CAS-003 · Question #47
An internal penetration tester was assessing a recruiting page for potential issues before it was pushed to the production website. The penetration tester discovers an issue that must be corrected bef
The correct answer is B. CSRF. The attack vector used is CSRF (Cross-Site Request Forgery). CSRF tricks an authenticated user's browser into submitting a forged request to a web application on behalf of the attacker. A penetration tester assessing a recruiting page would look for forms or actions that can be t
Question
An internal penetration tester was assessing a recruiting page for potential issues before it was pushed to the production website. The penetration tester discovers an issue that must be corrected before the page goes live. The web host administrator collects the log files below and gives them to the development team so improvements can be made to the security design of the website. Which of the following types of attack vector did the penetration tester use?
Exhibit
Options
- ASQLi
- BCSRF
- CBrute force
- DXSS
- ETOC/TOU
How the community answered
(56 responses)- A7% (4)
- B75% (42)
- C2% (1)
- D14% (8)
- E2% (1)
Explanation
The attack vector used is CSRF (Cross-Site Request Forgery). CSRF tricks an authenticated user's browser into submitting a forged request to a web application on behalf of the attacker. A penetration tester assessing a recruiting page would look for forms or actions that can be triggered without proper origin validation. The log files would show requests originating from a different source than expected, confirming the forged request pattern. SQLi would show malformed database queries, XSS would involve injected scripts, brute force would show repeated login attempts, and TOC/TOU is a race condition attack - none of which match the described scenario.
Topics
Community Discussion
No community discussion yet for this question.
