CompTIA PenTest+ (PT0-002) — Question 220

While performing an assessment on a web application, a penetration tester notices the web browser creates the following request when clicking on the stock status for an item:

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://stock.shop.com:8080/product/stock/check%3FproductId%3D6%26storeId%3D1

Which of the following types of attacks would the penetration tester most likely try NEXT?

Answer options

Correct answer: D

Explanation

The correct answer is D, Server-side request forgery, because the stockApi parameter carries a complete URL that the server itself fetches, so an attacker who manipulates that parameter can potentially make the server send requests to internal services it can reach. Options A, B, and C do not directly relate to exploiting the behavior observed in this request, making them less likely next steps in this context.
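As an added example (not from CompTIA or from the page), assuming the shop's stock back-end is exactly the scheme, host, port and path seen in the request above: the "before" handler forwards whatever URL the client supplied, which is the SSRF, while the "after" handler accepts the parameter only when it names that one back-end and then rebuilds the outbound URL from validated integers rather than forwarding the client's string.

```python
from urllib.parse import parse_qs, urlparse, urlencode

# Constructed request body, copied from the form-encoded POST shown above.
SAMPLE_BODY = "stockApi=http://stock.shop.com:8080/product/stock/check%3FproductId%3D6%26storeId%3D1"

# Assumed allowlist for this example: the only back-end the stock check may reach.
STOCK_SCHEME, STOCK_HOST, STOCK_PORT = "http", "stock.shop.com", 8080
STOCK_PATH = "/product/stock/check"


def vulnerable_target(body: str) -> str:
    """'Before': return the client-supplied URL unchanged for the server to fetch.
    Any reachable host (including internal ones) can be named here: the SSRF."""
    return parse_qs(body)["stockApi"][0]


def hardened_target(body: str):
    """'After': accept stockApi only if it points at the expected back-end, then
    rebuild the outbound URL from trusted constants and validated integers.
    Returns None when the request must be rejected."""
    values = parse_qs(body).get("stockApi")
    if not values:
        return None
    try:
        parts = urlparse(values[0])
        port = parts.port  # raises ValueError on a malformed port such as ':abc'
    except ValueError:
        return None
    # Reject other schemes (file:, gopher:, ...) and user@host confusion tricks.
    if parts.scheme != STOCK_SCHEME or parts.username or parts.password:
        return None
    if parts.hostname != STOCK_HOST or port != STOCK_PORT or parts.path != STOCK_PATH:
        return None
    query = parse_qs(parts.query)
    try:
        product_id = int(query["productId"][0])
        store_id = int(query["storeId"][0])
    except (KeyError, ValueError):
        return None
    # Nothing from the client reaches the outbound URL except two integers.
    return f"{STOCK_SCHEME}://{STOCK_HOST}:{STOCK_PORT}{STOCK_PATH}?" + urlencode(
        {"productId": product_id, "storeId": store_id}
    )
```

A stronger fix is to stop accepting a URL at all and take productId and storeId as the only form fields; the hardened function above shows the same idea applied when the parameter shape cannot yet be changed.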