Free OffSec OSWA Exam Questions

Question 1

A WAF blocks single quotes '. Which payload bypasses it to fetch database()?

A : 0x61646d696e AND database()=0x61646d696e

B : AND database()=HEX('admin')

C : AND database()=0x61646d696e

D : UNION SELECT 0x61646d696e

Answer: C

Question 2

An image thumbnailer service accepts a url and fetches the image server-side. The server runs inside AWS. You can supply gopher:// URIs.Which chain most likely yields temporary AWS credentials that let you enumerate S3 buckets in the same account?

A : Use SSRF to http://169.254.169.254/latest/meta-data/iam/security-credentials/ and then fetch the role name and token.

B : Submit gopher://169.254.169.254:80/_GET%20/... to craft precise TCP requests to metadata endpoint.

C : Use SSRF to query http://metadata.google.internal instead.

D : Use SSRF to initiate a reverse shell back to you.

Answer: B

Question 3

An image thumbnailer service accepts a url and fetches the image server-side. The server runs inside AWS. You can supply gopher:// URIs.Which chain most likely yields temporary AWS credentials that let you enumerate S3 buckets in the same account?

A : Use SSRF to http://169.254.169.254/latest/meta-data/iam/security-credentials/ and then fetch the role name and token.

B : Submit gopher://169.254.169.254:80/_GET%20/... to craft precise TCP requests to metadata endpoint.

C : Use SSRF to query http://metadata.google.internal instead.

D : Use SSRF to initiate a reverse shell back to you.

Answer: B

Question 4

An image thumbnailer service accepts a url and fetches the image server-side. The server runs inside AWS. You can supply gopher:// URIs.Which chain most likely yields temporary AWS credentials that let you enumerate S3 buckets in the same account?

A : Use SSRF to http://169.254.169.254/latest/meta-data/iam/security-credentials/ and then fetch the role name and token.

B : Submit gopher://169.254.169.254:80/_GET%20/... to craft precise TCP requests to metadata endpoint.

C : Use SSRF to query http://metadata.google.internal instead.

D : Use SSRF to initiate a reverse shell back to you.

Answer: B

Question 5

You want to enumerate hidden admin panels on https://corp.example/ while avoiding common noise. Requirements:Ignore responses with status codes 302 and 403.Match only responses containing “Admin” or “Control Panel” (case-insensitive).Randomize User-Agent each request from ua.txt.Throttle requests to bypass rate-limiting.Which ffuf command lines satisfy all requirements? (Select all that apply)

A : ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u https://corp.example/FUZZ \-H "User-Agent: $(shuf -n1 ua.txt)" -fc 302,403 -mr "(?i)(Admin|Control Panel)" -p 0.2

B : ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u https://corp.example/FUZZ \-H "User-Agent: Mozilla/5.0" -fc 403 -mr "Admin|Control Panel" -p 0.2

C : ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u https://corp.example/FUZZ \-H "User-Agent: $(shuf -n1 ua.txt)" -fc 302,403 -mr "(?i)(Admin|Control Panel)" -p 0.3

D : ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u https://corp.example/FUZZ \-H "User-Agent: fuzz" -fc 302,403 -mr "Admin" -t 50

E : ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u https://corp.example/FUZZ \-H "User-Agent: $(shuf -n1 ua.txt)" -fc 302,403 -mr "(?i)(Admin|Control Panel)" -t 100

Answer: C