50 PenTest+ Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the CompTIA PenTest+ certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for CompTIA PenTest+
During planning, a client states the test must not impact a third-party SaaS provider that is accessed through the client’s environment. Which document element BEST ensures the tester stays compliant with this requirement?
A penetration tester is asked to identify the public IP address ranges owned by a target company before scanning. Which technique is MOST appropriate?
A tester captures traffic and observes credentials being sent in cleartext using the format "USER" and "PASS" over TCP port 21. Which finding should be reported?
A tester needs to ensure evidence collected from a compromised host can be defended if questioned later. Which action is MOST important to perform first?
A web application sets a session cookie without the HttpOnly flag. Which attack is MOST directly enabled by this misconfiguration?
A tester runs an internal scan and receives many results indicating hosts are "up" but most TCP ports appear "filtered." The network team confirms an IPS is inline. Which scan adjustment is MOST likely to improve accuracy while reducing blocks?
A tester successfully obtains a low-privileged shell on a Windows workstation joined to a domain. The tester’s goal is to access additional machines without knowing plaintext passwords. Which technique BEST supports this goal?
A tester is reviewing a Python proof-of-concept that uses: subprocess.run(cmd, shell=True) where cmd is built from unsanitized user input. What is the MOST likely risk if this code is used in a production tool?
A tester is conducting an authorized phishing assessment. The client requires that no employee credentials are collected or stored at any time, but the client still wants to measure susceptibility. Which approach BEST meets the requirement?
A tester finds an endpoint /api/v1/orders/12345 returns order details. Changing the ID to /api/v1/orders/12346 returns another customer’s order while authenticated as a normal user. What is the BEST classification of this issue?
During planning, a client authorizes external testing but states that any denial-of-service conditions are unacceptable. Which rule-of-engagement item BEST enforces this requirement?
A tester needs to quickly identify live hosts in a /24 network while minimizing noise and avoiding port scans. Which approach is MOST appropriate?
A security team wants a penetration test report that is understandable by executives and also actionable for engineers. Which deliverable structure BEST meets this goal?
A tester finds that an internal web application includes the following response header: "Access-Control-Allow-Origin: *" and "Access-Control-Allow-Credentials: true". What is the PRIMARY security concern?
A tester is performing credentialed vulnerability scanning in an enterprise. Several Windows hosts return incomplete results even though the credentials are valid. Which issue is the MOST likely cause?
A tester is assessing a Git repository and finds an API key committed in a configuration file. The key appears to be active. What is the BEST next step to minimize risk while preserving evidence?
A tester has a low-privileged shell on a Linux host and wants to find potential privilege escalation vectors without causing service disruption. Which action is MOST appropriate?
During a test, the client asks the tester to immediately stop all activity after detecting suspicious behavior. What is the BEST action for the tester to take FIRST?
A tester is exploiting an SSRF vulnerability in a cloud-hosted application. The goal is to obtain temporary credentials from the instance metadata service. Which control would MOST directly mitigate this attack pattern?
A tester is writing a custom proof-of-concept script to validate a suspected command injection. The app sometimes includes user-supplied input in a shell command. Which coding practice BEST reduces the risk of false negatives and improves reliability of the PoC?
During Planning and Scoping, a client states that testing must not disrupt a life-safety monitoring system that shares the same network as other servers. Which engagement control BEST reduces risk while still allowing meaningful testing?
A tester is performing internal reconnaissance and wants to identify likely Windows domain controllers using only unauthenticated network data. Which combination is the MOST indicative?
A web application returns user-supplied input in an HTML page. Which change is the BEST defense to prevent reflected XSS when displaying that input?
While conducting vulnerability scanning, a tester receives many false positives because multiple hosts respond with identical banner strings due to a reverse proxy. What is the BEST next step to improve accuracy without significantly increasing risk?
A client requests that any discovered credentials be handled securely and that the final report should not expose reusable secrets. Which reporting practice BEST meets this requirement?
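Added example for the two questions above about an active API key found in a repository and about keeping reusable secrets out of the final report. This is not code from the question bank: it scans a constructed config file (the AWS key ID is the placeholder AWS uses in its own documentation, and the other values are made up), keeps the raw match in memory only long enough to confirm it, and turns it into a report entry that identifies the key by prefix and SHA-256 fingerprint without reproducing it. The regular expressions and the `<inline>` default path are assumptions for the example.

```python
import hashlib
import re
from typing import Dict, List

# Two detection patterns (assumed for this example). The AWS access key ID
# format, AKIA followed by 16 upper-case alphanumerics, is documented; the
# second is a generic "api_key = value" / "secret: value" / "token=value" catch.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"
    ),
}

# Constructed config file, not from any real repository. The AWS key ID is the
# placeholder value from AWS documentation; the api_key value is invented.
SAMPLE_CONFIG = """[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_key = "c0nstructedExampleKey1234567890"
token_ttl = 3600
"""


def find_secrets(text: str, path: str = "<inline>") -> List[Dict]:
    """One record per match: location, pattern kind and the raw value.
    The raw value stays in memory for validation and is never written to the report."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                hits.append({"path": path, "line": lineno, "kind": kind, "value": m.group(1)})
    return hits


def redact(secret: str, keep: int = 4) -> str:
    """Report form of a secret: a short prefix, a mask for the rest, and a
    truncated SHA-256 fingerprint. The client can confirm which key is meant by
    hashing their own copy, but the report carries nothing reusable."""
    fingerprint = hashlib.sha256(secret.encode()).hexdigest()[:12]
    return f"{secret[:keep]}{'*' * (len(secret) - keep)} (sha256:{fingerprint})"


def to_report(hits: List[Dict]) -> List[Dict]:
    """Evidence entries for the deliverable: where and what kind, value redacted."""
    return [
        {"path": h["path"], "line": h["line"], "kind": h["kind"], "evidence": redact(h["value"])}
        for h in hits
    ]


if __name__ == "__main__":
    for entry in to_report(find_secrets(SAMPLE_CONFIG, "config.ini")):
        print(entry)
```

The fingerprint is there so the client can match the report entry to the key they rotate; the raw value itself should go to the client through the agreed secure channel and be rotated rather than pasted into the report.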
A tester is reviewing a small Python script used by administrators to automate downloads from an internal site. The script sets verify=False for TLS requests and suppresses certificate warnings. What is the MOST significant risk introduced by this behavior?
After gaining an initial foothold on a Linux host, a tester wants to identify misconfigurations that could allow local privilege escalation with minimal noise. Which approach is BEST?
A tester is asked to perform a penetration test against a cloud-hosted application. The scope allows testing the application but forbids testing the cloud provider’s underlying infrastructure. Which action is MOST appropriate to ensure compliance with the rules of engagement?
A web app uses JWTs for session management. A tester notices the server accepts tokens where the header is modified to use the 'none' algorithm and still grants access. What is the BEST description of the vulnerability and its impact?
A tester needs to deliver evidence for a critical finding to support incident-response actions. The client may use the evidence in legal proceedings. Which practice BEST preserves evidentiary integrity?
During planning, a client requires the test team to avoid disrupting production but still validate patching effectiveness. Which approach BEST meets this requirement?
A tester finds a server responds to ICMP echo requests but shows all TCP ports as filtered. The client confirms a stateful firewall is in place. Which scan technique is MOST likely to identify allowed TCP services through the firewall?
A penetration tester is asked to provide evidence that a web application's session cookie is protected against client-side script access. Which attribute should the tester verify is set on the session cookie?
While gathering information, a tester wants to enumerate subdomains with minimal direct interaction with the target’s infrastructure. Which method BEST fits this goal?
A tester exploited an internal web app and wants to reduce the risk of command injection payloads being logged in plaintext. Which technique is MOST appropriate to limit log visibility of the command content while still executing it?
A vulnerability scan report includes multiple findings for the same host with varying severities. The client asks which should be prioritized FIRST for remediation. Which factor is MOST important to prioritize beyond CVSS score alone?
A tester is reviewing a shell script used in deployment and notices it runs: curl $URL | bash. Which risk is MOST directly introduced by this pattern?
After gaining access to a Windows host, a tester obtains a list of user accounts and NTLM password hashes. Which action is MOST appropriate to validate password strength without sending authentication attempts to a domain controller?
A client requests a pen test of a multi-tenant SaaS where the tester will be provided an isolated tenant account but no access to underlying infrastructure. Which rule should be documented MOST clearly to prevent an out-of-scope breach?
A tester suspects an application is vulnerable to SSRF and wants to safely confirm whether the server can reach internal metadata services without exposing real credentials in the report. Which validation method is BEST?
During pre-engagement planning, the client authorizes testing of one production web application but prohibits any actions that could impact availability. Which activity is MOST appropriate to include in the rules of engagement to support this requirement?
A penetration tester receives a client-provided list of in-scope IP ranges and a separate list of out-of-scope third-party networks. Which is the BEST initial step to reduce the chance of accidentally scanning an out-of-scope target?
While reviewing DNS records, a tester finds that a subdomain (app.example.com) is a CNAME to a cloud-hosted service that is no longer used. The host returns a default provider page. What is the MOST likely risk to report?
A tester needs to quickly identify which internal web servers are missing a required HTTP security header (e.g., Strict-Transport-Security) across hundreds of hosts. What is the MOST efficient approach?
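Added example serving four questions above: the session cookie set without HttpOnly, the Access-Control-Allow-Origin "*" with Access-Control-Allow-Credentials true, verifying the cookie attribute that blocks client-side script access, and checking hundreds of hosts for Strict-Transport-Security. It is not code from the question bank. It audits already-collected response headers (a constructed fleet of three hosts is embedded; fetching them is left out so the example runs offline) and returns short finding codes per host so results can be counted and diffed. One caveat the CORS check encodes: browsers refuse to expose a credentialed response when ACAO is literally "*", so that exact pair is a sign of a permissive policy rather than a direct exploit; the exploitable variant is a server that reflects the request's Origin with credentials enabled, which the check also flags.

```python
from typing import Dict, List, Optional

Headers = Dict[str, List[str]]  # header name -> list of values (Set-Cookie can repeat)


def parse_set_cookie(value: str) -> Dict:
    """Split 'name=val; Attr; Attr=val' into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name, "attrs": attrs}


def audit_headers(headers: Headers, request_origin: Optional[str] = None, https: bool = True) -> List[str]:
    """Finding codes for one response. Codes rather than prose so a fleet-wide run can be aggregated."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    for raw in h.get("set-cookie", []):
        cookie = parse_set_cookie(raw)
        attrs, name = cookie["attrs"], cookie["name"]
        if "httponly" not in attrs:
            findings.append(f"COOKIE_NO_HTTPONLY:{name}")  # readable via document.cookie after XSS
        if https and "secure" not in attrs:
            findings.append(f"COOKIE_NO_SECURE:{name}")    # may be sent over plaintext HTTP
        if "samesite" not in attrs:
            findings.append(f"COOKIE_NO_SAMESITE:{name}")  # relies on the browser default

    hsts = h.get("strict-transport-security")
    if https and not hsts:
        findings.append("NO_HSTS")
    elif hsts:
        directives = {
            d.strip().lower().partition("=")[0]: d.strip().partition("=")[2]
            for d in hsts[0].split(";")
        }
        if directives.get("max-age", "").strip() == "0":
            findings.append("HSTS_MAX_AGE_ZERO")  # header present but it switches HSTS off

    acao = h.get("access-control-allow-origin", [None])[0]
    acac = (h.get("access-control-allow-credentials", [""])[0] or "").lower()
    if acao == "*" and acac == "true":
        # Not directly exploitable (browsers reject credentials with a wildcard
        # ACAO) but a sign to test whether the server reflects arbitrary origins.
        findings.append("CORS_WILDCARD_WITH_CREDENTIALS")
    elif request_origin and acao == request_origin and acac == "true":
        findings.append("CORS_ORIGIN_REFLECTION")  # authenticated cross-origin reads from any origin
    return findings


def audit_fleet(responses: Dict[str, Headers], request_origin: Optional[str] = None) -> Dict[str, List[str]]:
    return {host: audit_headers(hdrs, request_origin) for host, hdrs in responses.items()}


# Constructed responses for three hypothetical internal hosts; the Origin used
# in the probe request is assumed to have been "https://evil.example".
SAMPLE_RESPONSES: Dict[str, Headers] = {
    "portal.corp.example": {
        "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
        "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    },
    "legacy.corp.example": {
        "Set-Cookie": ["JSESSIONID=deadbeef; Path=/"],
        "Access-Control-Allow-Origin": ["*"],
        "Access-Control-Allow-Credentials": ["true"],
    },
    "api.corp.example": {
        "Access-Control-Allow-Origin": ["https://evil.example"],  # reflected the probe's Origin
        "Access-Control-Allow-Credentials": ["true"],
        "Strict-Transport-Security": ["max-age=0"],
    },
}

if __name__ == "__main__":
    for host, codes in audit_fleet(SAMPLE_RESPONSES, "https://evil.example").items():
        print(host, codes or "clean")
```

Feeding the same function from a crawler or from exported proxy logs is what makes the hundreds-of-hosts question tractable: the per-host output is a list of codes, and a missing header across the fleet is one line of aggregation.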
A client uses a reverse proxy in front of multiple applications. The tester finds an endpoint that returns different content when the Host header is changed, suggesting host-header routing issues. Which vulnerability class is MOST relevant?
A tester captures an authenticated request in a mobile app and sees a JWT in the Authorization header. The tester modifies the payload to change "role":"user" to "role":"admin" and the server accepts it. Which control is MOST likely missing or misconfigured?
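Added example for the two JWT questions above (the server accepting an "alg":"none" header, and the server accepting a payload edited from "role":"user" to "role":"admin"). This is not code from the question bank. It builds HS256 tokens with the standard library only, shows a verifier that lets the token's own header choose the algorithm next to one that pins HS256 and checks the signature with a constant-time compare, and includes the two tester-side checks: strip the signature with alg=none, and edit the claims while keeping the old signature. The signing key and claim values are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional

KEY = b"constructed-demo-key-not-a-real-secret"  # assumed server-side HS256 key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj: Dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue_hs256(payload: Dict, key: bytes) -> str:
    signing_input = f"{b64url(_json({'alg': 'HS256', 'typ': 'JWT'}))}.{b64url(_json(payload))}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_trusting_header(token: str, key: bytes) -> Dict:
    """The broken pattern: the token's header decides how it is verified."""
    h_b64, p_b64, s_b64 = token.split(".")
    if json.loads(unb64url(h_b64)).get("alg") == "none":
        return json.loads(unb64url(p_b64))  # unsigned token accepted as-is
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(s_b64)):
        raise ValueError("bad signature")
    return json.loads(unb64url(p_b64))


def verify_pinned(token: str, key: bytes) -> Dict:
    """Hardened: the verifier pins the algorithm and ignores the header's choice."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(unb64url(h_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(s_b64)):
        raise ValueError("bad signature")
    return json.loads(unb64url(p_b64))


def forge_none(token: str, changes: Dict) -> str:
    """Tester's check for the 'none' case: edit the claims, set alg=none, drop the signature."""
    _, p_b64, _ = token.split(".")
    payload = {**json.loads(unb64url(p_b64)), **changes}
    return f"{b64url(_json({'alg': 'none', 'typ': 'JWT'}))}.{b64url(_json(payload))}."


def tamper_payload(token: str, changes: Dict) -> str:
    """Tester's check for the unchecked-signature case: edit the claims, keep the old signature."""
    h_b64, p_b64, s_b64 = token.split(".")
    payload = {**json.loads(unb64url(p_b64)), **changes}
    return f"{h_b64}.{b64url(_json(payload))}.{s_b64}"


def granted_role(verifier: Callable[[str, bytes], Dict], token: str, key: bytes) -> Optional[str]:
    """Role the verifier would grant, or None if it rejects the token."""
    try:
        return verifier(token, key).get("role")
    except ValueError:
        return None


if __name__ == "__main__":
    token = issue_hs256({"sub": "u1", "role": "user"}, KEY)
    forged = forge_none(token, {"role": "admin"})
    print("trusting verifier, alg=none :", granted_role(verify_trusting_header, forged, KEY))
    print("pinned verifier, alg=none   :", granted_role(verify_pinned, forged, KEY))
    print("pinned verifier, edited body:", granted_role(verify_pinned, tamper_payload(token, {"role": "admin"}), KEY))
```

If the real verifier also accepts tokens with an edited payload and an unchanged signature, signature verification is effectively absent rather than merely misconfigured; the pinned verifier above rejects both cases for the same reason, because it recomputes the MAC over exactly the header and payload it was given.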
During an internal engagement, a tester discovers a file share containing offline copies of an employee password vault database. No master password is known. What is the BEST next step to remain effective while staying within typical ethical guidelines?
A penetration test report includes several high-risk findings. The client’s leadership is non-technical and wants to understand what to prioritize first. Which report component BEST addresses this need?
A tester is analyzing a Python script used in an internal tool and sees the following pattern: user input is concatenated into an OS command string and passed to a function that executes it. Which change is the BEST mitigation to recommend? Example:
    cmd = "ping -c 1 " + user_input
    os.system(cmd)
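Added example for the two command-injection questions above (the subprocess.run(cmd, shell=True) proof-of-concept and the os.system("ping -c 1 " + user_input) script). This is not code from the question bank. It places the concatenated-string pattern next to the hardened form (allow-list validation of the input, then an argv list with no shell), and demonstrates the difference by executing both with echo instead of ping so the run is harmless and offline. The payload string is constructed for the example.

```python
import ipaddress
import subprocess
from typing import List

# Constructed attacker input: a valid-looking target followed by a shell
# separator and a second command.
PAYLOAD = "127.0.0.1; echo INJECTED"


def build_cmd_vulnerable(user_input: str) -> str:
    """The pattern from the question: concatenate, then hand the string to a shell."""
    return "ping -c 1 " + user_input


def is_valid_target(user_input: str) -> bool:
    """Allow-list validation: the only thing ping needs here is an IP address."""
    try:
        ipaddress.ip_address(user_input)
        return True
    except ValueError:
        return False


def build_argv_hardened(user_input: str) -> List[str]:
    """Validate, then pass the value as a single argv element. No shell parses
    it, so ';', '|', '$(...)' and backticks are just characters in an argument."""
    if not is_valid_target(user_input):
        raise ValueError(f"rejected target: {user_input!r}")
    return ["ping", "-c", "1", user_input]


def run_shell_vulnerable(user_input: str) -> str:
    """Same shape as os.system(cmd) / subprocess.run(cmd, shell=True), with
    echo standing in for ping. The shell splits the string on ';'."""
    proc = subprocess.run("echo " + user_input, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_argv_hardened(user_input: str) -> str:
    """argv list, shell=False (the default): the whole payload is one argument to echo."""
    proc = subprocess.run(["echo", user_input], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    print("shell=True :", repr(run_shell_vulnerable(PAYLOAD)))  # second command ran
    print("argv list  :", repr(run_argv_hardened(PAYLOAD)))    # payload printed literally
    print("hardened   :", build_argv_hardened("127.0.0.1"))
```

The argv list is the mitigation; validation is defence in depth. shlex.quote() on the concatenated string would also stop this particular payload, but it still routes user data through a shell and is the weaker recommendation.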
A tester obtains a low-privileged Linux shell inside a container. The host mounts the Docker socket (/var/run/docker.sock) into the container. Which action is MOST likely to lead to host compromise?
CompTIA PenTest+ 50 Practice Questions FAQs
PenTest+ is a professional certification from CompTIA that validates penetration testing and vulnerability management skills, from planning and scoping through reconnaissance, attacks and exploits, to reporting. The official exam code is PT0-003.
Our 50 PenTest+ practice questions are a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes a detailed explanation to help you learn.
50 questions is a good starting point for PenTest+ preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 PenTest+ questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.