
100+ Free PWPA Practice Questions

Practical Web Pentest Associate (TCM Security) practice questions are available now; exam metadata is being verified.


What is a 'second-order SQL injection' (also called stored SQL injection) and why is it more difficult to detect than first-order injection?


Key Facts: PWPA Exam

Assessment Window: 2 days (source: TCM Security)
Report Submission Window: 2 days (source: TCM Security)
Exam Format: Practical (source: TCM Security)
Real Vuln Exploitation Required: Zero flags (source: TCM Security)
Core Knowledge Domain: OWASP Top 10 (source: TCM Security PWPA page)
Difficulty Tier: Entry-Level (source: TCM Security)

The PWPA from TCM Security is a practical, hands-on web application penetration testing certification. Candidates have 2 days to find and exploit a required set of real vulnerabilities in a target web application, then 2 additional days to write a professional pentest report. The exam tests OWASP Top 10 skills (SQLi, XSS, IDOR, broken auth, misconfiguration), Burp Suite proficiency, authentication and authorization testing, WAF evasion, business logic flaws, and basic API testing. Preparation is through TCM's Practical Bug Bounty course. This practice test covers the theoretical knowledge — the real exam requires live exploitation.

Sample PWPA Practice Questions

Try these sample questions to test your PWPA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which HTTP response header is designed to prevent clickjacking attacks by controlling whether a page can be rendered inside an iframe?
A. X-Frame-Options
B. Content-Security-Policy
C. X-Content-Type-Options
D. Strict-Transport-Security
Explanation: X-Frame-Options instructs browsers to deny or restrict embedding the page in an iframe, directly preventing clickjacking. The values DENY and SAMEORIGIN are the most common. Content-Security-Policy's frame-ancestors directive can also address this, but X-Frame-Options is the dedicated header.

2. A web application reflects user input in the page without encoding it. An attacker crafts the URL: `?name=<script>alert(1)</script>`. What type of XSS is this?
A. Stored XSS
B. DOM-based XSS
C. Reflected XSS
D. Universal XSS
Explanation: Reflected XSS occurs when user-supplied input is immediately echoed back in the server's HTTP response without sanitization. The malicious payload travels in the URL, hits the server, and the server reflects it in the HTML response. It requires the victim to click a crafted link.

3. During a Burp Suite intercept session you notice the request: `GET /api/users/1234/profile`. You change `1234` to `1235` and receive another user's profile data. What vulnerability is this?
A. Insecure Direct Object Reference (IDOR)
B. SQL Injection
C. Broken Function Level Authorization
D. Mass Assignment
Explanation: IDOR occurs when an application uses user-controlled input (here the numeric user ID) to directly reference database objects without verifying that the requesting user is authorized to access them. Changing 1234 to 1235 accesses another user's data.

4. Which Burp Suite tool is best suited for automating brute-force of a login form's password field across a wordlist?
A. Burp Repeater
B. Burp Scanner
C. Burp Intruder
D. Burp Comparer
Explanation: Burp Intruder automates requests with parameterized payloads, making it ideal for brute-force and fuzzing attacks. You mark the password field as a payload position and supply a wordlist; Intruder iterates through each value. The community edition throttles this, but Intruder is the designated tool.

5. A SQL injection payload `' OR '1'='1` is appended to a login form's username field. What is the goal of this payload?
A. Extract database column names via UNION
B. Trigger a time delay to confirm blind SQLi
C. Bypass authentication by making the WHERE clause always true
D. Enumerate database users with information_schema
Explanation: The payload closes the original string literal, appends OR '1'='1 which is always true, and comments out the rest of the query. This forces the WHERE condition to evaluate as true for every row, often returning the first user (frequently an admin) and bypassing the password check.

6. Which cookie attribute prevents client-side JavaScript from reading a cookie, protecting session tokens from XSS theft?
A. Secure
B. SameSite=Strict
C. HttpOnly
D. Domain
Explanation: The HttpOnly flag instructs the browser to block JavaScript access to the cookie via document.cookie. Even if an XSS payload executes, it cannot exfiltrate an HttpOnly session token. This is a critical defense-in-depth control for session management.

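The controls from questions 1 and 6 can be checked mechanically in a response. The following added example (not code from the page or from TCM Security) parses a constructed raw HTTP response and reports a missing anti-framing header and session cookies set without HttpOnly or Secure; `parse_headers` and `audit_response` are names chosen here, and the two sample responses are constructed.

```python
# Constructed sample responses: a weak one and its hardened counterpart.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict\r\n"
    "\r\n<html>...</html>"
)

def parse_headers(raw):
    """Return (name, value) pairs from the header block, names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw):
    """List the weaknesses from questions 1 and 6 present in a raw response."""
    headers = parse_headers(raw)
    findings = []
    # Anti-framing: X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    xfo_ok = any(n == "x-frame-options" and v.upper() in ("DENY", "SAMEORIGIN")
                 for n, v in headers)
    csp_ok = any(n == "content-security-policy" and "frame-ancestors" in v.lower()
                 for n, v in headers)
    if not (xfo_ok or csp_ok):
        findings.append("clickjacking: no X-Frame-Options DENY/SAMEORIGIN "
                        "and no CSP frame-ancestors")
    # Cookie attributes: everything after the first ';' is an attribute name.
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie}: missing HttpOnly, readable via document.cookie")
        if "secure" not in attrs:
            findings.append(f"cookie {cookie}: missing Secure, sent over plain HTTP")
    return findings
```
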
7. What does the Burp Suite Proxy's 'Intercept' function allow a pentester to do?
A. Pause HTTP requests between the browser and server to inspect and modify them in real time
B. Automatically fuzz all parameters in every request
C. Passively scan the web application for OWASP Top 10 vulnerabilities
D. Replay captured requests at configurable rates
Explanation: Burp Proxy sits between the browser and the target server. With Intercept enabled, each request is paused and displayed in the Intercept tab, where the tester can read, modify, or drop it before forwarding. This is the foundation of manual web app testing.

8. An application displays the error message 'ORA-01756: quoted string not properly terminated' after you submit a single quote in a search field. What does this reveal?
A. The application is using an Oracle database and the parameter is injectable
B. The server runs a Linux operating system
C. The WAF has blocked the request and returned a custom error
D. The application uses parameterized queries and safely rejects the input
Explanation: ORA-01756 is a native Oracle database error. Its appearance in the response means the single quote broke out of a dynamically constructed SQL string, confirming both that the backend is Oracle and that the parameter is SQL injectable. This is a classic error-based SQLi indicator.

9. You discover a login page with no account lockout after multiple failed attempts. Which attack does this misconfiguration most directly enable?
A. Credential stuffing and brute-force
B. CSRF
C. SQL injection
D. Stored XSS
Explanation: The absence of account lockout or rate limiting allows an attacker to make unlimited login attempts, enabling brute-force attacks (trying many passwords against one account) and credential stuffing (trying breached username/password pairs). These are broken authentication vulnerabilities per OWASP A07.

10. Which ffuf command correctly fuzzes the path component of a URL to discover hidden directories?
A. ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
B. ffuf -u http://target.com -p FUZZ -w /usr/share/wordlists/dirb/common.txt
C. ffuf -target http://target.com -fuzz directory -w common.txt
D. ffuf -H FUZZ -u http://target.com -w common.txt
Explanation: ffuf uses the keyword FUZZ as a placeholder in the URL. Placing FUZZ after the slash in the path and supplying a wordlist with -w causes ffuf to substitute each wordlist entry into that position, iterating through candidate directory names. This is the standard ffuf directory brute-force syntax.

About the PWPA Practice Questions

Verified exam format metadata for Practical Web Pentest Associate (TCM Security) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.