CAS-002 Question #268: Real Exam Question with Answer & Explanation

The correct answer is C: Fuzzer and HTTP interceptor. Testing input validation in both free-form text fields and drop-down boxes requires a fuzzer to inject unexpected values and an HTTP interceptor to manipulate client-enforced drop-down constraints at the HTTP layer.

Question

An audit at a popular online shopping site reveals that a flaw in the website allows customers to purchase goods at a discounted rate. To improve security, the Chief Information Security Officer (CISO) has requested that the web-based shopping cart application undergo testing to validate user input in both free-form text fields and drop-down boxes. Which of the following is the BEST combination of tools and/or methods to use?

Options

  • A. Blackbox testing and fingerprinting
  • B. Code review and packet analyzer
  • C. Fuzzer and HTTP interceptor
  • D. Enumerator and vulnerability assessment

Explanation

Testing input validation in both kinds of control requires two capabilities. A fuzzer feeds the free-form text fields large volumes of unexpected, malformed, or boundary-case values to see whether the server rejects them correctly. A drop-down box, however, only constrains what the browser will send; an HTTP interceptor lets the tester modify the request after it leaves the browser, replacing the permitted drop-down value (for example, a price or quantity option) with arbitrary data, which is the only way to confirm that the server validates those values rather than trusting the client.

Common mistakes.

  • A. Blackbox testing is a general methodology rather than a specific tool, and fingerprinting identifies technology versions; neither directly exercises or validates input handling logic in text fields or drop-downs.
  • B. Code review examines source for logical flaws but does not dynamically test runtime input handling, and a packet analyzer passively captures traffic without manipulating input to probe validation boundaries.
  • D. An enumerator identifies valid usernames or resources and a vulnerability assessment scans for known CVEs; neither targets custom application-level input validation logic in shopping cart fields.

Concept tested. Web application input validation testing with fuzzing and HTTP interception

Reference. https://owasp.org/www-project-web-security-testing-guide/
