CompTIA PenTest+ (PT0-002) — Question 83
A penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider's metadata and get the credentials used by the instance to authenticate itself. Which of the following vulnerabilities has the tester exploited?
Answer options
- A. Cross-site request forgery
- B. Server-side request forgery
- C. Remote file inclusion
- D. Local code inclusion
Correct answer: B
Explanation
The correct answer is B, Server-side request forgery. The tester was able to access sensitive information from the cloud provider's metadata service, which is indicative of exploiting SSRF: the metadata service is meant to be reached only from the instance itself, so the request had to be issued by the application's server on the tester's behalf. The other options, A (Cross-site request forgery), C (Remote file inclusion), and D (Local code inclusion), do not directly relate to accessing metadata or instance credentials in this context.