CompTIA PenTest+ (PT0-001) — Question 115
Which of the following vulnerabilities are MOST likely to be false positives when reported by an automated scanner on a static HTML web page? (Choose two.)
Answer options
- A. Missing secure flag for a sensitive cookie
- B. Reflected cross-site scripting
- C. Enabled directory listing
- D. Insecure HTTP methods allowed
- E. Unencrypted transfer of sensitive data
- F. Command injection
- G. Disclosure of internal system information
- H. Support of weak cipher suites
Correct answer: F, G
Explanation
Command injection and disclosure of internal system information are often false positives when a scanner flags them on a static HTML page, because such pages typically involve no server-side processing and do not expose internal system details. In contrast, the other options are more likely to be genuine vulnerabilities, which can be present in various web applications.