PT0-001 Question #218: Real Exam Question with Answer & Explanation
The correct answer is B: The penetration tester needs an OAuth bearer token.
Question
A penetration tester is performing a black-box test of a client web application, and the scan host is unable to access it. The client has sent screenshots showing the system is functioning correctly. Which of the following is MOST likely the issue?
Options
- A. The penetration tester was not provided with a WSDL file.
- B. The penetration tester needs an OAuth bearer token.
- C. The tester has provided an incorrect password for the application.
- D. An IPS/WAF whitelist is in place to protect the environment.
Explanation
The scan host cannot reach the web application while the client sees it working normally; the most likely cause is that the application requires an OAuth bearer token for access that the tester was not provided.
Common mistakes.
- A. A WSDL file describes the interface of a SOAP web service; its absence would prevent the tester from understanding service endpoints but would not prevent the scan host from reaching the application.
- C. An incorrect password applies only to form-based or basic authentication scenarios and would result in a login failure response rather than a complete inability to access the application.
- D. An IPS/WAF whitelist blocking the scan host is possible but less likely in a formal engagement, as rules of engagement typically require the client to whitelist the tester's source IP before testing begins.
Concept tested. OAuth bearer token requirement blocking unauthenticated scanner access