GFACT ACTUAL PAPER 2026
QUESTIONS WITH SOLUTIONS
GRADED A+
◉ (B3, Pg162) Which of the following is a common result of a
reflected cross-site scripting attack?
A)Tricking a user into making an authenticated transaction
B)Sending a website user's session cookie to an attacker
C) Embedding the attacker's malware in web application source code
D) Stealing password hashes from a website's back end database
*HINT* It may be under the session guessing section, but if you read
further into it, you will see where it mentions XSS attack.. Answer:
Sending a website user's session cookie to an attacker
◉ (B3, Pg90) What tool can be used to fingerprint the operating
system of a host?
A)netstat
B)dig
C)nslookup
,D)nmap. Answer: Nmap
◉ (B3, Pg151) What type of vulnerability is illustrated where there is
code in the web page?
A)File Inclusion
B) Clickjacking
C)Cross-Site Scripting
D) SQL injection
*HINT* While it doesn't exactly say "code in the web page", it
mentions how you can sometimes view a page that looks like PHP
code and how that code can gain you access to the access logs of the
server.. Answer: File Inclusion
◉ (B3, Pg88-89) An alert indicates that a compromised host was
used by an attacker to run the command below. What was the
attacker attempting to do?
$ nmap -sS 192.168.10.0/24
A)Map a network drive to a remote host
B)Identify services running on network hosts
C)Execute a script on a remote host
,D)Send Spoofed packets to network hosts. Answer: Identify services
running on network hosts
◉ What type of artifact can a blue team member use to identify the
name that is associated to the file?
A)Metadata
B)Windows security logs
C)Prefetch
D)File Ownership. Answer: Metadata
◉ (B3, Pg307-308) What is
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersio
n\Run considered to be?
A)Domain Name
B)Log File Path
C) Registry Key
D) Yo Mama's Number. Answer: A Registry Key
◉ (B1, Pg236) If a user agent is used, where would it be found in the
HTTP Protocol?
A)In the response header
, B)In the response body
C)Delimited by an h1 tag
D) In a GET Request. Answer: In a GET Request
◉ What benefit does moving from local logging to using a log server
provide organizations?
A) Enables the use of network intrusion detection systems (NIDS)
B) Harder for attackers to overwrite logs
C) Attackers will have to pivot through an extra server to infiltrate the
network
D)Less complex logging infrastructure. Answer: Harder for attackers
to overwrite logs
◉ (B3, Pg187) What is the only way to mitigate an integer
overflow/underflow?
A) Takin the absolute value of negative results prior to running the
equation
B) Checking that the result of any change to a signed integer falls
within an allowed range
C) Randomizing salt values prior to hashing user content
D) Sanitizing user input to block special characters from being
entered. Answer: Checking that the result of any change to a signed
integer falls within an allowed range
QUESTIONS WITH SOLUTIONS
GRADED A+
◉ (B3, Pg162) Which of the following is a common result of a
reflected cross-site scripting attack?
A)Tricking a user into making an authenticated transaction
B)Sending a website user's session cookie to an attacker
C) Embedding the attacker's malware in web application source code
D) Stealing password hashes from a website's back end database
*HINT* It may be under the session guessing section, but if you read
further into it, you will see where it mentions XSS attack.. Answer:
Sending a website user's session cookie to an attacker
◉ (B3, Pg90) What tool can be used to fingerprint the operating
system of a host?
A)netstat
B)dig
C)nslookup
,D)nmap. Answer: Nmap
◉ (B3, Pg151) What type of vulnerability is illustrated where there is
code in the web page?
A)File Inclusion
B) Clickjacking
C)Cross-Site Scripting
D) SQL injection
*HINT* While it doesn't exactly say "code in the web page", it
mentions how you can sometimes view a page that looks like PHP
code and how that code can gain you access to the access logs of the
server.. Answer: File Inclusion
◉ (B3, Pg88-89) An alert indicates that a compromised host was
used by an attacker to run the command below. What was the
attacker attempting to do?
$ nmap -sS 192.168.10.0/24
A)Map a network drive to a remote host
B)Identify services running on network hosts
C)Execute a script on a remote host
,D)Send Spoofed packets to network hosts. Answer: Identify services
running on network hosts
◉ What type of artifact can a blue team member use to identify the
name that is associated to the file?
A)Metadata
B)Windows security logs
C)Prefetch
D)File Ownership. Answer: Metadata
◉ (B3, Pg307-308) What is
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersio
n\Run considered to be?
A)Domain Name
B)Log File Path
C) Registry Key
D) Yo Mama's Number. Answer: A Registry Key
◉ (B1, Pg236) If a user agent is used, where would it be found in the
HTTP Protocol?
A)In the response header
, B)In the response body
C)Delimited by an h1 tag
D) In a GET Request. Answer: In a GET Request
◉ What benefit does moving from local logging to using a log server
provide organizations?
A) Enables the use of network intrusion detection systems (NIDS)
B) Harder for attackers to overwrite logs
C) Attackers will have to pivot through an extra server to infiltrate the
network
D)Less complex logging infrastructure. Answer: Harder for attackers
to overwrite logs
◉ (B3, Pg187) What is the only way to mitigate an integer
overflow/underflow?
A) Takin the absolute value of negative results prior to running the
equation
B) Checking that the result of any change to a signed integer falls
within an allowed range
C) Randomizing salt values prior to hashing user content
D) Sanitizing user input to block special characters from being
entered. Answer: Checking that the result of any change to a signed
integer falls within an allowed range
