
Exam CAS-003 topic 1 question 480 discussion

Actual exam question from CompTIA's CAS-003
Question #: 480
Topic #: 1

SIMULATION -
A product development team has submitted code snippets for review prior to release.

INSTRUCTIONS -
Analyze the code snippets, and then select one vulnerability and one fix for each code snippet.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Code Snippet 1 -
(snippet shown as an image on the original page; not reproduced here)

Code Snippet 2 -
(snippet shown as an image on the original page; not reproduced here)
Suggested Answer: See explanation below.



Comments

quagga
3 years, 3 months ago
The answers seem to be wrong!
upvoted 1 times
DrDoMe
3 years, 3 months ago
So what's your answer?
upvoted 2 times
quagga
3 years, 2 months ago
Won't using prepared statements already protect against SQL injection? What's the vulnerability here in code snippet 1?
upvoted 1 times
AaronS1990
1 year, 8 months ago
You really haven't got a clue, have you?
upvoted 1 times
tefyayaydu
1 year, 4 months ago
Quagga is correct, that's exactly what bind parameters do with JDBC. Input sanitization is still the correct answer as all input from a user should be validated. This answer is not assuming the tester is a developer.
upvoted 1 times
arawaco
3 years, 5 months ago
Code snippet 1 is an easy (and antique) way to pass parameters to the server, and the most basic way to do a SQL injection: https://www.geeksforgeeks.org/sql-injection-2/ So the fix is to perform input sanitization. Code snippet 2 is a little harder to find than snippet 1. The code seems to be written on the client. The HTTP GET request method is used to request a resource from the server, but you can send any HTTP headers with your GET request and send user authentication data in the Authorization header. So the fix is to prevent the «authenticated» value from being overridden by a GET parameter.
upvoted 1 times
arawaco
3 years, 5 months ago
As a complement: an HTTP GET request is allowing the data to be stolen. Sensitive data should never be requested using an HTTP GET request. An HTTP POST request should be used instead.
upvoted 1 times