CompTIA PenTest+ (PT0-002) — Question 289
A penetration tester is testing a company's public API and discovers that specific input allows the execution of arbitrary commands on the base operating system. Which of the following actions should the penetration tester take next?
Answer options
- A. Include the findings in the final report.
- B. Notify the client immediately.
- C. Document which commands can be executed.
- D. Use this feature to further compromise the server.
Correct answer: B
Explanation
The correct answer is B: arbitrary command execution on the underlying operating system is a critical finding, and notifying the client immediately lets them understand its severity and take the necessary actions without delay. Option A is incorrect because, while the finding must be included in the final report, that is not the immediate action. Option C, documenting which commands can be executed, is less urgent than alerting the client to the risk. Option D is unethical and could cause further damage to the server, so it is not an appropriate choice.