CompTIA
PT0-001 · Question #142
PT0-001 Question #142: Real Exam Question with Answer & Explanation
The correct answer is B: https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-. This scenario describes a Cross-Site Request Forgery (CSRF) attack where a crafted URL silently triggers a fund transfer using the victim's authenticated session.
Attacks and exploits
Question
Joe, an attacker, intends to transfer funds discreetly from a victim's account to his own. Which of the following URLs can he use to accomplish this attack?
Options
- A. https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-
- B. https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-
- C. https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-
- D. https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-
Explanation
This scenario describes a Cross-Site Request Forgery (CSRF) attack. The ACH.aspx endpoint performs a state-changing action (a fund transfer) on a plain GET request and authorizes it using nothing but the victim's session cookie, which the browser attaches automatically to any request to testbank.com. Joe therefore does not need the victim's credentials: he only needs the victim's browser to load the URL while logged in, for example through an image tag or link on a page he controls. The correct option is the one whose query parameters name Joe's own account as the transfer destination; the others carry the same attack shape but do not route the money to him. The defence is to make state changes accept only POST requests that carry a per-session anti-CSRF token, and to mark the session cookie SameSite so cross-site requests do not carry it at all.
Common mistakes.
- A. The destination parameters in this variant do not route the funds to Joe's account, so the request either fails or transfers nothing he can collect.
- C. This variant's parameters would not be accepted by the endpoint as a valid, authorized transfer to Joe's account.
- D. This variant does not name Joe's account as the destination, so any transfer it triggers would not reach him.
Concept tested. Cross-Site Request Forgery (CSRF) fund transfer via crafted URL
Reference. https://owasp.org/www-community/attacks/csrf
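The following is an added example, not part of the exam question or the referenced OWASP page. It simulates in plain Python (no web framework) a GET-driven transfer endpoint of the kind the question describes, beside a hardened version, and replays the requests Joe's lure page would cause the victim's browser to send. The customer ID 435345, the path and the first two parameters come from the question; the parameter names `action=transfer`, `to` and `amount`, the attacker account 999999, the cookie name and the token value are assumptions chosen for illustration.

```python
"""Added example: a CSRF-able GET transfer endpoint beside a hardened one.
Server logic and data are simulated in-process; nothing here is the real app."""
import hmac
from urllib.parse import parse_qs, urlsplit

BANK_ORIGIN = "https://testbank.com"
TRANSFER_PATH = "/BankingApp/ACH.aspx"

# Constructed state. 435345 is the victim (from the question);
# 999999 is a hypothetical account controlled by Joe.
ACCOUNTS = {"435345": 1000, "999999": 0}
# Hypothetical session store: cookie value -> customer plus a per-session anti-CSRF token.
SESSIONS = {"s3ss10n": {"cust_id": "435345", "csrf": "4f9c1e7a-synchronizer-token"}}


def _parse(url):
    parts = urlsplit(url)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}


def _session(cookies):
    # The browser attaches this cookie to every request to testbank.com,
    # including requests that an attacker's page causes it to make.
    return SESSIONS.get(cookies.get("ASP.NET_SessionId"))


def transfer(cust_id, params):
    """Business logic shared by both handlers ('to'/'amount' are assumed names)."""
    to = params.get("to")
    try:
        amount = int(params.get("amount", "0"))
    except ValueError:
        return 400, "bad amount"
    if to not in ACCOUNTS or amount <= 0 or ACCOUNTS[cust_id] < amount:
        return 400, "rejected"
    ACCOUNTS[cust_id] -= amount
    ACCOUNTS[to] += amount
    return 200, "transferred"


def vulnerable_handler(method, url, cookies, headers, body=None):
    """Vulnerable: a GET with the right query string moves money. Nothing ties
    the request to a form the user actually submitted on testbank.com."""
    path, params = _parse(url)
    sess = _session(cookies)
    if sess is None or path != TRANSFER_PATH:
        return 401, "no session"
    if params.get("action") == "transfer":  # assumed action value
        return transfer(sess["cust_id"], params)
    return 200, "ok"


def hardened_handler(method, url, cookies, headers, body=None):
    """Hardened: state changes only on POST, the body must carry the session's
    synchronizer token, and cross-site senders are refused via Origin/Referer
    and Sec-Fetch-Site as defence in depth (the token is the primary control)."""
    path, _ = _parse(url)
    body = body or {}
    sess = _session(cookies)
    if sess is None or path != TRANSFER_PATH:
        return 401, "no session"
    if method != "POST":
        return 405, "state change requires POST"
    source = headers.get("Origin") or headers.get("Referer", "")
    # Exact-origin match: 'https://testbank.com.evil.example' must not pass.
    if source != BANK_ORIGIN and not source.startswith(BANK_ORIGIN + "/"):
        return 403, "cross-site request blocked"
    # Absent header (old browser) is tolerated here; the token check still applies.
    if headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return 403, "cross-site request blocked"
    token = body.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403, "bad csrf token"
    if body.get("action") == "transfer":
        return transfer(sess["cust_id"], body)
    return 200, "ok"


def forged_cross_site_requests():
    """What Joe's lure page makes the victim's browser send: the <img src=...>
    style GET from the question, then a forged cross-site POST without a token."""
    url = (BANK_ORIGIN + TRANSFER_PATH
           + "?CustID=435345&accountType=F&action=transfer&to=999999&amount=500")
    cookies = {"ASP.NET_SessionId": "s3ss10n"}  # attached automatically
    headers = {"Referer": "https://evil.example/lure.html", "Sec-Fetch-Site": "cross-site"}
    body = {"action": "transfer", "to": "999999", "amount": "500"}  # Joe cannot read the token
    get_vuln = vulnerable_handler("GET", url, cookies, headers)
    get_hard = hardened_handler("GET", url, cookies, headers)
    post_hard = hardened_handler("POST", url, cookies, headers, body)
    return get_vuln, get_hard, post_hard


def legitimate_post():
    """A genuine transfer submitted from the bank's own form, token included."""
    cookies = {"ASP.NET_SessionId": "s3ss10n"}
    headers = {"Origin": BANK_ORIGIN, "Sec-Fetch-Site": "same-origin"}
    body = {"action": "transfer", "to": "999999", "amount": "100",
            "csrf_token": SESSIONS["s3ss10n"]["csrf"]}
    return hardened_handler("POST", BANK_ORIGIN + TRANSFER_PATH, cookies, headers, body)


if __name__ == "__main__":
    print(forged_cross_site_requests(), ACCOUNTS)
    print(legitimate_post(), ACCOUNTS)
```

Against the vulnerable handler the forged GET succeeds and 500 leaves the victim's account; the hardened handler rejects the same GET for its method and the forged POST for its cross-site source (and would reject it again for the missing token), while the bank's own form submission still goes through. In a real ASP.NET application the equivalent controls are the anti-forgery token helpers plus a SameSite attribute on the session cookie.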
Topics
#CSRF #web application attack #URL manipulation #fund transfer