Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

CompTIA Exam PT0-002 Topic 1 Question 49 Discussion

Actual exam question for CompTIA's PT0-002 exam
Question #: 49
Topic #: 1
[All PT0-002 Questions]

A penetration tester managed to exploit a vulnerability using the following payload:

IF (1=1) WAIT FOR DELAY '0:0:15'

Which of the following actions would best mitigate this type ol attack?

Show Suggested Answer Hide Answer
Suggested Answer: B

The payload used by the penetration tester is a type of blind SQL injection attack that delays the response of the database by 15 seconds if the condition is true. This can be used to extract information from the database by asking a series of true or false questions. To prevent this type of attack, the best practice is to use parameterized queries, which separate the user input from the SQL statement and prevent the injection of malicious code. Encrypting passwords, encoding output, and sanitizing HTML are also good security measures, but they do not directly address the SQL injection vulnerability.Reference:

The Official CompTIA PenTest+ Study Guide (Exam PT0-002), Chapter 5: Attacks and Exploits, Section 5.2: Perform Network Attacks, Subsection: SQL Injection, p. 235-237

Blind SQL Injection | OWASP Foundation, Description and Examples sections

Time-Based Blind SQL Injection Attacks, Introduction and Microsoft SQL Server sections


by Marvel at Jan 28, 2024, 12:28 PM

Limited Time Offer

25%

Off

Get Premium PT0-002 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Eun
8 days ago
I agree with Margot. Parameterizing the queries is the best way to go. It's a rock-solid defense against SQL injection attacks like this. Plus, it's a lot more secure than, like, encoding the output or something.
upvoted 0 times
...
Margot
9 days ago
Okay, let's think this through. Based on the options, I'd say parameterizing the queries is the way to go. That way, even if the attacker tries something funky, the database will just treat it as regular input and not execute it.
upvoted 0 times
...
Colette
10 days ago
Yeah, no kidding. I remember learning about this in my security course. Definitely not something you want to mess with, especially in a production environment.
upvoted 0 times
...
Lawana
11 days ago
Whoa, that's a really tricky one! I mean, who would have thought a simple `IF` statement could cause so much trouble? This is some serious SQL injection stuff.
upvoted 0 times
...

Save Cancel