CompTIA PenTest+ (PT0-003) — Question 138

During an assessment, a penetration tester sends the following request:

POST /services/v1/users/create HTTP/1.1
Host: target-application.com
Content-Type: application/json
Content-Length: [dynamic]
Authorization: Bearer [FUZZE]

Which of the following attacks is the penetration tester performing?

Answer options

Correct answer: B

Explanation

The penetration tester is attempting to create a user through an API, which suggests they are exploiting the API's functionality and therefore indicates API abuse. The other options, such as directory traversal and server-side request forgery, do not match the context of manipulating API requests for unauthorized user creation.