CompTIA PenTest+ (PT0-002) — Question 280
A penetration tester is conducting an engagement for a company and has identified a vulnerable web application. During the reconnaissance phase the tester discovers that the internal web application contains end-of-life components. Which of the following is the most appropriate next step?
Answer options
- A. Report the vulnerability to the company’s IT department and provide the department with detailed information for patching the application
- B. Perform a brute-force attack on the web application’s log-in page to test the strength of user passwords
- C. Launch a denial-of-service attack against the web application to disrupt its availability and expose potential vulnerabilities
- D. Exploit the vulnerability to gain access to the web application’s back-end systems
Correct answer: D
Explanation
The correct answer is D because exploiting the vulnerability lets the penetration tester demonstrate the actual risk posed by the end-of-life components and provides concrete evidence about the security posture of the application. Options A, B, and C are not the immediate next step after a vulnerability has been identified: A moves straight to reporting, B tests password strength, and C disrupts service, none of which establishes access through the discovered weakness.