CompTIA Security+ Practice Test of the Day 260307

Question 1

A penetration tester is reviewing the source code of a custom web application deployed at a regional healthcare network. During the review, she notices that the application constructs database queries by directly concatenating user-supplied form input without any sanitization or parameterization. When she submits a single quote character into the patient search field, the application returns a verbose database error message revealing the underlying table structure. The application is running on a production server accessible from the public internet. What type of vulnerability has the penetration tester identified?

A. Cross-site scripting (XSS) B. Buffer overflow C. SQL injection (SQLi) D. Directory traversal

Question 2

A security analyst is reviewing logs from a Linux web server that hosts a financial reporting application. She notices that a process launched by the web server user account briefly accessed a configuration file owned by root, read its contents successfully, and then was denied access when it attempted the same operation 400 milliseconds later after a permission check was completed. The web server software had not been modified, and no patches are pending. Which vulnerability type BEST describes what the analyst has identified?

A. Memory injection B. Time-of-check/Time-of-use (TOC/TOU) race condition C. Privilege escalation via misconfiguration D. Malicious update

Question 3

During a red team engagement at a large manufacturing company, an attacker gains limited user-level access to a Windows workstation on the corporate network. The attacker identifies that a custom internal application runs as SYSTEM and periodically reads from a directory that the current user has write access to. The attacker places a specially crafted DLL file in that directory before the next scheduled execution of the application. Which vulnerability type is the attacker most likely exploiting?

A. Buffer overflow B. SQL injection C. Memory injection D. Privilege escalation

Question 4

A security engineer at a software company discovers that one of the organization's mobile applications allows users to install third-party application packages directly from unofficial sources outside of the approved app store. The organization's MDM policy prohibits this behavior, but the feature has not been technically blocked on corporate-enrolled devices. An analyst confirms that several employees have installed unvetted applications using this method on their COPE devices. Which mobile device vulnerability BEST describes this situation?

A. Jailbreaking B. Side loading C. Resource reuse D. Misconfiguration

Question 5

A cloud security architect reviews a recently deployed containerized microservices environment hosted on a public cloud platform. A developer reports that one of the container workloads was able to access environment variables and filesystem paths belonging to a different container running on the same underlying host. The containers are managed by a shared orchestration platform, and no explicit network communication occurred between them. Which vulnerability type does this scenario BEST represent?

A. VM escape B. Resource reuse C. Cloud-specific misconfiguration D. Supply chain vulnerability

Question 6

An analyst at a cybersecurity firm is reviewing vulnerability scan results for a client's enterprise environment. One of the flagged findings indicates that a network-connected HVAC controller embedded in the building management system is running firmware from 2014 and has no available vendor updates. The device vendor went out of business in 2019, and no patches have been issued since. The device is still actively monitoring environmental controls in a data center. Which TWO vulnerability types BEST describe the risks associated with this device? (Choose the answer option that captures both.)

A. Zero-day and supply chain vulnerability B. End-of-life hardware and legacy vulnerability C. Misconfiguration and cryptographic vulnerability D. Firmware vulnerability and resource reuse

Question 7

During a security assessment, a consultant discovers that an organization's internal developer portal accepts file uploads that are processed server-side. By uploading a PHP script disguised as an image file, the consultant is able to navigate directly to the uploaded file's URL and execute arbitrary commands on the web server. The application does not validate the MIME type or file extension on the server side, and the upload directory is within the web root. Which application vulnerability type does this scenario BEST represent?

A. Cross-site scripting (XSS) B. Directory traversal C. Web-based injection via malicious file upload D. Buffer overflow

Question 8

A threat intelligence analyst is reviewing a vendor advisory that describes a newly disclosed vulnerability in a widely used enterprise VPN client. The vendor has confirmed the vulnerability exists and is actively being exploited in the wild, but has not yet released a patch. The analyst's organization uses this VPN client across its entire remote workforce of 4,000 employees. Which vulnerability type BEST describes this situation from the perspective of SY0-701 objective 2.3?

A. Supply chain vulnerability B. OS-based vulnerability C. Zero-day vulnerability D. Cryptographic vulnerability

Question 9

A developer at a financial technology company is conducting a code review of a legacy C++ application that handles wire transfer requests. She notices a function that copies user-supplied transaction reference strings into a fixed-size stack buffer using strcpy() without any length validation. During testing, she confirms that supplying a reference string longer than 256 characters causes the application to crash and overwrites the return address on the stack. Which application vulnerability type does this BEST represent?

A. Memory injection B. Race condition C. Buffer overflow D. SQL injection

Question 10

An enterprise architect is designing a new cloud-hosted SaaS platform and raises a concern about the use of a third-party authentication library that was last updated 18 months ago. A recently published CVE indicates that an older version of this library contains a flaw that allows authentication tokens to be forged under specific conditions. The development team has not yet assessed whether the version in use is affected, and the library is deeply embedded in the application codebase. Which combination of vulnerability types from SY0-701 objective 2.3 is MOST applicable to this scenario?

A. Zero-day and OS-based vulnerability B. Supply chain (software provider) and cryptographic vulnerability C. Misconfiguration and resource reuse D. Web-based injection and memory injection

CompTIA Security+ Practice Test of the Day 260307

ByThe Test Master

Related Post

CompTIA Security+ Practice Test of the Day 260410

CompTIA Security+ Practice Test of the Day 260409

CompTIA Security+ Practice Test of the Day 260408

Leave a Reply Cancel reply

You missed

CEH v13 Domain 3.3 Practice Test 002

CEH v13 Domain 3.2 Practice Test 002

CEH v13 Domain 3.1 Practice Test 002

CEH v13 Domain 2.3 Practice Test 002