Web Application Penetration Testing
Handbook. Latest 2026-2027.
Questions and Correct Answers.
Graded A
.jar - ANSjava archived files
.xap - ANSsilverlight bytecode object files
& - ANSHTML Encoding &
' - ANSHTML Encoding '
> - ANSHTML Encoding >
< - ANSHTML Encoding <
" - ANSHTML Encoding "
%00 - ANSURL Encoding Null byte
%0a - ANSurl encoding new line
%3d - ANSURL Encoding =
1
,%20 - ANSurl encoding space
%25 - ANSurl encoding %
404 Not Found - ANSindicates that the requested resource does not exist
405 Method Not Allowed - ANSIndicates that the method used in the
request is not supported for that specific URL (think PUT)
AJAX - ANSCollection of programming techniques used on the client side
to create user interfaces that aim to mimic smooth interaction and dynamic
behavior of traditional desktop applications
Analysis of Applications Steps - ANSthe application's core functionality- the
actions that can be taken that are intended
other peripheral behavior, including offsite links, error messages,
administrative and logging functions and use of redirects
core security mechanisms and how they function, session state, access
controls, authentication mechanisms, supporting logic ( user registration,
password change, and account recovery)
all locations where app processes user supplied input
technologies employed on the client side (scripts, forms, thick client
components (java Applets, activex controls, flash) and cookies
2
, any other detail that may glean about the internal structure and functionality
of the server side application
Application Pages - ANStypically unique URLs to describe a single function
ASP.NET Functions - ANSuses Microsofts .NET Framework which
provides a virtual machine and a powerful set of APIs. Hence ASP.NET
applications can be written in any .NET language
Authentication Technologies - ANSHTML Form-based authentication
Multifactor mechanisms
Client SSL certificates
HTTP basic and digest authentication
Windows integrated authentication using NTLM or Kerberos
Authentication services
Bad Password Types - ANSVery Short or blank
Common dictionary words or names
The same as the username
Still set to a default value
3
Handbook. Latest 2026-2027.
Questions and Correct Answers.
Graded A
.jar - ANSjava archived files
.xap - ANSsilverlight bytecode object files
& - ANSHTML Encoding &
' - ANSHTML Encoding '
> - ANSHTML Encoding >
< - ANSHTML Encoding <
" - ANSHTML Encoding "
%00 - ANSURL Encoding Null byte
%0a - ANSurl encoding new line
%3d - ANSURL Encoding =
1
,%20 - ANSurl encoding space
%25 - ANSurl encoding %
404 Not Found - ANSindicates that the requested resource does not exist
405 Method Not Allowed - ANSIndicates that the method used in the
request is not supported for that specific URL (think PUT)
AJAX - ANSCollection of programming techniques used on the client side
to create user interfaces that aim to mimic smooth interaction and dynamic
behavior of traditional desktop applications
Analysis of Applications Steps - ANSthe application's core functionality- the
actions that can be taken that are intended
other peripheral behavior, including offsite links, error messages,
administrative and logging functions and use of redirects
core security mechanisms and how they function, session state, access
controls, authentication mechanisms, supporting logic ( user registration,
password change, and account recovery)
all locations where app processes user supplied input
technologies employed on the client side (scripts, forms, thick client
components (java Applets, activex controls, flash) and cookies
2
, any other detail that may glean about the internal structure and functionality
of the server side application
Application Pages - ANStypically unique URLs to describe a single function
ASP.NET Functions - ANSuses Microsofts .NET Framework which
provides a virtual machine and a powerful set of APIs. Hence ASP.NET
applications can be written in any .NET language
Authentication Technologies - ANSHTML Form-based authentication
Multifactor mechanisms
Client SSL certificates
HTTP basic and digest authentication
Windows integrated authentication using NTLM or Kerberos
Authentication services
Bad Password Types - ANSVery Short or blank
Common dictionary words or names
The same as the username
Still set to a default value
3
