Free GCIH Web App Attacks Practice Test 2026 — GIAC Incident Handler Questions

This free GCIH Web App Attacks practice test covers web application attacks — SQL injection, XSS, CSRF, the OWASP Top 10, command injection, and local/remote file inclusion. Each question includes a detailed explanation — perfect for GIAC Certified Incident Handler / SANS SEC504 exam prep.

6 Free GCIH Web App Attacks Practice Questions with Answers

Sample Question 1 — Web App Attacks

During a routine web application security assessment, you encounter a page that allows users to submit feedback. You suspect the page is vulnerable to SQL injection. Which of the following is the best initial test to confirm this vulnerability?

  A. Insert a single quote (') into the input field and observe the response. (Correct answer)
  B. Attempt to upload a large file to the server through the input field.
  C. Use a web proxy tool to intercept and modify HTTP headers.
  D. Run a port scan on the server hosting the application.

Correct answer: A

Explanation: Option A is correct because inserting a single quote (') is a common technique to test for SQL injection vulnerabilities. If the application is vulnerable, it may return a database error or behave unexpectedly, indicating improper handling of input. Option B is unrelated to SQL injection and more relevant to testing file upload vulnerabilities. Option C, while useful for various testing scenarios, is not a direct SQL injection test. Option D is irrelevant to SQL injection as it focuses on network-level scanning rather than application-level testing.

Sample Question 2 — Web App Attacks

An incident response team is investigating a suspected cross-site scripting (XSS) attack on a web application. Which of the following actions should be taken first to identify the vulnerability?

  A. Review the application's source code for unescaped user input. (Correct answer)
  B. Capture and analyze network traffic using Wireshark.
  C. Check server logs for unusual login attempts.
  D. Perform a vulnerability scan using Nmap.

Correct answer: A

Explanation: Option A is correct because reviewing the application's source code for unescaped user input is a direct method to identify XSS vulnerabilities. XSS occurs when an application includes untrusted data in a web page without proper validation or escaping. Option B, while useful in network investigations, is not directly related to identifying XSS. Option C is more relevant to identifying brute force or unauthorized access attempts. Option D, while useful for discovering open ports and services, is not applicable for detecting XSS vulnerabilities.

Sample Question 3 — Web App Attacks

During a routine security monitoring task, you notice unusual traffic patterns directed at your web application server. Initial logs suggest a potential SQL injection attack. As an incident handler, what is your best first step?

  A. Immediately shut down the web server to prevent further damage.
  B. Use Wireshark to capture and analyze network packets for further investigation.
  C. Review web server logs to identify specific SQL queries that might indicate injection attempts. (Correct answer)
  D. Deploy a web application firewall (WAF) to block potential SQL injection attempts.

Correct answer: C

Explanation: The best first step is to review the web server logs to identify specific SQL queries that might indicate injection attempts (Option C). This action provides immediate insights into the nature of the attack without disrupting the service. Shutting down the server (Option A) is too drastic and could impact business operations. Using Wireshark (Option B) is more suited for network-level analysis, whereas the issue is at the application layer. Deploying a WAF (Option D) is a preventive measure but doesn't help in understanding the current incident, making it less effective as an initial response.

Sample Question 4 — Web App Attacks

You are an incident handler responding to a suspected SQL injection attack on your company's web application. What is the first step you should take to begin your investigation?

  A. Shut down the web server to prevent further attacks.
  B. Review the web server logs to identify malicious queries. (Correct answer)
  C. Deploy a web application firewall (WAF) to block further SQL injection attempts.
  D. Notify the development team to patch the vulnerability immediately.

Correct answer: B

Explanation: The first step in responding to a suspected SQL injection attack is to review the web server logs to identify malicious queries. This helps in understanding the scope of the attack and the specific queries used by the attacker. Shutting down the web server (A) or deploying a WAF (C) might be necessary later, but they are not immediate investigative steps. Notifying the development team (D) is important, but understanding the attack details first is crucial.

Sample Question 5 — Web App Attacks

During an incident involving a cross-site scripting (XSS) attack, what is the most effective initial action to take?

  A. Use Wireshark to capture network traffic for analysis.
  B. Analyze the web application logs for suspicious input fields. (Correct answer)
  C. Run a vulnerability scan using Nmap to identify other open ports.
  D. Conduct a code review of the affected web application.

Correct answer: B

Explanation: The most effective initial action is to analyze the web application logs for suspicious input fields. This helps identify how the XSS payload was injected and which parts of the application are vulnerable. Wireshark (A) and Nmap (C) are not the best initial tools for this specific type of attack. Conducting a code review (D) is important but comes after identifying the attack vectors.

Sample Question 6 — Web App Attacks

An alert indicates a potential directory traversal attack on your web server. What is the first action you should take to confirm the attack?

  A. Perform a full system scan with antivirus software.
  B. Check the web server's access logs for unusual file requests. (Correct answer)
  C. Immediately update the web server's software to the latest version.
  D. Use Exiftool to examine any downloaded files for metadata anomalies.

Correct answer: B

Explanation: The first action to confirm a directory traversal attack is to check the web server's access logs for unusual file requests. This can reveal attempts to access sensitive files outside the web root. A full system scan (A) and updating software (C) are preventive measures, not initial investigative steps. Exiftool (D) is not relevant for this type of attack.
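The log-review step that Questions 3 through 6 name as the correct first move, shown as an added Python example (not part of this practice test or of any SANS/GIAC material): it parses constructed Apache/nginx combined-format access log lines, URL-decodes the request (repeatedly, so double-encoded traversal like `%252F` is not missed) and flags the SQL injection, XSS and directory traversal indicators the questions describe. The indicator patterns, sample entries and IP addresses are illustrative assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:10:01:02 +0000] "GET /feedback?msg=great+site HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:10:01:09 +0000] "GET /feedback?msg=test%27 HTTP/1.1" 500 221 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:10:01:15 +0000] "GET /item?id=1%20UNION%20SELECT%20null HTTP/1.1" 200 77 "-" "curl/8.0"
198.51.100.2 - - [10/Mar/2026:10:02:30 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:10:03:01 +0000] "GET /download?file=..%252F..%252Fapp.config HTTP/1.1" 403 0 "-" "curl/8.0"
"""

# Fields of one combined-format line: client IP, timestamp, method, path+query, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic indicators, matched against the fully decoded request. These are
# noisy (a legitimate apostrophe in feedback text trips the SQLi rule), so each
# hit is a lead for analyst triage, not a confirmed attack. A quote followed by a
# 5xx response is the "database error" signal described in Question 1.
INDICATORS = {
    "sqli": re.compile(r"'|--|\bunion\b\s+\bselect\b|\bor\b\s+\d+=\d+", re.I),
    "xss": re.compile(r"<script|javascript:|onerror\s*=", re.I),
    "traversal": re.compile(r"\.\.[/\\]"),
}

def normalize(url):
    """Percent-decode up to three times so double-encoded requests are seen as sent."""
    for _ in range(3):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def scan_log(text):
    """Return (ip, category, status, decoded_request) for every indicator hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines rather than crash
        request = normalize(m.group("path"))
        for category, pattern in INDICATORS.items():
            if pattern.search(request):
                findings.append((m.group("ip"), category, int(m.group("status")), request))
    return findings

def summarize_by_ip(findings):
    """Hits per source IP, the scoping view Questions 3 and 4 ask the handler for."""
    counts = {}
    for ip, *_ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(summarize_by_ip(hits))
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents; a hit count per IP together with the response status tells the handler whether the probe produced errors worth escalating.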
