100+ Free EC-Council CASE Practice Questions

Pass your EC-Council Certified Application Security Engineer (CASE .NET 312-95 / Java 312-96) exam on the first try — instant access, no signup required.

What does CSRF protection rely on in a SameSite=None cookie scenario, since SameSite no longer blocks cross-site sends?

Key Facts: EC-Council CASE Exam (2026 Statistics)

  • Exam Questions: 50 (EC-Council CASE 312-95 / 312-96)
  • Exam Duration: 2 hours (EC-Council CASE Blueprint)
  • Passing Score: 70% (EC-Council CASE)
  • Total Fee: $550 ($450 voucher + $100 application)
  • Content Domains: 9 (CASE blueprint domains)
  • Certification Validity: 3 years (ECE 120 credits required)

EC-Council CASE is a 50-question, 2-hour, 70% passing-score exam offered as two parallel tracks: CASE .NET (312-95) and CASE Java (312-96). The total fee is $550 USD ($450 exam voucher + $100 application fee for self-study candidates). The exam covers nine domains spanning AppSec threats, security requirements (NIST SSDF, ASVS, ISO 27001), secure design and architecture, secure coding (input validation, AuthN/Z, cryptography, session and error handling), SAST/DAST/IAST tooling, and secure deployment with security headers and supply-chain integrity. Most domains are language-agnostic; secure-coding questions diverge by track between .NET and Java.

Sample EC-Council CASE Practice Questions

Try these sample questions to test your EC-Council CASE exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which OWASP Top 10 2021 category specifically replaced 'Sensitive Data Exposure' from the 2017 list to broaden the scope of cryptography-related risks?
A. A02:2021 Cryptographic Failures
B. A01:2021 Broken Access Control
C. A04:2021 Insecure Design
D. A07:2021 Identification and Authentication Failures
Explanation: OWASP renamed 'Sensitive Data Exposure' to 'A02:2021 Cryptographic Failures' to focus the category on the underlying cause — failures in cryptographic controls — rather than only the symptom of exposed data. This includes weak algorithms, missing encryption in transit/at rest, hardcoded keys, and improper key management.
2. In STRIDE threat modeling, which threat category maps to the security property 'Non-Repudiation'?
A. Spoofing
B. Tampering
C. Repudiation
D. Information Disclosure
Explanation: STRIDE pairs each threat with the security property it violates. Repudiation maps to Non-Repudiation: an attacker performs an action and later denies it, defeated by audit logs and digital signatures. The full mapping is Spoofing→Authentication, Tampering→Integrity, Repudiation→Non-Repudiation, Information Disclosure→Confidentiality, Denial of Service→Availability, and Elevation of Privilege→Authorization.
3. An attacker submits the input ' OR '1'='1' -- into a login form and bypasses authentication. Which OWASP Top 10 2021 category does this BEST illustrate?
A. A01:2021 Broken Access Control
B. A03:2021 Injection
C. A07:2021 Identification and Authentication Failures
D. A05:2021 Security Misconfiguration
Explanation: Classic SQL injection through unvalidated input is captured under A03:2021 Injection. Although authentication is bypassed, the root cause is the application interpreting attacker-controlled data as SQL code. The remediation is parameterized queries / prepared statements, not authentication hardening.
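The bypass and its remediation from question 3, as an added example that is not part of the original page. It is written in Python with an in-memory SQLite database and constructed sample rows so it runs stand-alone; the exam's track-specific equivalents are .NET SqlCommand parameters and Java PreparedStatement.

```python
import sqlite3

# Constructed sample rows; real systems store password hashes (Argon2id/BCrypt),
# but plaintext keeps the injection mechanics visible here.
USERS = [("alice", "correct-horse"), ("bob", "battery-staple")]


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(username: str, password: str) -> bool:
    """The 'before': SQL built by concatenation, so the quote and the SQL
    comment marker (--) in the input are interpreted as code."""
    sql = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return _connect().execute(sql).fetchone() is not None


def login_parameterized(username: str, password: str) -> bool:
    """The fix: placeholders bind the input as data, never as SQL text."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return _connect().execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    payload = "' OR '1'='1' --"   # the input quoted in the question
    print("vulnerable login bypassed:", login_vulnerable(payload, "anything"))
    print("parameterized login bypassed:", login_parameterized(payload, "anything"))
```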
4. Which threat-modeling deliverable is BEST used to systematically describe how an attacker might misuse a feature, rather than how a normal user uses it?
A. User stories
B. Use cases
C. Abuse cases
D. Acceptance criteria
Explanation: Abuse cases (also called misuse cases) describe attacker goals against a feature — for example, 'as an attacker, I will replay a stolen session token to access a victim's account.' They sit alongside positive use cases and feed security requirements and test cases.
5. An application reflects user input into the HTML body of a response without encoding. Which attack class is MOST directly enabled?
A. Cross-Site Request Forgery (CSRF)
B. Server-Side Request Forgery (SSRF)
C. Reflected Cross-Site Scripting (XSS)
D. XML External Entity (XXE)
Explanation: Reflected XSS occurs when user input is echoed back into an HTML response unencoded, allowing the attacker to inject script that runs in the victim's browser. The fix is contextual output encoding (HTML body, attribute, JavaScript, URL contexts) and a strong Content Security Policy.
6. DREAD risk rating uses Damage, Reproducibility, Exploitability, Affected users, and which fifth dimension?
A. Discoverability
B. Detectability
C. Disclosability
D. Distributability
Explanation: DREAD is Damage, Reproducibility, Exploitability, Affected users, and Discoverability. Each dimension is scored (commonly 1-10) and the average is the overall risk. DREAD is heuristic; STRIDE+CVSS or threat libraries are now preferred for objectivity.
7. Which OWASP Top 10 2021 category was newly introduced to highlight gaps that arise BEFORE coding even begins, such as missing threat models?
A. A04:2021 Insecure Design
B. A06:2021 Vulnerable and Outdated Components
C. A08:2021 Software and Data Integrity Failures
D. A10:2021 Server-Side Request Forgery
Explanation: A04:2021 Insecure Design is a new 2021 category emphasizing missing or ineffective control design — issues you cannot fix by 'just patching code.' It promotes threat modeling, secure design patterns, and reference architectures up-front.
8. An e-commerce site allows callers to fetch arbitrary internal URLs through a 'preview link' feature. An attacker uses it to read 169.254.169.254 metadata on AWS. Which OWASP Top 10 2021 category captures this issue?
A. A03:2021 Injection
B. A05:2021 Security Misconfiguration
C. A10:2021 Server-Side Request Forgery (SSRF)
D. A01:2021 Broken Access Control
Explanation: Reaching 169.254.169.254 (the AWS Instance Metadata Service) from a victim server through a user-controlled URL is the canonical SSRF scenario. A10:2021 SSRF was added in 2021 specifically because cloud metadata services made the impact much higher. Defenses include allow-lists, IMDSv2, and network egress controls.
9. Which attack pattern is characterized by an attacker inducing the application to deserialize attacker-controlled data, leading to remote code execution?
A. Insecure Deserialization
B. Mass Assignment
C. HTTP Parameter Pollution
D. Open Redirect
Explanation: Insecure Deserialization (under A08:2021 Software and Data Integrity Failures) lets an attacker craft serialized payloads that cause RCE during deserialization. Java (ObjectInputStream), .NET (BinaryFormatter), Python (pickle), and PHP (unserialize) all have this risk; the fix is to avoid deserializing untrusted data and use signed, schema-bounded formats like JSON with strict types.
10. Which threat-modeling tool is published by Microsoft and natively maps DFD elements to STRIDE categories?
A. OWASP Threat Dragon
B. Microsoft Threat Modeling Tool
C. IriusRisk Community Edition
D. PyTM
Explanation: The Microsoft Threat Modeling Tool is Microsoft's free desktop application that builds Data Flow Diagrams and auto-generates STRIDE-based threats per element type. OWASP Threat Dragon is the OWASP open-source equivalent; both are widely used in CASE-aligned programs.

About the EC-Council CASE Exam

The EC-Council Certified Application Security Engineer (CASE) certification validates secure software development skills across the SDLC: application security threats and attacks, security requirements gathering, secure design and architecture, secure coding (input validation, authentication/authorization, cryptography, session management, error handling), Static and Dynamic Application Security Testing, and secure deployment and maintenance. CASE has two parallel exam tracks — CASE .NET (312-95) and CASE Java (312-96) — with most domains language-agnostic and the secure-coding examples specific to each platform.

  • Assessment: 50 multiple-choice questions covering AppSec threats, security requirements, secure design and architecture, secure coding (input validation, AuthN/Z, cryptography, session/error handling), SAST/DAST/IAST, and secure deployment.
  • Time Limit: 2 hours
  • Passing Score: 70%
  • Exam Fee: $550 ($450 voucher + $100 application fee) (EC-Council / ECC Exam Center)

EC-Council CASE Exam Content Outline

  • Application Security, Threats, and Attacks (15%): OWASP Top 10 2021 (A01-A10), STRIDE / DREAD / PASTA threat modeling, abuse cases, attack trees, SQLi, XSS, CSRF, SSRF, IDOR, deserialization, and supply-chain attacks.
  • Security Requirements Gathering (10%): OWASP ASVS L1/L2/L3, NIST SP 800-53, NIST SSDF (SP 800-218), ISO/IEC 27001, PCI DSS v4.0, GDPR Article 25 Data Protection by Design, traceability matrices.
  • Secure Application Design and Architecture (15%): Saltzer & Schroeder principles (Least Privilege, Fail-Secure, Complete Mediation, Economy of Mechanism), defense in depth, Zero Trust (NIST SP 800-207), service mesh, secrets managers.
  • Secure Coding — Input Validation (10%): Allow-list validation, parameterized queries (.NET SqlCommand, Java PreparedStatement), output encoding (HtmlEncoder, JavaScriptEncoder, OWASP Java Encoder, HtmlUtils), XXE prevention, command injection, mass assignment, path traversal.
  • Secure Coding — Authentication and Authorization (10%): OAuth 2.0 / OIDC, PKCE, JWT validation (alg=none, claims, audience), Spring Security, ASP.NET Core Identity, Argon2id and BCrypt, RBAC/ABAC, API object-level authorization (BOLA).
  • Secure Coding — Cryptography (10%): AES-256-GCM, RSA-2048+/ECC P-256, HMAC, HKDF, java.security.SecureRandom, .NET RandomNumberGenerator, TLS 1.2/1.3 cipher suites per NIST SP 800-52 Rev. 2, key management.
  • Secure Coding — Session Management and Error Handling (10%): Session-ID entropy, Secure/HttpOnly/SameSite cookies, session fixation rotation, anti-CSRF tokens, structured logging (Serilog, SLF4J), log injection prevention, Log4Shell awareness, generic error pages.
  • Static and Dynamic Application Security Testing (10%): SAST (SonarQube, Checkmarx, Veracode, Fortify, GitHub CodeQL), DAST (OWASP ZAP, Burp Suite, Acunetix), IAST agents, SCA (OWASP Dependency-Check, Snyk, Dependabot), fuzzing.
  • Secure Deployment and Maintenance (10%): CSP, HSTS, X-Content-Type-Options, frame-ancestors, Referrer-Policy, Permissions-Policy, signed builds (Sigstore), SBOM (CycloneDX/SPDX), SLSA, patch management, server hardening, SIEM monitoring.

How to Pass the EC-Council CASE Exam

What You Need to Know

  • Passing score: 70%
  • Assessment: 50 multiple-choice questions covering AppSec threats, security requirements, secure design and architecture, secure coding (input validation, AuthN/Z, cryptography, session/error handling), SAST/DAST/IAST, and secure deployment.
  • Time limit: 2 hours
  • Exam fee: $550 ($450 voucher + $100 application fee)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

EC-Council CASE Study Tips from Top Performers

1. Memorize the OWASP Top 10 2021 categories together with their 2017 names; exam questions often reference both naming schemes, and the categories new in 2021: A04 Insecure Design, A08 Software and Data Integrity Failures, and A10 SSRF.
2. For your chosen track, drill the canonical secure-coding APIs: .NET (SqlCommand parameters, HtmlEncoder/JavaScriptEncoder, RandomNumberGenerator, ASP.NET Core Identity); Java (PreparedStatement, OWASP Java Encoder, java.security.SecureRandom, Spring Security BCryptPasswordEncoder).
3. Know JWT pitfalls cold: alg=none, algorithm confusion (RS256↔HS256), kid header injection, and the must-validate claims (exp, iss, aud).
4. Practice STRIDE-per-element on a sample DFD and DREAD scoring on a vulnerability; both methods appear in CASE scenarios.
5. Memorize the security headers grid (CSP, HSTS, X-Content-Type-Options, frame-ancestors, Referrer-Policy, Permissions-Policy) and what each one mitigates.
6. Hands-on labs with OWASP ZAP, SonarQube, and OWASP Dependency-Check on a vulnerable target (e.g., Juice Shop or WebGoat) cement SAST/DAST/SCA differences.
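The JWT pitfalls in tip 3, as an added Python example that is not part of the original page: a standard-library HS256 verifier that pins the algorithm (closing alg=none and RS256/HS256 confusion), compares the signature in constant time, and requires exp, iss and aud. KEY, ISSUER and AUDIENCE are constructed values, and mint() exists only to produce valid and mislabelled tokens for the demo; in practice use your track's library (Spring Security's JWT support or ASP.NET Core's JWT bearer authentication) configured with the same constraints.

```python
import base64, hashlib, hmac, json, time

KEY = b"demo-secret-key"   # constructed for the demo; never hard-code real keys
ISSUER, AUDIENCE = "https://issuer.example", "orders-api"   # constructed values


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, alg: str = "HS256") -> str:
    """Issues a token; alg is a parameter only so the demo can build alg=none
    and RS256-labelled (but HMAC-signed) tokens to throw at verify()."""
    head = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def verify(token: str, now=None) -> dict:
    """Returns the claims or raises ValueError naming the check that failed."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(head_b64))
        claims = json.loads(_unb64url(body_b64))
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm before looking at the signature: this rejects alg=none
    # and any RS256/HS256 confusion regardless of what the header claims.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(KEY, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):   # constant-time compare
        raise ValueError("bad signature")
    # The must-validate claims: exp, iss, aud (aud may be a string or a list).
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        raise ValueError("wrong audience")
    return claims


def is_valid(token: str, now=None) -> bool:
    try:
        verify(token, now=now)
        return True
    except ValueError:
        return False
```

A `kid` header is deliberately ignored here; when a verifier does use it to select a key, the value must be matched against a fixed key set, never used as a path or query input.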

Frequently Asked Questions

What is the EC-Council CASE exam?

CASE (Certified Application Security Engineer) is EC-Council's secure software development certification. It is offered as two parallel exam tracks — CASE .NET (312-95) and CASE Java (312-96) — covering application security threats, requirements, design, secure coding, SAST/DAST, and secure deployment. Both tracks share most domains; only the secure-coding specifics diverge by language.

How many questions are on the CASE exam and what is the passing score?

The CASE exam has 50 multiple-choice questions and a 2-hour time limit with a 70% passing score. The exam is delivered through ECC Exam Center (Pearson VUE network) or EC-Council's Remote Proctoring Service so you can test from home.

How much does CASE certification cost?

The CASE exam voucher costs $450 USD. Self-study candidates must additionally submit an eligibility application with a $100 non-refundable fee, bringing the total to $550. Official iLearn, iWeek, or MasterClass training packages typically range from $1,500 to $3,500 and include the voucher.

Should I take CASE .NET (312-95) or CASE Java (312-96)?

Choose the track that matches your day-to-day stack. The two exams share most domains (threat modeling, requirements, design, SAST/DAST, deployment) but diverge on secure-coding specifics: CASE .NET emphasizes ASP.NET Core, ADO.NET, System.Security.Cryptography, ASP.NET Core Identity, antiforgery, and Razor; CASE Java emphasizes Spring Security, JCE, java.security.SecureRandom, PreparedStatement, OWASP Java Encoder, and HttpSession.

What are the eligibility requirements for CASE?

Candidates must either complete official EC-Council CASE training (which waives the experience requirement), OR demonstrate at least 2 years of information security or software development experience and submit an approved eligibility application with a $100 fee. Working knowledge of Java or .NET is expected for the corresponding track.

How long is CASE certification valid?

CASE is valid for 3 years and is maintained through EC-Council Continuing Education (ECE) by earning 120 ECE credits during the cycle. Credits can come from training, conferences, publications, mentoring, and other eligible activities.

How should I prepare for the CASE exam?

Study OWASP Top 10 2021 and the OWASP Cheat Sheet Series, learn STRIDE and PASTA threat modeling with the Microsoft Threat Modeling Tool or OWASP Threat Dragon, drill secure-coding patterns for your track (parameterized queries, output encoding, OAuth/OIDC, JWT verification, AES-GCM, password hashing with Argon2id/BCrypt), and practice SAST/DAST tooling like SonarQube, GitHub CodeQL, OWASP ZAP, and Burp Suite. Review CSP, HSTS, and supply-chain controls (SBOM, SLSA) for the deployment domain.