nerdexam
CompTIA

CAS-003 · Question #47

An internal penetration tester was assessing a recruiting page for potential issues before it was pushed to the production website. The penetration tester discovers an issue that must be corrected bef

The correct answer is B. CSRF. The attack vector used is CSRF (Cross-Site Request Forgery). CSRF tricks an authenticated user's browser into submitting a forged request to a web application on behalf of the attacker. A penetration tester assessing a recruiting page would look for forms or actions that can be t

Enterprise Security Operations

Question

An internal penetration tester was assessing a recruiting page for potential issues before it was pushed to the production website. The penetration tester discovers an issue that must be corrected before the page goes live. The web host administrator collects the log files below and gives them to the development team so improvements can be made to the security design of the website. Which of the following types of attack vector did the penetration tester use?

Exhibit

CAS-003 question #47 exhibit

Options

  • ASQLi
  • BCSRF
  • CBrute force
  • DXSS
  • ETOC/TOU

How the community answered

(56 responses)
  • A
    7% (4)
  • B
    75% (42)
  • C
    2% (1)
  • D
    14% (8)
  • E
    2% (1)

Explanation

The attack vector used is CSRF (Cross-Site Request Forgery). CSRF tricks an authenticated user's browser into submitting a forged request to a web application on behalf of the attacker. A penetration tester assessing a recruiting page would look for forms or actions that can be triggered without proper origin validation. The log files would show requests originating from a different source than expected, confirming the forged request pattern. SQLi would show malformed database queries, XSS would involve injected scripts, brute force would show repeated login attempts, and TOC/TOU is a race condition attack - none of which match the described scenario.

Topics

#CSRF#web application attacks#penetration testing#attack vectors

Community Discussion

No community discussion yet for this question.

Full CAS-003 Practice