the protocol negotiation handshake (using a MitM position), the attacker forces the client and server to agree on an older, vulnerable protocol version. POODLE (2014) exploited fallback to SSL 3.0, which has a CBC padding oracle vulnerability. BEAST and CRIME exploited TLS 1.0/1.1 weaknesses. Modern TLS 1.3 eliminates this by removing all backward compatible negotiation with insecure cipher suites.
16What is "Server-Side Template Injection" (SSTI)?
CorrectB: An attacker injecting malicious input into a web template engine (like Jinja2 or Twig), leading to Server-Side Remote Code Execution
SSTI occurs when user-controlled input is embedded in a server-side template and evaluated by the template engine. In Flask/Jinja2, injecting {{{{7*7}}}} renders 49 β confirming injection. Escalating to RCE via Jinja2 sandbox escape allows accessing Python's os module and executing arbitrary OS commands. Every template engine has a different syntax and exploit chain, but the root cause is the same: treating user input as template code. Prevention: never pass user input to template render functions; validate strictly.
IncorrectB: An attacker injecting malicious input into a web template engine (like Jinja2 or Twig), leading to Server-Side Remote Code Execution
SSTI occurs when user-controlled input is embedded in a server-side template and evaluated by the template engine. In Flask/Jinja2, injecting {{{{7*7}}}} renders 49 β confirming injection. Escalating to RCE via Jinja2 sandbox escape allows accessing Python's os module and executing arbitrary OS commands. Every template engine has a different syntax and exploit chain, but the root cause is the same: treating user input as template code. Prevention: never pass user input to template render functions; validate strictly.
17What is "Web Cache Poisoning"?
CorrectB: Manipulating an application into saving a malicious, crafted response in its cache, which is then served to other legitimate users
Web cache poisoning (discovered/named by James Kettle, 2018) exploits how caches distinguish between requests. By identifying unkeyed inputs (HTTP headers or parameters the cache ignores when creating keys but the application uses in responses β like X-Forwarded-Host), an attacker can craft a request that poisons the cached response with injected content (XSS payloads, redirects). The poisoned response is then served to all users making the same keyed request, allowing mass exploitation without targeting individuals.
IncorrectB: Manipulating an application into saving a malicious, crafted response in its cache, which is then served to other legitimate users
Web cache poisoning (discovered/named by James Kettle, 2018) exploits how caches distinguish between requests. By identifying unkeyed inputs (HTTP headers or parameters the cache ignores when creating keys but the application uses in responses β like X-Forwarded-Host), an attacker can craft a request that poisons the cached response with injected content (XSS payloads, redirects). The poisoned response is then served to all users making the same keyed request, allowing mass exploitation without targeting individuals.
18How does a "Birthday Attack" compromise cryptographic hashes?
CorrectB: It uses the mathematical probability of collisions (the Birthday Paradox) to find two different inputs that produce the same hash output much faster than brute-forcing
The Birthday Paradox states that in a group of 23 people, there is a 50% probability that two share a birthday. Applied to cryptography: finding any two inputs that produce the same hash (a collision) requires only approximately βN operations, not N. For a 128-bit hash like MD5, finding a collision requires ~2^64 operations β feasible with modern hardware. This undermines hash-based digital signature schemes: an attacker can substitute a malicious document with the same hash as a legitimate signed document. SHA-256 and SHA-3 provide much larger collision resistance.
IncorrectB: It uses the mathematical probability of collisions (the Birthday Paradox) to find two different inputs that produce the same hash output much faster than brute-forcing
The Birthday Paradox states that in a group of 23 people, there is a 50% probability that two share a birthday. Applied to cryptography: finding any two inputs that produce the same hash (a collision) requires only approximately βN operations, not N. For a 128-bit hash like MD5, finding a collision requires ~2^64 operations β feasible with modern hardware. This undermines hash-based digital signature schemes: an attacker can substitute a malicious document with the same hash as a legitimate signed document. SHA-256 and SHA-3 provide much larger collision resistance.
19What is "DLL Hijacking"?
CorrectB: Tricking a Windows application into loading a malicious Dynamic Link Library (DLL) file by placing it in a specific directory with the name of a legitimate, required DLL
Windows applications load DLLs using a search order: the current directory is checked before System32 and other system directories. DLL hijacking exploits this by placing a malicious DLL with the same name as a required legitimate DLL in a directory earlier in the search order (typically the application's own directory). When the application loads, it inadvertently loads the malicious DLL, execute attacker code in the application's security context. DLL hijacking is a common persistence and privilege escalation technique in pentesting frameworks like Metasploit.
IncorrectB: Tricking a Windows application into loading a malicious Dynamic Link Library (DLL) file by placing it in a specific directory with the name of a legitimate, required DLL
Windows applications load DLLs using a search order: the current directory is checked before System32 and other system directories. DLL hijacking exploits this by placing a malicious DLL with the same name as a required legitimate DLL in a directory earlier in the search order (typically the application's own directory). When the application loads, it inadvertently loads the malicious DLL, execute attacker code in the application's security context. DLL hijacking is a common persistence and privilege escalation technique in pentesting frameworks like Metasploit.
20In an enterprise environment, what is the concept of "Kerberoasting"?
CorrectB: Extracting service account credential hashes from Active Directory via Kerberos tickets and cracking them offline
Kerberoasting exploits the Kerberos authentication protocol's ticket-granting mechanism. Any authenticated domain user can request a Kerberos TGS (Ticket-Granting Service) ticket for any service registered with an SPN (Service Principal Name). These tickets are encrypted with the associated service account's NTLM hash. An attacker requests tickets for service accounts (which often use weak, static passwords), extracts the encrypted portion, and cracks it offline using hashcat or John the Ripper. Mitigation: use 25+ character random service account passwords, enable AES encryption for Kerberos.
IncorrectB: Extracting service account credential hashes from Active Directory via Kerberos tickets and cracking them offline
Kerberoasting exploits the Kerberos authentication protocol's ticket-granting mechanism. Any authenticated domain user can request a Kerberos TGS (Ticket-Granting Service) ticket for any service registered with an SPN (Service Principal Name). These tickets are encrypted with the associated service account's NTLM hash. An attacker requests tickets for service accounts (which often use weak, static passwords), extracts the encrypted portion, and cracks it offline using hashcat or John the Ripper. Mitigation: use 25+ character random service account passwords, enable AES encryption for Kerberos.
Conclusion: Master Threats & Vulnerabilities
These 60 MCQs span the full offensive security knowledge stack β from recognizing the difference between a worm and a virus, through understanding how SQL injection manipulates database queries, to grasping how a Kerberoasting attack extracts offline-crackable hashes from Active Directory. Each question is designed to test the conceptual precision demanded by real certification exams.
After mastering these questions, continue building your cybersecurity foundation with the CIA Triad MCQs and the full theory notes for a complete understanding of both the attack landscape and the defensive frameworks that counter it.
Key Takeaways β Threats & Vulnerabilities
- Vulnerability = weakness in a system. Threat = potential danger that exploits it. Exploit = code that actively leverages a vulnerability.
- Worms self-replicate across networks autonomously; viruses need human action (opening a file) to spread.
- Zero-day = vendor-unknown flaw with no available patch; the most dangerous and valuable attack primitive.
- SQL Injection and XSS are the most persistently common web vulnerabilities (OWASP Top 10).
- CVSS scores vulnerabilities 0β10; CVE IDs (e.g., CVE-2021-44228) uniquely identify each public flaw.
- Buffer overflow ? overwrite return address ? execute shellcode. Mitigated by ASLR + DEP + stack canaries.
- ROP bypasses DEP/NX by chaining gadgets from existing executable code β no new shellcode needed.
- Pass-the-Hash uses stolen NTLM hashes directly; Kerberoasting extracts TGS tickets for offline cracking.
- Supply chain attacks (SolarWinds, XZ Utils) compromise trusted software delivery to reach thousands of targets at once.
- Spectre/Meltdown exploit CPU speculative execution side-channels β mitigated by kernel-level KPTI patches.
Quick Review & Summary
Use this table to consolidate key Threats & Vulnerabilities concepts before or after attempting the questions above.
| Concept | What It Is | Key Fact / Defence |
|---|---|---|
| Vulnerability | Weakness in a system that can be exploited | Risk = Threat Γ Vulnerability Γ Impact |
| Zero-Day | Unpatched, vendor-unknown flaw | NSA/GCHQ pay millions; Stuxnet used 4 zero-days |
| Ransomware | Encrypts data; demands ransom for key | Double extortion = encrypt + threaten to publish |
| Rootkit | Provides hidden root/admin persistent access | Hides in OS/firmware; evades standard AV |
| SQL Injection | Injects malicious SQL into web forms | Parameterised queries / prepared statements prevent it |
| XSS | Injects malicious JS into trusted web pages | Output encoding, CSP headers are defences |
| CVSS | 0β10 severity score for vulnerabilities | 9.0β10.0 = Critical; tracked via CVE IDs in NVD |
| Buffer Overflow | Overflows buffer ? overwrites return address | Mitigated by ASLR + DEP + stack canaries |
| ROP | Chains existing code gadgets to bypass DEP | Requires an info-leak to defeat ASLR too |
| Kerberoasting | Extracts TGS tickets ? offline hash cracking | 25+ char random SPN passwords; AES encryption |
Frequently Asked Questions
Q. How many Threats & Vulnerabilities MCQs are available on this page?
Q. What topics do these Threats & Vulnerabilities MCQs cover?
Q. Are these MCQs suitable for cybersecurity certification exams?
Q. What is the difference between a vulnerability and an exploit?
Q. What is the difference between Study Mode and Exam Mode?
Q. What are the most common advanced vulnerabilities tested in OSCP and CISSP?
Q. Can I practice these MCQs on my mobile phone?
Struggling with some questions? Re-read the full Theory Guide: Threats & Vulnerabilities