nerdexam
EC-Council

312-50V9 · Question #58

What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?

The correct answer is A. Injecting parameters into a connection string using semicolons as a separator. A Connection String Parameter Pollution (CSPP) attack injects extra parameters into a database connection string by appending them after a semicolon separator. This can override or add configuration values to manipulate how the application connects to the database.

Hacking Web Applications

Question

What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?

Options

  • AInjecting parameters into a connection string using semicolons as a separator
  • BInserting malicious Javascript code into input parameters
  • CSetting a user's session identifier (SID) to an explicit known value
  • DAdding multiple parameters with the same name in HTTP requests

How the community answered

(54 responses)
  • A
    74% (40)
  • B
    4% (2)
  • C
    15% (8)
  • D
    7% (4)

Why each option

A Connection String Parameter Pollution (CSPP) attack injects extra parameters into a database connection string by appending them after a semicolon separator. This can override or add configuration values to manipulate how the application connects to the database.

AInjecting parameters into a connection string using semicolons as a separatorCorrect

CSPP attacks target database connection strings, which use semicolons as delimiters between key-value parameter pairs. By injecting a semicolon followed by crafted parameters (such as 'Server=attacker' or 'Trusted_Connection=yes'), an attacker can override legitimate connection string values or inject malicious configuration. This technique exploits how connection string parsers process duplicate or appended parameters, potentially redirecting database connections or escalating privileges.

BInserting malicious Javascript code into input parameters

Injecting malicious JavaScript into input parameters describes a Cross-Site Scripting (XSS) attack, which targets client-side script execution in browsers, not database connection strings.

CSetting a user's session identifier (SID) to an explicit known value

Setting a user's session identifier to a known explicit value describes a session fixation attack, which targets authentication session management rather than database connection parameters.

DAdding multiple parameters with the same name in HTTP requests

Adding multiple parameters with the same name in HTTP requests describes HTTP Parameter Pollution (HPP), which exploits how web servers and frameworks parse query strings, not database connection strings.

Concept tested: Connection String Parameter Pollution attack technique

Source: https://owasp.org/www-community/attacks/Web_Parameter_Tampering

Topics

#CSPP#connection string injection#parameter pollution#web application attack

Community Discussion

No community discussion yet for this question.

Full 312-50V9 Practice