CompTIA Pentest+ Chapter 9 Questions Flashcards
During a pentest engagement, the system developer approached you and asked if you could help figure out what was going on in one of the Apache HTTP log files on the server. The error.log file showed the following message: during an HTTP GET request. The developer knew that the request was not from the ongoing pentest, since the IP addresses were outside of the scope of engagement. Which type of attack was likely used against the target web server?
A.DOM-based XSS attack
B.Cross-site request forgery (CSRF)
C.XXE injection
D.SQL Injection
C.XXE injection
Explanation:
C. XML eXternal Entity (XXE) injection attacks target XML documents and attempt to manipulate the declaration of an internal or external entity that is parsed when the document is processed. The injection attempt captured in the log file was an attacker's attempt to read the local SSH key of the user account. These types of attacks can lead to remote command execution as well.
These types of attacks can be mitigated by disabling external entities or sanitizing the user-supplied input and restricting where the document points its requests.
2. One of the members of your pentest team is trying to insert a malicious record in the MySQL database that will execute some proof-of-concept code to steal cookies from a user's web browser. However, the INSERT statement is not working. Looking at the following syntax, what is the likely cause of the error?
mysql> INSERT into app.data (header, body, message, webForm) VALUES ("HACK", 404, "HACK");
A.The second column value is missing quotations.
B.The INSERT statement is missing a value for the fourth column and it can’t be null.
C.One of the field values exceeds the size limitation
D.There is no error in the INSERT statement
B.The INSERT statement is missing a value for the fourth column and it can’t be null.
Explanation:
B. The INSERT statement is missing a value for the fourth column. Each column identified within the INSERT statement needs to have a field value. If one of the fields is a required field, that field is not allowed to be null, such as an empty
A UDF can help facilitate command execution during a pentest if the compromised database user has admin rights (e.g., root) or elevated privileges and the database is configured with the sys_exec() and __________ functions.
A.sys_eval()
B.system_eval()
C.exec_sys()
D.sys_udf()
A.sys_eval()
Explanation: The sys_eval() and sys_exec() functions are required to be configured on the database server in order for a user-defined function (UDF) to be created, which can ultimately lead to command execution against the operating system with the privileges of the operating system user that owns the process.
Given the following URL, which two methods could be used to test for SQL injection against the database within the web parameters? (Select two.)
http://example.com/page.php?id=1&acct=162;jsessionid=567323456798
A.?id=1'&acct=144;jsessionid=567323456798
B.?id=1'&acct=162';jsessionid=567323456798
C.?id=1;--&acct=162;jsessionid=567323456798
D.?id=1'&acct=144';jsessionid=567323456798
B.?id=1'&acct=162';jsessionid=567323456798
D.?id=1'&acct=144';jsessionid=567323456798
Explanation:
The "'", "--", and ";" characters are all ways to help trigger an error response from a database that lacks application or database filtering.
You come across a web page that requires authentication with a valid username and login. Using CeWL, you decide to build your own wordlist using content derived from the website. The website has many pages, and you decide to start from the index.html page and go five pages deeper into the site to identify word lengths that are a minimum of eight characters. Which command options will help you build the wordlist you are looking for?
A.-d 5 -8
B.-w 8 -d 5
C.-m 8 -d 5
D.-a 8 -d 5
C.-m 8 -d 5
Explanation:
The -d option is used to specify how deep to traverse into the website, and -m is used to specify the minimum length of the words the tool collects.
While testing a web application running on Windows Server 2016, you find a web parameter vulnerability to a path traversal attack. Which of the following choices would be the best choice at demonstrating a path traversal attack?
A.?id=C:\Windows\system32\etc/passwd
B.?id=../../../../C:/Windows/etc/passwd
C.?id=%20.%20C:/Windows/boot.ini
D.?id=..\..\..\..\C:/Windows/boot.ini
D.?id=..\..\..\..\C:/Windows/boot.ini
Explanation:
The best answer is D, as it can help escape a basic forward-slash content filter and potentially show the contents of the boot.ini file.
Which of the following are valid client-side attacks? (Select all that apply.)
A.Clickjacking
B.Command injection
C.Directory traversal
D.Reflected HTML injection
E.DOM-based XSS
F.Session hijacking
A.Clickjacking
D.Reflected HTML injection
E.DOM-based XSS
F.Session hijacking
Explanation:
All the answers are correct, with the exception of command injection and directory traversal. Those attacks target server-side vulnerabilities.
What is the purpose of the Document Object Model (DOM) within a user’s web browser?
A.Structuring content in the browser
B.Passing messages to other entities
C.Storing encrypted values followed by the “#” sign
D.Helping to mitigate against XSS attacks
A.Structuring content in the browser
Explanation:
During runtime, the application will pass down the DOM to help structure content within the browser. DOM modules may include JavaScript code that can execute locally within the user’s browser.
Which of the following options could be an IDOR, given the following URLs? (Select all that apply.)
A.http://example.com/index.php?emp_id=12345
B.http://example.com/index.php
C.http://example.com/sales.php?acct=4532345
D.http://example.com/profile.php?state=CA&zip=90001
A.http://example.com/index.php?emp_id=12345
C.http://example.com/sales.php?acct=4532345
Explanation:
The "acct=" and "emp_id=" parameters are somewhat of a dead giveaway, in that they may be linked to another user's information that could be retrieved without the necessary access controls within the web application or database. Option B was simply a URL with nothing to infer, and option D provided what looked to be parameters associated with a state and ZIP code and nothing of potential value with regard to an insecure direct object reference.