nerdexam
EC-Council

312-50V11 · Question #285

What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?

The correct answer is A. Injecting parameters into a connection string using semicolons as a separator. Connection String Parameter Pollution (CSPP) exploits how database drivers parse connection strings by injecting additional parameters using semicolons as delimiters to override or append values.

SQL Injection

Question

What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?

Options

  • AInjecting parameters into a connection string using semicolons as a separator
  • BInserting malicious Javascript code into input parameters
  • CSetting a user's session identifier (SID) to an explicit known value
  • DAdding multiple parameters with the same name in HTTP requests

How the community answered

(24 responses)
  • A
    83% (20)
  • B
    4% (1)
  • C
    8% (2)
  • D
    4% (1)

Why each option

Connection String Parameter Pollution (CSPP) exploits how database drivers parse connection strings by injecting additional parameters using semicolons as delimiters to override or append values.

AInjecting parameters into a connection string using semicolons as a separatorCorrect

CSPP works by injecting parameters into a database connection string using semicolons, which many drivers use as parameter separators. This allows an attacker to override existing parameters such as credentials or server targets, or inject unauthorized values. The attack targets the parsing logic of the connection string handler, not the HTTP layer or JavaScript engine.

BInserting malicious Javascript code into input parameters

Inserting malicious JavaScript into input parameters describes Cross-Site Scripting (XSS), a completely different attack category targeting client-side execution.

CSetting a user's session identifier (SID) to an explicit known value

Setting a session identifier to a known value describes a session fixation attack, not a connection string manipulation technique.

DAdding multiple parameters with the same name in HTTP requests

Submitting multiple HTTP parameters with the same name describes HTTP Parameter Pollution (HPP), which targets web application parameter parsing, not database connection strings.

Concept tested: Connection String Parameter Pollution injection technique

Source: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution

Topics

#CSPP#connection string injection#parameter injection#semicolon separator

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice