FlashGenius Logo FlashGenius
Login Sign Up

GWAPT Practice Questions: Authentication Attacks Domain

Published: September 28, 2025 | 20 min read

Test your GWAPT knowledge with 10 practice questions from the Authentication Attacks domain. Includes detailed explanations and answers.

GWAPT Practice Questions

Master the Authentication Attacks Domain

Test your knowledge in the Authentication Attacks domain with these 10 practice questions. Each question is designed to help you prepare for the GWAPT certification exam with detailed explanations to reinforce your learning.

Question 1

While testing a web application, you identify that the login form is vulnerable to a brute force attack. Which Burp Suite feature would you use to automate this attack and why?

A) Repeater, because it allows manual, repeated requests with modified parameters.

B) Intruder, because it enables automated, customized attacks with payloads.

C) Scanner, because it automatically identifies vulnerabilities.

D) Decoder, because it helps decode and encode data for analysis.

Show Answer & Explanation

Correct Answer: B

Explanation: Burp Suite's Intruder tool is specifically designed for automating attacks like brute force attacks. It allows testers to set payload positions and test multiple combinations of usernames and passwords efficiently. Option A is incorrect because Repeater is used for manual requests. Option C is incorrect because Scanner is for discovering vulnerabilities, not executing attacks. Option D is incorrect because Decoder is used for data transformation, not automated attacks.

Question 2

Using OWASP ZAP, you identify that a web application does not implement account lockout after multiple failed login attempts. What is a likely consequence of this vulnerability?

A) Increased risk of Cross-Site Scripting (XSS)

B) Increased risk of Brute Force Attacks

C) Increased risk of SQL Injection

D) Increased risk of Session Hijacking

Show Answer & Explanation

Correct Answer: B

Explanation: The correct answer is B, Increased risk of Brute Force Attacks. Without an account lockout mechanism, attackers can repeatedly attempt different password combinations without being stopped, making brute force attacks feasible. XSS (A) and SQL Injection (C) are unrelated to login attempts. Session Hijacking (D) involves taking over an active session, which is not directly related to login attempts.

Question 3

While performing a penetration test, you find that a web application uses a custom authentication token in a cookie. The token is structured as follows: ``` user=admin;timestamp=1678901234;signature=abc123 ``` You suspect the token is vulnerable to a replay attack. What characteristic of the token most contributes to this vulnerability?

A) The use of a static signature value.

B) The inclusion of the username in the token.

C) The presence of a timestamp in the token.

D) The storage of the token in a cookie.

Show Answer & Explanation

Correct Answer: A

Explanation: Option A is correct because a static signature value allows the token to be reused in a replay attack. Option B is incorrect as the username's presence does not contribute to replay vulnerability. Option C is incorrect because a timestamp can help prevent replay attacks if used correctly. Option D is incorrect as storing tokens in cookies is common practice and does not inherently lead to replay vulnerabilities.

Question 4

You intercepted the following HTTP request during a penetration test: ``` POST /login HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded username=admin&password=admin123 ``` Which tool would you use to test for credential stuffing attacks using this request, and what is the primary concern with this attack type?

A) OWASP ZAP, because it can automate SQL injection payloads.

B) Burp Suite Intruder, because it can test multiple credential combinations.

C) SQLMap, because it can automate database exploitation.

D) Wireshark, because it can capture and analyze network traffic.

Show Answer & Explanation

Correct Answer: B

Explanation: Burp Suite's Intruder is ideal for testing credential stuffing attacks as it allows you to automate the testing of multiple username and password combinations. Credential stuffing is a concern because it exploits users who reuse passwords across different sites. Option A is incorrect because OWASP ZAP is more suited for vulnerability scanning, not credential stuffing. Option C is incorrect as SQLMap is for SQL injection, not authentication attacks. Option D is incorrect because Wireshark is used for network traffic analysis, not executing attacks.

Question 5

During a security assessment, you find that a web application uses a custom authentication mechanism. The login form sends credentials over HTTP as a JSON payload. Which Burp Suite feature would best help you analyze and attempt to exploit this custom authentication?

A) Sequencer

B) Decoder

C) Repeater

D) Scanner

Show Answer & Explanation

Correct Answer: C

Explanation: The correct answer is C. Repeater allows you to manually manipulate and resend HTTP requests, which is ideal for testing custom authentication mechanisms. Sequencer is used for analyzing the randomness of tokens, Decoder is for encoding/decoding, and Scanner is for automated vulnerability scanning.

Question 6

You are testing a web application that uses JSON Web Tokens (JWT) for authentication. You observe the following token: ``` eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.s5c7p7a6h8j9k5l3m4n8o9p0q1r2t3u4 ``` Which technique could you use to potentially bypass authentication if the server is vulnerable?

A) Brute force the JWT secret key

B) Use SQL injection

C) Perform Cross-Site Scripting (XSS)

D) Conduct a CSRF attack

Show Answer & Explanation

Correct Answer: A

Explanation: The correct answer is A. If the JWT is signed with a weak secret key, you can potentially brute force the key and generate valid tokens to bypass authentication. SQL injection, XSS, and CSRF are unrelated to exploiting JWT vulnerabilities directly.

Question 7

While testing a web application, you use Burp Suite to intercept a login request and notice the following response header: 'Set-Cookie: sessionid=abc123; HttpOnly'. What can you infer about the security of the session management?

A) The session cookie is protected against JavaScript access, reducing XSS risk.

B) The session cookie is encrypted, ensuring confidentiality.

C) The session cookie is vulnerable to SQL Injection.

D) The session cookie is using secure flag, protecting it over HTTP.

Show Answer & Explanation

Correct Answer: A

Explanation: Option A is correct because the HttpOnly attribute in the response header prevents JavaScript from accessing the session cookie, reducing the risk of session hijacking via XSS. Option B is incorrect as HttpOnly does not encrypt the cookie. Option C is incorrect because SQL Injection is unrelated to cookie attributes. Option D is incorrect because the secure flag is not mentioned; HttpOnly does not protect against transmission over HTTP.

Question 8

While testing a web application's authentication mechanism, you notice a login form that uses HTTP Basic Authentication. Using Burp Suite, you intercept the following request: ``` GET /secure-area HTTP/1.1 Host: example.com Authorization: Basic dXNlcjpwYXNzd29yZA== ``` What is a significant security weakness of this authentication method?

A) The credentials are sent in plain text, making them vulnerable to interception.

B) The credentials are sent in a base64 encoded format, which can easily be decoded.

C) The credentials are hashed using MD5, which is a weak hashing algorithm.

D) The credentials are sent using a secure channel, but the session management is weak.

Show Answer & Explanation

Correct Answer: B

Explanation: Option B is correct because HTTP Basic Authentication encodes the credentials in base64, which is not encryption and can be easily decoded. Option A is incorrect because while base64 is not encryption, the credentials are not sent in plain text. Option C is incorrect as MD5 is not used in Basic Authentication. Option D is incorrect because the question does not specify secure channel usage or session management.

Question 9

You are tasked with testing a web application for authentication vulnerabilities. You notice that the application uses a CAPTCHA on its login form. Which technique would best test the CAPTCHA's effectiveness against automated attacks?

A) Using a CAPTCHA-solving service to bypass the challenge.

B) Attempting to disable CAPTCHA through client-side manipulation.

C) Performing a dictionary attack without considering the CAPTCHA.

D) Testing with a proxy tool to intercept and modify CAPTCHA responses.

Show Answer & Explanation

Correct Answer: A

Explanation: Using a CAPTCHA-solving service is a practical way to evaluate the CAPTCHA's effectiveness against automated attacks. These services simulate how attackers might bypass CAPTCHA protections. Option B is incorrect because client-side manipulation may not affect server-side CAPTCHA validation. Option C is incorrect because ignoring CAPTCHA would not test its effectiveness. Option D is incorrect because modifying CAPTCHA responses without solving them does not test its security.

Question 10

You are using Burp Suite to test the login functionality of a web application. After entering incorrect credentials, you notice the response contains the following header: ``` Set-Cookie: sessionid=abc123; HttpOnly ``` What potential vulnerability should you investigate further?

A) Cross-Site Scripting (XSS)

B) Session Fixation

C) Cross-Site Request Forgery (CSRF)

D) Brute Force Attack

Show Answer & Explanation

Correct Answer: B

Explanation: The correct answer is B, Session Fixation. The presence of a session ID in the response after a failed login attempt could indicate a session fixation vulnerability, where an attacker sets a session ID value that the victim then uses. XSS (A) is not directly related to session management. CSRF (C) involves exploiting the trust of a web application in the user's browser, not session fixation. Brute Force Attack (D) involves guessing passwords, which is unrelated to session ID handling.

Ready to Accelerate Your GWAPT Preparation?

Join thousands of professionals who are advancing their careers through expert certification preparation with FlashGenius.

  • ✅ Unlimited practice questions across all GWAPT domains
  • ✅ Full-length exam simulations with real-time scoring
  • ✅ AI-powered performance tracking and weak area identification
  • ✅ Personalized study plans with adaptive learning
  • ✅ Mobile-friendly platform for studying anywhere, anytime
  • ✅ Expert explanations and study resources
Start Free Practice Now

Already have an account? Sign in here

About GWAPT Certification

The GWAPT certification validates your expertise in authentication attacks and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.

Practice Tests — Focused, timed, domain-based

Sharpen skills with domain-specific practice questions and timed exam simulations tailored for GWAPT on FlashGenius. Below pages have some sample questions

Tip: use the domain practice tests for targeted drilling and the cheat sheet for quick remediation notes after each mock.