CompTIA PenTest+ (PT0-002) — Question 299

A company developed a new web application to allow its customers to submit loan applications. A penetration tester is reviewing the application and discovers that the application was developed in ASP and used MSSQL for its back-end database. Using the application's search form, the penetration tester inputs the following code in the search input field:

IMG SRC=vbscript:msgbox("Vulnerable_to_Attack");>originalAttribute="SRC"originalPath="vbscript;msgbox ("Vulnerable_to_Attack ");>"

When the tester checks the submit button on the search form, the web browser returns a pop-up windows that displays "Vulnerable_to_Attack." Which of the following vulnerabilities did the tester discover in the web application?

Answer options

• A. SQL injection
• B. Command injection
• C. Cross-site request forgery
• D. Cross-site scripting

Correct answer: D

Explanation

The correct answer is D, Cross-site scripting, because the tester's input allows the execution of arbitrary code in the browser, which is characteristic of XSS vulnerabilities. The other options do not apply here: SQL injection targets database queries, command injection involves executing system commands, and cross-site request forgery deals with unauthorized actions performed on behalf of an authenticated user.