312-50V11 · Question #285
What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?
The correct answer is A. Injecting parameters into a connection string using semicolons as a separator. Connection String Parameter Pollution (CSPP) exploits how database drivers parse connection strings by injecting additional parameters using semicolons as delimiters to override or append values.
Question
What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?
Options
- AInjecting parameters into a connection string using semicolons as a separator
- BInserting malicious Javascript code into input parameters
- CSetting a user's session identifier (SID) to an explicit known value
- DAdding multiple parameters with the same name in HTTP requests
How the community answered
(24 responses)- A83% (20)
- B4% (1)
- C8% (2)
- D4% (1)
Why each option
Connection String Parameter Pollution (CSPP) exploits how database drivers parse connection strings by injecting additional parameters using semicolons as delimiters to override or append values.
CSPP works by injecting parameters into a database connection string using semicolons, which many drivers use as parameter separators. This allows an attacker to override existing parameters such as credentials or server targets, or inject unauthorized values. The attack targets the parsing logic of the connection string handler, not the HTTP layer or JavaScript engine.
Inserting malicious JavaScript into input parameters describes Cross-Site Scripting (XSS), a completely different attack category targeting client-side execution.
Setting a session identifier to a known value describes a session fixation attack, not a connection string manipulation technique.
Submitting multiple HTTP parameters with the same name describes HTTP Parameter Pollution (HPP), which targets web application parameter parsing, not database connection strings.
Concept tested: Connection String Parameter Pollution injection technique
Source: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution
Topics
Community Discussion
No community discussion yet for this question.