Exam CS0-002 topic 1 question 92 discussion

Script = Java = Validate user input if it was SQL then it would have been D

The correct answer is C. This is a XSS issue D = Using parameterized queries, which are precompiled SQL that takes input variables before it is executed. This helps prevent SQL injection attacks. -- This is for a SQL vulnerability

The best option to fix a dynamic code evaluation script injection vulnerability in the source code is to validate user input before execution and interpretation. This involves implementing proper input validation and sanitization mechanisms to ensure that user-supplied data is free from malicious code or characters that could lead to code injection vulnerabilities.

It says in the source code answer is D

CHAT GPT Dynamic code evaluation or script injection vulnerabilities can be fixed by ensuring that user input is validated before it is executed or interpreted. Input validation can include sanitizing the input, restricting input characters, and ensuring that the input is in the expected format. This approach will help prevent malicious code from being executed on the server or client side. Deleting the vulnerable section of the code is not an ideal solution, as it can cause the web application to malfunction. Creating a custom rule on the web application firewall or using parameterized queries can help protect against known attack patterns but may not fully address the root cause of the vulnerability.

C. The BEST option is to validate user input before execution and interpretation, which means that input received from users should be checked and filtered before being executed or interpreted by the application.

Parameterized Queries Most secure websites with an SQL backend will incorporate a technique called parameterized queries to defend against code injection attacks and insecure object references. Official Comptia Cysa+ Course Material

This article will explain why it is C - https://securityboulevard.com/2019/09/what-is-code-injection-and-how-to-avoid-it/#:~:text=Regardless%20of%20language%2C%20you%20can%20avoid%20code%20injection,functions%20on%20raw%20user%20inputs.%20...%20More%20items

Explaining the wrong answers: A. Delete the vulnerable section of the code immediately: if you do it you have chances to inutilize the software, hence, not the BEST option. B. Create a custom rule on the web application firewall: also not the BEST option, this is a workaround. D. Use parameterized queries: it talks about a web server, not a database, for that reason i don't see how it can be associated to SQLi. C is the correct answer.

I would go with A. This is static code that was reviewed. Meaning it is not yet in prod. Developers might reuse code and the code might be having that vulnerability. I would suggest deleting that piece of vulnerable code section.

We have here tow things: A parameterized query is a query in which placeholders are used for parameters and the parameter values are supplied at execution time. The most important reason to use parameterized queries is to avoid SQL injection attacks. and Goals of Input Validation¶ Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering malfunction of various downstream components. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the external party. So I thing D is the correct

C is correct.

Agree. C is correct