CompTIA PenTest+ (PT0-002) — Question 322

During an assessment of a web application, a penetration tester would like to test the application for blind SQL injection. Which of the following techniques should the penetration tester perform next?

Answer options

• A. 1' ORDER BY 1--+
• B. '; IF (1=1) WAITFOR DELAY '0:0:10'--
• C. xyz' AND '1' = '1
• D. xyz' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a)

Correct answer: B

Explanation

The correct answer is B because using 'WAITFOR DELAY' allows the tester to determine whether the application is vulnerable to blind SQL injection by measuring the response time. The other options either test for error-based SQL injection or do not effectively demonstrate the ability to exploit a delay in response time, which is crucial for blind SQL injection assessments.