Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

CompTIA Exam PT0-003 Topic 2 Question 21 Discussion

Actual exam question for CompTIA's PT0-003 exam
Question #: 21
Topic #: 2
[All PT0-003 Questions]

A penetration tester is trying to get unauthorized access to a web application and executes the following command:

GET /foo/images/file?id=2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

Which of the following web application attacks is the tester performing?

Show Suggested Answer Hide Answer
Suggested Answer: C

The attacker is attempting to access restricted files by navigating directories beyond their intended scope.

Directory Traversal (Option C):

The request uses encoded '../' sequences (%2e%2e%2f = ../) to move up directories and access /etc/passwd.

This is a classic directory traversal attack aimed at accessing system files.


Incorrect options:

Option A (Insecure Direct Object Reference - IDOR): IDOR exploits direct access to objects (e.g., changing user_id=123 to user_id=456), not directory navigation.

Option B (CSRF): CSRF forces users to execute unwanted actions, unrelated to directory access.

by Devorah at Mar 22, 2025, 06:34 AM

Limited Time Offer

25%

Off

Get Premium PT0-003 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Veronika
2 months ago
Well, this is clearly a directory traversal attempt. The tester is trying to access a sensitive file by using the '../' syntax to move up the directory tree. Not a very subtle approach, but hey, sometimes the direct route works!
upvoted 0 times
Mose
28 days ago
Directory Traversal
upvoted 0 times
...
Matt
30 days ago
Cross-Site Scripting
upvoted 0 times
...
Ettie
1 months ago
SQL Injection
upvoted 0 times
...
...
Ciara
2 months ago
Haha, this tester is just messing around, trying to see what they can get away with. I bet they're hoping for some juicy information in that /etc/passwd file!
upvoted 0 times
Kaycee
13 days ago
Cross-site Request Forgery (CSRF)
upvoted 0 times
...
Yuki
19 days ago
Directory Traversal
upvoted 0 times
...
Denae
26 days ago
Cross-site Scripting (XSS)
upvoted 0 times
...
Salley
1 months ago
SQL Injection
upvoted 0 times
...
...
Ceola
2 months ago
I think this is a local file inclusion attack. The tester is trying to include a local file on the server, which could lead to unauthorized access or even remote code execution.
upvoted 0 times
...
Laurena
2 months ago
Hmm, I'm not so sure. It could also be an insecure direct object reference attack, where the tester is trying to access a sensitive file by manipulating the 'id' parameter.
upvoted 0 times
...
Elden
2 months ago
Whoa, the tester is definitely trying a directory traversal attack here. That URL looks like it's trying to access the /etc/passwd file on the server, which is a classic move.
upvoted 0 times
Latonia
25 days ago
The web application should have proper input validation to prevent these types of attacks. It's important to always be vigilant against security threats.
upvoted 0 times
...
Jamal
29 days ago
It's a common tactic to try to access the /etc/passwd file to gather information about the server and its users.
upvoted 0 times
...
Samuel
1 months ago
That's right, it's a directory traversal attack. The tester is trying to move up multiple directories to access sensitive files.
upvoted 0 times
...
...
Nobuko
2 months ago
I think it's important for the tester to report this vulnerability to the web application owner for proper mitigation.
upvoted 0 times
...
Gracia
2 months ago
I believe it could also be a Local File Inclusion attack, as the command includes the /etc/passwd file.
upvoted 0 times
...
Martha
2 months ago
I agree with Kristeen, the command looks like it's trying to access files outside the intended directory.
upvoted 0 times
...
Kristeen
2 months ago
I think the penetration tester is performing a Directory Traversal attack.
upvoted 0 times
...

Save Cancel