This is the same as question 17, but the answer is D. The vulnerable parameter and characters > and " with a reflected XSS attempt.
But here in question 387, the answer is C. The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe. This option is also in question 17, but it's incorrect there, while here in question 387 it's correct, and option D. The vulnerable parameter and characters > and " with a reflected XSS attempt is not available; the following appears instead: D. The vulnerable parameter id=2 with a SQL injection attempt, which is incorrect in this case. Does anyone know why?
Link to question: https://www.examtopics.com/exams/comptia/cs0-003/view/
The correct answer is: C. The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe
Explanation:
The Nmap scan using the http-unsafe-output-escaping script found that the parameter id at http://172.31.15.2/1.php?id=2 reflects special characters like >, ", and ' in its output without proper escaping. This behavior is a key indicator of a potential Cross-Site Scripting (XSS) vulnerability, where user-supplied input is reflected back in the response and interpreted as executable code in the browser.
C. Because the parameters specific to XSS have returned reflected - Correct
A. Wrong, because it doesn't specify anywhere that an output was observed
B. Wrong, because it isn't specified anywhere that the parameters were returned
D. Wrong, SQLi could be identified by errors, or by delayed time because of the specific payload, which was not observed here.
The answer is D. Not sure why this is marked as C. This is the exact same question as question 17 in the beginning of this practice exam and it was marked D as well.
Yes, this is the same as question 17, but the answer is D. The vulnerable parameter and characters > and " with a reflected XSS attempt.
But here in question 387, the answer is C. The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe. This option is also in question 17, but it's incorrect there, while here in question 387 it's correct, and option D. The vulnerable parameter and characters > and " with a reflected XSS attempt is not available; the following appears instead: D. The vulnerable parameter id=2 with a SQL injection attempt, which is incorrect in this case.
upvoted 1 times
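The check behind an http-unsafe-output-escaping finding like the one discussed in this thread can be reproduced offline. The Python below is an added example, not code from the thread or from the Nmap script: it wraps each of the characters >, " and ' in a marker, passes the probe through three constructed page renderers, and reports which characters come back unescaped. The renderers, the marker value and all function names are assumptions made for illustration.

```python
import html

# Characters the scan output in the thread reports as reflected
PROBE_CHARS = [">", '"', "'"]


def build_probe(marker):
    """Wrap each probe character in a marker so reflections can be located."""
    return "".join(f"{marker}{c}" for c in PROBE_CHARS) + marker


def unescaped_reflections(body, marker):
    """Return the probe characters that appear raw (not entity-encoded) in body."""
    return [c for c in PROBE_CHARS if f"{marker}{c}{marker}" in body]


# --- Constructed stand-ins for a page that echoes the id parameter ---

def render_vulnerable(id_value):
    # Echoes the parameter as-is into text and attribute context
    return f'<p>Record <span title="{id_value}">{id_value}</span></p>'


def render_partial(id_value):
    # Encodes < > & but leaves quotes alone: still unsafe inside an attribute
    safe = html.escape(id_value, quote=False)
    return f'<p>Record <span title="{safe}">{safe}</span></p>'


def render_escaped(id_value):
    # Encodes < > & " ' before output
    safe = html.escape(id_value, quote=True)
    return f'<p>Record <span title="{safe}">{safe}</span></p>'


def audit(marker="zq7x1"):
    """Run the probe through each renderer and collect the raw reflections."""
    probe = build_probe(marker)
    renderers = {
        "vulnerable": render_vulnerable,
        "partial": render_partial,
        "escaped": render_escaped,
    }
    return {name: unescaped_reflections(fn(probe), marker)
            for name, fn in renderers.items()}


if __name__ == "__main__":
    for name, chars in audit().items():
        print(f"{name:10s} unescaped: {chars}")
```

The partial renderer shows why the finding lists the individual characters: encoding only the angle brackets still leaves both quote characters reflected raw, which matters when the value lands inside an HTML attribute.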