CompTIA PenTest+ (PT0-002) — Question 367
A penetration tester is testing a client's infrastructure and discovers an API that provides information about the infrastructure that can be used to configure or manage the instances. The penetration tester uses this API to obtain temporary credentials used to access the infrastructure. Which of the following types of attacks did the penetration tester use?
Answer options
- A. Direct-to-origin
- B. Side-channel
- C. Cloud malware injection
- D. Metadata service
Correct answer: D
Explanation
The correct answer is D: the API described in the question is the metadata service, and the penetration tester queries it to obtain temporary credentials. Direct-to-origin and side-channel attacks do not describe obtaining sensitive information through this API, and cloud malware injection is a different type of attack that involves malicious code.