CompTIA CASP+ (CAS-002) — Question 2

After being notified of an issue with the online shopping cart, where customers are able to arbitrarily change the price of listed items, a programmer analyzes the following piece of code used by a web based shopping cart.
SELECT ITEM FROM CART WHERE ITEM=ADDSLASHES($USERINPUT);
The programmer found that every time a user adds an item to the cart, a temporary file is created on the web server /tmp directory. The temporary file has a name which is generated by concatenating the content of the $USERINPUT variable and a timestamp in the form of MM-DD-YYYY, (e.g. smartphone-12-25-2013.tmp) containing the price of the item being purchased. Which of the following is MOST likely being exploited to manipulate the price of a shopping carts items?

Answer options

• A. Input validation
• B. SQL injection
• C. TOCTOU
• D. Session hijacking

Correct answer: C

Explanation

The correct answer is C, TOCTOU (Time of Check to Time of Use), which refers to a race condition where the file's state can change between the time it's checked and the time it's used, allowing the price to be manipulated. Option A, Input validation, is incorrect because the issue isn't about validating input but rather the timing of file access. Option B, SQL injection, does not apply here as the problem is not related to SQL queries. Option D, Session hijacking, is also irrelevant as it pertains to gaining unauthorized access to a user's session rather than manipulating item prices.