New Year Special Sale Limited Time 70% Discount Offer - Ends in 1d 0h 41m 4s - Coupon code: scxmas70

PT0-003 Exam Dumps - CompTIA PenTest+ Exam

Go to page:
Question # 33

During a web application assessment, a penetration tester identifies an input field that allows JavaScript injection. The tester inserts a line of JavaScript that results in a prompt, presenting a text box when browsing to the page going forward. Which of the following types of attacks is this an example of?

A.

SQL injection

B.

SSRF

C.

XSS

D.

Server-side template injection

Full Access
Question # 34

During an engagement, a penetration tester found some weaknesses that were common across the customer’s entire environment. The weaknesses included the following:

    Weaker password settings than the company standard

    Systems without the company's endpoint security software installed

    Operating systems that were not updated by the patch management system

Which of the following recommendations should the penetration tester provide to address the root issue?

A.

Add all systems to the vulnerability management system.

B.

Implement a configuration management system.

C.

Deploy an endpoint detection and response system.

D.

Patch the out-of-date operating systems.

Full Access
Question # 35

A penetration tester is evaluating a SCADA system. The tester receives local access to a workstation that is running a single application. While navigating through the application, the tester opens a terminal window and gains access to the underlying operating system. Which of the following attacks is the tester performing?

A.

Kiosk escape

B.

Arbitrary code execution

C.

Process hollowing

D.

Library injection

Full Access
Question # 36

In a cloud environment, a security team discovers that an attacker accessed confidential information that was used to configure virtual machines during their initialization. Through which of the following features could this information have been accessed?

A.

IAM

B.

Block storage

C.

Virtual private cloud

D.

Metadata services

Full Access
Question # 37

A penetration tester is performing network reconnaissance. The tester wants to gather information about the network without causing detection mechanisms to flag the reconnaissance activities. Which of the following techniques should the tester use?

A.

Sniffing

B.

Banner grabbing

C.

TCP/UDP scanning

D.

Ping sweeps

Full Access
Question # 38

A penetration tester identifies an exposed corporate directory containing first and last names and phone numbers for employees. Which of the following attack techniques would be the most effective to pursue if the penetration tester wants to compromise user accounts?

A.

Smishing

B.

Impersonation

C.

Tailgating

D.

Whaling

Full Access
Question # 39

During a penetration test, the tester gains full access to the application's source code. The application repository includes thousands of code files. Given that the assessment timeline is very short, which of the following approaches would allow the tester to identify hard-coded credentials most effectively?

A.

Run TruffleHog against a local clone of the application

B.

Scan the live web application using Nikto

C.

Perform a manual code review of the Git repository

D.

Use SCA software to scan the application source code

Full Access
Go to page: