CompTIA PenTest+ (PT0-001) — Question 104
A recently concluded penetration test revealed that a legacy web application is vulnerable to SQL injection. Research indicates that completely remediating the vulnerability would require an architectural change, and the stakeholders are not in a position to risk the availability of the application. Under such circumstances, which of the following controls are low-effort, short-term solutions to minimize the SQL injection risk? (Choose two.)
Answer options
- A. Identify and eliminate inline SQL statements from the code.
- B. Identify and eliminate dynamic SQL from stored procedures.
- C. Identify and sanitize all user inputs.
- D. Use a whitelist approach for SQL statements.
- E. Use a blacklist approach for SQL statements.
- F. Identify the source of malicious input and block the IP address.
Correct answer: C, D
Explanation
Options C and D are the low-effort, short-term controls. Sanitizing all user input (C) and accepting only values that match a whitelist of expected forms (D), for example digits only for a numeric identifier or a fixed set of permitted column names, can be enforced at the input boundary, or in front of the application in a WAF, without changing how the application builds or executes its queries. Options A and B describe the real fix (removing inline SQL and dynamic SQL in favour of parameterized queries), but that is the architectural change the stakeholders have ruled out for now. Option E, a blacklist of known-bad strings, is routinely bypassed with case changes, comments, encoding, or alternative syntax that the list does not anticipate, so it reduces risk far less than a whitelist. Option F is reactive and trivially evaded, since an attacker simply changes source address; it does nothing to stop the next request from a different IP.
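The following is an added example, not part of the original question or its explanation. It uses a constructed in-memory SQLite table to show why the whitelist control (D) is the stronger short-term mitigation: the legacy inline query stays exactly as it is, a blacklist (E) is bypassed by a payload it did not anticipate, and a whitelist of what a user id and a sort column may legitimately look like rejects every injection attempt. All table names, column names, payloads, and the function names are assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the original page).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (id INTEGER, username TEXT, role TEXT);
INSERT INTO users VALUES (1, 'alice', 'user'), (2, 'bob', 'admin'), (3, 'carol', 'user');
""")


def lookup_user_unsafe(user_id: str) -> list:
    """The legacy pattern the question describes: inline SQL built by string concatenation.
    This function is intentionally left vulnerable; it is the code that would need the
    architectural change (parameterized queries) to fix properly."""
    sql = "SELECT username FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


# --- Option E: blacklist of known-bad tokens (weak; shown to be bypassable) ---
BLACKLIST = re.compile(r"(\bOR\b|\bUNION\b|--|;|')", re.IGNORECASE)


def blacklist_allows(value: str) -> bool:
    """Return True if none of the blacklisted tokens appear in the input."""
    return BLACKLIST.search(value) is None


def lookup_user_blacklisted(user_id: str) -> list:
    """Blacklist in front of the unchanged legacy query."""
    if not blacklist_allows(user_id):
        raise ValueError("rejected by blacklist: %r" % user_id)
    return lookup_user_unsafe(user_id)


# --- Options C and D: sanitize input and accept only whitelisted forms ---
# A user id may only be 1 to 9 ASCII digits; anything else is rejected outright.
USER_ID_PATTERN = re.compile(r"[0-9]{1,9}")
# A sort column may only be one of the names the application actually supports.
ALLOWED_SORT_COLUMNS = {"id", "username"}


def whitelist_user_id(value: str) -> str:
    value = value.strip()  # sanitize: trim surrounding whitespace before validating
    if not USER_ID_PATTERN.fullmatch(value):
        raise ValueError("rejected by whitelist: %r" % value)
    return value


def whitelist_sort_column(value: str) -> str:
    if value not in ALLOWED_SORT_COLUMNS:
        raise ValueError("rejected by whitelist: %r" % value)
    return value


def lookup_user_guarded(user_id: str, sort_by: str = "id") -> list:
    """Whitelist validation wrapped around the same inline query.
    The query text is still concatenated (no architectural change), but only
    values that cannot carry SQL syntax are allowed to reach it."""
    uid = whitelist_user_id(user_id)
    col = whitelist_sort_column(sort_by)
    sql = "SELECT username FROM users WHERE id = " + uid + " ORDER BY " + col
    return [row[0] for row in conn.execute(sql)]


def guarded_accepts(user_id: str, sort_by: str = "id") -> bool:
    """Convenience helper: True if the whitelisted lookup accepts the input."""
    try:
        lookup_user_guarded(user_id, sort_by)
        return True
    except ValueError:
        return False


def blacklisted_accepts(user_id: str) -> bool:
    try:
        lookup_user_blacklisted(user_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Classic payload: dumps every user through the legacy query.
    print(lookup_user_unsafe("1 OR 1=1"))
    # The blacklist catches the obvious form ...
    print(blacklisted_accepts("1 OR 1=1"))
    # ... but "0 = 0" contains no listed token. Because "=" is left-associative in
    # SQLite, "id = 0 = 0" parses as "(id = 0) = 0", which is true for every row.
    print(lookup_user_blacklisted("0 = 0"))
    # The whitelist rejects both payloads and a hostile sort column, and still
    # serves a legitimate request.
    print(guarded_accepts("1 OR 1=1"), guarded_accepts("0 = 0"),
          guarded_accepts("1", "username; DROP TABLE users"),
          lookup_user_guarded(" 2 "))
```

The point of the example is not that concatenation becomes safe; it is that, when the query cannot be rewritten yet, a tight whitelist on each input's legitimate shape leaves no room for SQL syntax to pass through, whereas a blacklist only stops the payloads its author thought of.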