Free Top CompTIA Pentest+ PT0-003 Actual Exam Questions - Question 10 Discussion

Question No. 10

During an assessment, a penetration tester sends the following request:

POST /services/v1/users/create HTTP/1.1
Host: target-application.com
Content-Type: application/json
Content-Length: [dynamic]
Authorization: Bearer (FUZZ)

Which of the following attacks is the penetration tester performing?
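The fuzzing the request above describes, as an added example that is not part of the exam question or of any commenter's post: a small Python script that replaces (FUZZ) with each value from a wordlist, sends the same POST to /services/v1/users/create, and reports the tokens whose response differs from a known-garbage baseline. The stand-in API server, the accepted token s3cr3t-admin-token, and the wordlist CANDIDATES are all constructed here so the script runs offline; nothing is taken from target-application.com.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

API_PATH = "/services/v1/users/create"  # path from the captured request
VALID_TOKEN = "s3cr3t-admin-token"      # assumed: the only token the stand-in accepts

# Constructed wordlist standing in for FUZZ: common weak/placeholder values plus
# one "leaked" token, so a run shows both misses and a hit.
CANDIDATES = ["", "null", "undefined", "admin", "test", "changeme", "s3cr3t-admin-token"]


class StandInUsersApi(BaseHTTPRequestHandler):
    """Constructed stand-in for target-application.com; answers with status codes only."""

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # consume the body
        auth = self.headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if self.path != API_PATH:
            status = 404
        elif not token:
            status = 401  # no credential presented
        elif token != VALID_TOKEN:
            status = 403  # credential presented but rejected
        else:
            status = 201  # user created
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the fuzz run quiet
        pass


def start_stand_in():
    """Serve the stand-in API on an ephemeral localhost port; return the server."""
    srv = HTTPServer(("127.0.0.1", 0), StandInUsersApi)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# Ignore http_proxy/https_proxy from the environment so localhost traffic stays local.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def send_create(base_url, token):
    """Send the request from the question with FUZZ replaced by token; return the status."""
    body = json.dumps({"username": "fuzz-probe", "role": "user"}).encode()
    req = urllib.request.Request(base_url + API_PATH, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    # urllib computes Content-Length from the body, i.e. the "[dynamic]" value.
    if token is not None:  # None means: omit the Authorization header entirely
        req.add_header("Authorization", "Bearer " + token)
    try:
        with _opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def fuzz_bearer(base_url, candidates):
    """Try every candidate in the Authorization header; map token -> HTTP status."""
    return {tok: send_create(base_url, tok) for tok in candidates}


def interesting(results, baseline):
    """Tokens whose status differs from the garbage-token baseline: the ones worth a look."""
    return {tok: status for tok, status in results.items() if status != baseline}


if __name__ == "__main__":
    srv = start_stand_in()
    base = f"http://127.0.0.1:{srv.server_port}"
    baseline = send_create(base, "definitely-not-a-real-token")
    for tok, status in interesting(fuzz_bearer(base, CANDIDATES), baseline).items():
        print(f"{status}  Authorization: Bearer {tok!r}")
    srv.shutdown()
```

The baseline comparison is the whole trick: a real fuzz run produces thousands of near-identical responses, and what the tester reads is the handful that differ. Here the empty token surfaces because the API answers 401 instead of 403, which tells the tester the server distinguishes "no credential" from "bad credential", and the leaked token surfaces as a 201. Against a real target, add rate limiting and a short sleep between requests, and only run this within the scope of a written engagement.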

Sam R.
2026-02-21

B/D? The request targets an API endpoint with a fuzzed token, which fits API abuse. But if the tester aims to exploit token weaknesses to gain higher access, it edges toward privilege escalation.

0
Sam R.
2026-02-17

B. Fuzzing the Authorization header is classic API abuse, trying to find weak tokens or bypass controls. It's not about server-side request forgery or directory traversal, since the path is straightforward.

0
Sam R.
2026-02-16

Option B makes sense here because the tester is fuzzing the Authorization token in the header, which typically targets API access controls to find weaknesses. It’s not really about directory traversal since the path looks legit, and it’s not SSRF because there’s no indication of the server making an outgoing request. Privilege escalation would require a step further, like trying to use a valid token to gain higher rights, but this looks more like probing the API’s authentication mechanism itself.

0
Osama B.
2026-02-13

Maybe B, since fuzzing the Authorization token points to testing API access controls.

0
Marco V.
2026-01-21

B. The tester is fuzzing the Authorization header with different tokens to find flaws in API access control, which fits API abuse better than the other options.

0
Mark Q.
2026-01-15

B, looks like testing an API endpoint with different tokens for abuse.

0