312-50V9 · Question #58
What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?
The correct answer is A. Injecting parameters into a connection string using semicolons as a separator. A Connection String Parameter Pollution (CSPP) attack injects extra parameters into a database connection string by appending them after a semicolon separator. This can override or add configuration values to manipulate how the application connects to the database.
Question
What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?
Options
- AInjecting parameters into a connection string using semicolons as a separator
- BInserting malicious Javascript code into input parameters
- CSetting a user's session identifier (SID) to an explicit known value
- DAdding multiple parameters with the same name in HTTP requests
How the community answered
(54 responses)- A74% (40)
- B4% (2)
- C15% (8)
- D7% (4)
Why each option
A Connection String Parameter Pollution (CSPP) attack injects extra parameters into a database connection string by appending them after a semicolon separator. This can override or add configuration values to manipulate how the application connects to the database.
CSPP attacks target database connection strings, which use semicolons as delimiters between key-value parameter pairs. By injecting a semicolon followed by crafted parameters (such as 'Server=attacker' or 'Trusted_Connection=yes'), an attacker can override legitimate connection string values or inject malicious configuration. This technique exploits how connection string parsers process duplicate or appended parameters, potentially redirecting database connections or escalating privileges.
Injecting malicious JavaScript into input parameters describes a Cross-Site Scripting (XSS) attack, which targets client-side script execution in browsers, not database connection strings.
Setting a user's session identifier to a known explicit value describes a session fixation attack, which targets authentication session management rather than database connection parameters.
Adding multiple parameters with the same name in HTTP requests describes HTTP Parameter Pollution (HPP), which exploits how web servers and frameworks parse query strings, not database connection strings.
Concept tested: Connection String Parameter Pollution attack technique
Source: https://owasp.org/www-community/attacks/Web_Parameter_Tampering
Topics
Community Discussion
No community discussion yet for this question.