CompTIA CySA+ (CS0-003) — Question 392

An application security analyst needs to test a web application for input validation vulnerabilities. The analyst does not have the source code and does not have documentation for the APIs. Which of the following techniques will best aid the analyst in vulnerability testing?

Answer options

• A. Fuzzing operation
• B. Agentless scanning
• C. Reverse engineering
• D. Use of a SAST tool

Correct answer: A

Explanation

Fuzzing is a technique that involves sending a large amount of random data to the application to uncover input validation weaknesses, making it the best choice without source code or API documentation. Agentless scanning typically assesses vulnerabilities from a network perspective rather than application-level issues. Reverse engineering may not be feasible without access to the source code, and SAST tools are designed for static code analysis, which is not applicable here.