CompTIA CASP+ (CAS-003) — Question 216

An internal penetration tester finds a legacy application that takes measurement input made in a text box and outputs a specific string of text related to industry requirements. There is no documentation about how this application works, and the source code has been lost. Which of the following would BEST allow the penetration tester to determine the input and output relationship?

Answer options

• A. Running an automated fuzzer
• B. Constructing a known cipher text attack
• C. Attempting SQL injection commands
• D. Performing a full packet capture
• E. Using the application in a malware sandbox

Correct answer: A

Explanation

Running an automated fuzzer is the best method because it systematically tests various inputs to observe corresponding outputs, revealing the application's behavior. The other options, such as SQL injection or packet capture, do not directly relate to understanding the input-output relationship of the application.