CompTIA PenTest+ (PT0-002) — Question 208

A penetration tester is validating whether input validation mechanisms have been implemented in a web application.

Which of the following should the tester use to determine whether the application is vulnerable to path traversal attacks?

Answer options

• A. GET /image?filename-..%2f..%2f..%2f..%2f..%2f..%2fetc%2fhosts
• B. GET /image?filename=lefitfe;pwd
• C. POST /image?filename -
• D. POST /image?filename =yhtak;ncat --ssl 192.168.0.1 2222

Correct answer: A

Explanation

The correct answer, A, uses a path traversal sequence to attempt to access sensitive files like /etc/hosts, which is a common method to exploit vulnerabilities in input validation. Option B does not utilize path traversal but instead tries to execute a command, while C does not provide a valid traversal attempt, and D mixes command execution with improper formatting, making them ineffective for this specific test.