312-50V10 · Question #285
What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?
The correct answer is A. Injecting parameters into a connection string using semicolons as a separator. Connection Stream Parameter Pollution (CSPP) injects extra parameters into database connection strings by abusing the semicolon delimiter that separates connection string key-value pairs.
Question
What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?
Options
- AInjecting parameters into a connection string using semicolons as a separator
- BInserting malicious Javascript code into input parameters
- CSetting a user's session identifier (SID) to an explicit known value
- DAdding multiple parameters with the same name in HTTP requests
How the community answered
(14 responses)- A79% (11)
- C14% (2)
- D7% (1)
Why each option
Connection Stream Parameter Pollution (CSPP) injects extra parameters into database connection strings by abusing the semicolon delimiter that separates connection string key-value pairs.
CSPP targets backend connection strings (commonly used in database drivers and data sources) by appending crafted parameters using semicolons, which are the standard separator in many connection string formats. This allows an attacker to override intended parameters such as the target server or authentication credentials.
Injecting malicious JavaScript into input parameters describes Cross-Site Scripting (XSS), a completely different attack class targeting client-side rendering.
Setting a user's session identifier to a known value describes a Session Fixation attack, not CSPP.
Adding multiple parameters with the same name in HTTP requests describes HTTP Parameter Pollution (HPP), a distinct web-layer attack unrelated to connection strings.
Concept tested: Connection Stream Parameter Pollution attack technique
Source: https://owasp.org/www-community/attacks/HTTP_Parameter_Pollution
Topics
Community Discussion
No community discussion yet for this question.