nerdexam
EC-Council

312-50V10 · Question #285

What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?

The correct answer is A. Injecting parameters into a connection string using semicolons as a separator. Connection Stream Parameter Pollution (CSPP) injects extra parameters into database connection strings by abusing the semicolon delimiter that separates connection string key-value pairs.

Hacking Web Applications

Question

What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?

Options

  • AInjecting parameters into a connection string using semicolons as a separator
  • BInserting malicious Javascript code into input parameters
  • CSetting a user's session identifier (SID) to an explicit known value
  • DAdding multiple parameters with the same name in HTTP requests

How the community answered

(14 responses)
  • A
    79% (11)
  • C
    14% (2)
  • D
    7% (1)

Why each option

Connection Stream Parameter Pollution (CSPP) injects extra parameters into database connection strings by abusing the semicolon delimiter that separates connection string key-value pairs.

AInjecting parameters into a connection string using semicolons as a separatorCorrect

CSPP targets backend connection strings (commonly used in database drivers and data sources) by appending crafted parameters using semicolons, which are the standard separator in many connection string formats. This allows an attacker to override intended parameters such as the target server or authentication credentials.

BInserting malicious Javascript code into input parameters

Injecting malicious JavaScript into input parameters describes Cross-Site Scripting (XSS), a completely different attack class targeting client-side rendering.

CSetting a user's session identifier (SID) to an explicit known value

Setting a user's session identifier to a known value describes a Session Fixation attack, not CSPP.

DAdding multiple parameters with the same name in HTTP requests

Adding multiple parameters with the same name in HTTP requests describes HTTP Parameter Pollution (HPP), a distinct web-layer attack unrelated to connection strings.

Concept tested: Connection Stream Parameter Pollution attack technique

Source: https://owasp.org/www-community/attacks/HTTP_Parameter_Pollution

Topics

#CSPP#parameter injection#connection string#web attack

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice