Chapter 44 Quiz: Web Application Penetration Testing¶

B — Classic (in-band) SQL injection — the unsanitized input modifies the query logic to return all rows by making the WHERE condition always true

String concatenation without parameterized queries allows attacker input to break out of the intended SQL context. The injected ' OR '1'='1' -- closes the original string literal, adds an always-true condition (OR '1'='1'), and comments out the rest of the query. This is in-band SQLi because results are returned directly in the application's response. Parameterized queries (prepared statements) prevent this by separating data from code.

B — Username enumeration through differential response analysis, classified under OWASP A07:2021 Identification and Authentication Failures

Different error messages for valid vs. invalid usernames allow attackers to enumerate valid accounts before attempting password attacks. This falls under OWASP A07:2021 (Identification and Authentication Failures). Secure applications should return a generic message like "Invalid credentials" regardless of whether the username or password was incorrect, and implement consistent response timing to prevent timing-based enumeration.

B — Reflected XSS requires the victim to click a crafted link containing the payload; Stored XSS persists in the application's database and executes for every user who views the affected page

Reflected XSS payloads are embedded in URLs or form submissions and reflected back in the response — they require victim interaction with a crafted link. Stored XSS payloads are persisted server-side (in databases, comments, profiles) and execute automatically when any user views the affected content. Stored XSS is generally higher impact because it affects all visitors without requiring individual targeting.

B — Server-Side Request Forgery (SSRF) targeting cloud instance metadata services

SSRF occurs when an application can be tricked into making HTTP requests to arbitrary destinations from the server side. The URL 169.254.169.254 is the AWS EC2 Instance Metadata Service (IMDS) endpoint. Successful SSRF to this endpoint can expose IAM role credentials, allowing the attacker to access AWS services with the instance's permissions. This is classified under OWASP A10:2021 (Server-Side Request Forgery).

B — XML External Entity (XXE) injection — the XML parser processes external entity declarations that reference local files or external resources

XXE exploits XML parsers configured to process Document Type Definitions (DTDs) and external entities. The SYSTEM keyword instructs the parser to fetch the contents of /etc/passwd and include it in the parsed document. Mitigation requires disabling DTD processing and external entity resolution in the XML parser configuration. XXE falls under OWASP A05:2021 (Security Misconfiguration).

B — JWT algorithm confusion — the server fails to enforce the expected signing algorithm and accepts unsigned tokens

The alg: none attack exploits JWT libraries that accept the algorithm specified in the token header without server-side validation. By changing the algorithm to "none" and removing the signature, the attacker creates a valid-looking token that bypasses signature verification. Secure implementations must enforce a whitelist of allowed algorithms server-side and reject tokens with unexpected algorithm values.

B — Broken Object Level Authorization (BOLA/IDOR) — the API does not verify that the authenticated user is authorized to access the requested resource

BOLA (Broken Object Level Authorization), also known as IDOR (Insecure Direct Object Reference), occurs when the API relies on client-supplied object IDs without verifying that the authenticated user has permission to access that specific object. This is the #1 vulnerability in the OWASP API Security Top 10 (API1:2023). Remediation requires server-side authorization checks on every object access.

B — CSP controls which sources of content (scripts, styles, images) the browser is allowed to load, primarily mitigating Cross-Site Scripting (XSS) attacks

Content Security Policy is an HTTP response header that instructs browsers to only load resources (JavaScript, CSS, images, fonts, frames) from explicitly whitelisted sources. Even if an attacker successfully injects a script tag via XSS, the browser will refuse to execute it if the script's source violates the CSP policy. Effective CSP configurations avoid unsafe-inline and unsafe-eval directives.

B — Server-Side Template Injection (SSTI) — user input is evaluated as template code on the server

SSTI occurs when user input is embedded directly into server-side template engine code rather than passed as data. The expression {{7*7}} being evaluated to 49 confirms that the template engine (Jinja2, Twig, Freemarker, etc.) is processing user input as executable code. SSTI can escalate to remote code execution through template engine-specific payload chains that access the underlying runtime environment.

B — A03:2021 — Injection

OWASP A03:2021 (Injection) encompasses all injection flaws including SQL injection, command injection, LDAP injection, and XPath injection. Command injection specifically occurs when user input is passed to operating system shell commands without proper sanitization. The primary defense is never passing user input directly to system commands; when unavoidable, use parameterized APIs, input validation, and least-privilege execution contexts.

B — Token leakage via browser history, server logs, proxy logs, and Referer headers, enabling account takeover if an attacker obtains the token

Sensitive tokens in URL parameters are exposed through multiple channels: browser history, web server access logs, proxy logs, analytics platforms, and Referer headers sent to third-party resources. Any of these leakage points could allow an attacker to obtain a valid reset token and take over the account. Secure implementations deliver tokens via POST bodies or short-lived, single-use tokens with Referrer-Policy headers set to no-referrer.

B — Mass Assignment (Excessive Data Exposure) — the API binds all client-supplied fields to the data model without filtering

Mass Assignment occurs when an API automatically binds client-supplied JSON/form parameters to internal data model properties without a whitelist. Attackers can inject additional fields (role, isAdmin, balance, permissions) that the API processes despite not being exposed in the UI. This is API6:2023 in the OWASP API Security Top 10. Remediation requires explicit property whitelisting on the server side.

B — Boolean-based infers data from true/false differences in application responses; time-based infers data from deliberate delays introduced by SQL sleep functions when conditions are true

In blind Boolean-based SQLi, the attacker crafts conditions (e.g., AND SUBSTRING(password,1,1)='a') and observes response differences (different content, status codes, or page behavior) for true vs. false conditions. In time-based blind SQLi, the attacker uses database-specific sleep functions (e.g., WAITFOR DELAY '0:0:5' in MSSQL, SLEEP(5) in MySQL) to introduce measurable delays when conditions are true, extracting data one bit at a time.

B — Clickjacking — where an attacker embeds the target site in a transparent iframe and tricks users into clicking invisible elements

Clickjacking (UI redressing) overlays a transparent iframe of the target application over an attacker-controlled page, tricking users into performing unintended actions (changing settings, transferring funds) by clicking what appears to be benign content. X-Frame-Options: DENY instructs browsers to refuse rendering the page inside any iframe. The modern replacement is the CSP frame-ancestors directive.

B — A05:2021 — Security Misconfiguration — verbose error messages expose implementation details that aid further attacks such as SQL injection refinement and infrastructure mapping

Verbose error messages are a classic security misconfiguration. Stack traces reveal framework versions, database types, file paths, and query structures. Internal IP addresses expose network architecture. This information helps attackers refine injection payloads, identify vulnerable components, and map internal infrastructure. Production applications should return generic error messages and log detailed errors server-side only.