CompTIA Updated PT0-002 Exam Questions and Answers by seb

When calculating the price of a penetration test service for a client, the most important aspect to consider is the required scope of work 1. The scope of work defines the objectives of the penetration test and the systems that will be tested. It is important to understand the scope of work to determine the resources required to complete the test and the time it will take to complete the test 2.

References: 2: CompTIA. (2021). CompTIA PenTest+ Certification Exam Objectives. Retrieved from https://www.comptia.org/content/dam/comptia/documents/certifications/Exam%20Objectives/CompTIA-PenTest%2B%20Exam%20Objectives%20PT0-002.pdf  1: O’Brien, D. (2021). The Official CompTIA PenTest+ Study Guide (Exam PT0-002). John Wiley & Sons.

The user-supplied data www.comptia.com/info.php?id=1 AND 1=1 is indicative of a Boolean-based SQL injection attack. In this attack, the attacker manipulates a SQL query by inserting additional SQL logic that will always evaluate to true (in this case, AND 1=1) to gain unauthorized access to database information. This type of attack exploits improper input validation in web applications to manipulate database queries. The other attack techniques listed (Time-based SQL injection, Stored cross-site scripting, Reflected cross-site scripting) involve different methodologies and are not demonstrated by the given user-supplied data.

A screenshot of a computer Description automatically generated

A static application-security test (SAST) is a type of software testing that analyzes the source code, bytecode or binary code of an application for potential vulnerabilities, such as injection flaws, cross-site scripting, buffer overflows and insecure data handling. A SAST report should provide the application developers with detailed information about the location, severity and impact of the identified vulnerabilities, as well as recommendations for remediation. One of the most important elements to include in a SAST report is the code context for each vulnerability, which shows the relevant code snippets where the issue occurs, as well as the data flow and control flow paths that lead to the vulnerability. This helps the developers understand the root cause of the problem and how to fix it. Code context is especially important for instances of unsafe typecasting operations, which are a common source of security weaknesses in applications. Typecasting is the process of converting one data type to another, such as from an integer to a string. Unsafe typecasting occurs when the conversion is done without proper validation or sanitization, which can lead to unexpected behavior, memory corruption, data loss or code execution. For example, in C/C++, casting a pointer to an incompatible type can result in undefined behavior or buffer overflows. Therefore, a SAST report should include the code context for instances of unsafe typecasting operations, so that the developers can review and correct them. References:

•The Official CompTIA PenTest+ Study Guide (Exam PT0-002), Chapter 6: Analyzing and Reporting Pen Test Results, page 329-330.

•Static Application Security Testing (SAST) | GitLab1

•What Is Static Application Security Testing (SAST)?2

•APPLICATION SECURITY TESTING REPORT 2020 - Code Intelligence3

•On the combination of static analysis for software security assessment …4