Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

CompTIA Exam PT0-002 Topic 1 Question 49 Discussion

Actual exam question for CompTIA's PT0-002 exam
Question #: 49
Topic #: 1
[All PT0-002 Questions]

A penetration tester managed to exploit a vulnerability using the following payload:

IF (1=1) WAIT FOR DELAY '0:0:15'

Which of the following actions would best mitigate this type ol attack?

Show Suggested Answer Hide Answer
Suggested Answer: B

The payload used by the penetration tester is a type of blind SQL injection attack that delays the response of the database by 15 seconds if the condition is true. This can be used to extract information from the database by asking a series of true or false questions. To prevent this type of attack, the best practice is to use parameterized queries, which separate the user input from the SQL statement and prevent the injection of malicious code. Encrypting passwords, encoding output, and sanitizing HTML are also good security measures, but they do not directly address the SQL injection vulnerability.Reference:

The Official CompTIA PenTest+ Study Guide (Exam PT0-002), Chapter 5: Attacks and Exploits, Section 5.2: Perform Network Attacks, Subsection: SQL Injection, p. 235-237

Blind SQL Injection | OWASP Foundation, Description and Examples sections

Time-Based Blind SQL Injection Attacks, Introduction and Microsoft SQL Server sections


Contribute your Thoughts:

Eun
8 months ago
I agree with Margot. Parameterizing the queries is the best way to go. It's a rock-solid defense against SQL injection attacks like this. Plus, it's a lot more secure than, like, encoding the output or something.
upvoted 0 times
Laquanda
7 months ago
Plus, it's a lot more secure than encoding the output.
upvoted 0 times
...
Dean
7 months ago
I agree with Margot. It's a rock-solid defense against SQL injection attacks.
upvoted 0 times
...
Desire
8 months ago
Parameterizing the queries is the best way to go.
upvoted 0 times
...
Shawana
8 months ago
D) Sanitizing HTML
upvoted 0 times
...
Iola
8 months ago
C) Encoding output
upvoted 0 times
...
Justine
8 months ago
B) Parameterizing queries
upvoted 0 times
...
Ngoc
8 months ago
A) Encrypting passwords
upvoted 0 times
...
...
Margot
8 months ago
Okay, let's think this through. Based on the options, I'd say parameterizing the queries is the way to go. That way, even if the attacker tries something funky, the database will just treat it as regular input and not execute it.
upvoted 0 times
...
Colette
8 months ago
Yeah, no kidding. I remember learning about this in my security course. Definitely not something you want to mess with, especially in a production environment.
upvoted 0 times
...
Lawana
8 months ago
Whoa, that's a really tricky one! I mean, who would have thought a simple `IF` statement could cause so much trouble? This is some serious SQL injection stuff.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77