Free OffSec OSWA Exam Questions
Absolute Free OSWA Exam Practice for Comprehensive Preparation
-
OffSec OSWA Exam Questions
-
Provided By: OffSec
- Exam: OffSec Web Assessor (OSWA)
- Certification: Offensive Penetration Testing
-
Total Questions: 180
-
Updated On: May 23, 2026
-
Rated: 4.9 |
-
Online Users: 360
-
Question 1
-
You want to enumerate hidden admin panels on https://corp.example/ while avoiding common noise. Requirements:Ignore responses with status codes 302 and 403.Match only responses containing “Admin” or “Control Panel” (case-insensitive).Randomize User-Agent each request from ua.txt.Throttle requests to bypass rate-limiting.Which ffuf command lines satisfy all requirements? (Select all that apply)
Answer: C
-
You want to enumerate hidden admin panels on https://corp.example/ while avoiding common noise. Requirements:Ignore responses with status codes 302 and 403.Match only responses containing “Admin” or “Control Panel” (case-insensitive).Randomize User-Agent each request from ua.txt.Throttle requests to bypass rate-limiting.Which ffuf command lines satisfy all requirements? (Select all that apply)
-
Question 2
-
* * * * * tar -czf /root/backup.tar /home/user/*Which filenames trigger escalation? (Select all that apply)
Answer: A,B
-
* * * * * tar -czf /root/backup.tar /home/user/*Which filenames trigger escalation? (Select all that apply)
-
Question 3
-
You want to discover hidden parameters influenced by a CDN.What is the best initial approach in Burp?
Answer: B
-
You want to discover hidden parameters influenced by a CDN.What is the best initial approach in Burp?
-
Question 4
-
You want to enumerate hidden admin panels on https://corp.example/ while avoiding common noise. Requirements:Ignore responses with status codes 302 and 403.Match only responses containing “Admin” or “Control Panel” (case-insensitive).Randomize User-Agent each request from ua.txt.Throttle requests to bypass rate-limiting.Which ffuf command lines satisfy all requirements? (Select all that apply)
Answer: C
-
You want to enumerate hidden admin panels on https://corp.example/ while avoiding common noise. Requirements:Ignore responses with status codes 302 and 403.Match only responses containing “Admin” or “Control Panel” (case-insensitive).Randomize User-Agent each request from ua.txt.Throttle requests to bypass rate-limiting.Which ffuf command lines satisfy all requirements? (Select all that apply)
-
Question 5
-
An image thumbnailer service accepts a url and fetches the image server-side. The server runs inside AWS. You can supply gopher:// URIs.Which chain most likely yields temporary AWS credentials that let you enumerate S3 buckets in the same account?
Answer: B
-
An image thumbnailer service accepts a url and fetches the image server-side. The server runs inside AWS. You can supply gopher:// URIs.Which chain most likely yields temporary AWS credentials that let you enumerate S3 buckets in the same account?