試験PT0-003 トピック1 問題199 スレッド
CompTIA PT0-003のリアル試験問題集
問題 #: 199
トピック #: 1
問題 #: 199
トピック #: 1
In a file stored in an unprotected source code repository, a penetration tester discovers the following line of code:
sshpass -p donotchange ssh [email protected]
Which of the following should the tester attempt to do next to take advantage of this information? (Select two).
sshpass -p donotchange ssh [email protected]
Which of the following should the tester attempt to do next to take advantage of this information? (Select two).
おすすめの解答:B,C 解答を投票する
When a penetration tester discovers hard-coded credentials in a file within an unprotected source code repository, the next steps should focus on documentation and further investigation to identify additional security issues.
Taking a Screen Capture (Option B):
Documentation: It is essential to document the finding for the final report. A screen capture provides concrete evidence of the discovered hard-coded credentials.
Audit Trail: This ensures that there is a record of the vulnerability and can be used to communicate the issue to stakeholders, such as the development team or the client.
Investigating for Other Embedded Passwords (Option C):
Thorough Search: Finding one hard-coded password suggests there might be others. A thorough investigation can reveal additional credentials, which could further compromise the security of the system.
Automation Tools: Tools like truffleHog, git-secrets, and grep can be used to scan the repository for other instances of hard-coded secrets.
Pentest References:
Initial Discovery: Discovering hard-coded credentials often occurs during source code review or automated scanning of repositories.
Documentation: Keeping detailed records of all findings is a critical part of the penetration testing process.
This ensures that all discovered vulnerabilities are reported accurately and comprehensively.
Further Investigation: After finding a hard-coded credential, it is best practice to look for other security issues within the same repository. This might include other credentials, API keys, or sensitive information.
Steps to Perform:
Take a Screen Capture:
Use a screenshot tool to capture the evidence of the hard-coded credentials. Ensure the capture includes the context, such as the file path and relevant code lines.
Investigate Further:
Use tools and manual inspection to search for other embedded passwords.
Commands such as grep can be helpful:
grep -r 'password' /path/to/repository
Tools like truffleHog can search for high entropy strings indicative of secrets:
trufflehog --regex --entropy=True /path/to/repository
By documenting the finding and investigating further, the penetration tester ensures a comprehensive assessment of the repository, identifying and mitigating potential security risks effectively.
Taking a Screen Capture (Option B):
Documentation: It is essential to document the finding for the final report. A screen capture provides concrete evidence of the discovered hard-coded credentials.
Audit Trail: This ensures that there is a record of the vulnerability and can be used to communicate the issue to stakeholders, such as the development team or the client.
Investigating for Other Embedded Passwords (Option C):
Thorough Search: Finding one hard-coded password suggests there might be others. A thorough investigation can reveal additional credentials, which could further compromise the security of the system.
Automation Tools: Tools like truffleHog, git-secrets, and grep can be used to scan the repository for other instances of hard-coded secrets.
Pentest References:
Initial Discovery: Discovering hard-coded credentials often occurs during source code review or automated scanning of repositories.
Documentation: Keeping detailed records of all findings is a critical part of the penetration testing process.
This ensures that all discovered vulnerabilities are reported accurately and comprehensively.
Further Investigation: After finding a hard-coded credential, it is best practice to look for other security issues within the same repository. This might include other credentials, API keys, or sensitive information.
Steps to Perform:
Take a Screen Capture:
Use a screenshot tool to capture the evidence of the hard-coded credentials. Ensure the capture includes the context, such as the file path and relevant code lines.
Investigate Further:
Use tools and manual inspection to search for other embedded passwords.
Commands such as grep can be helpful:
grep -r 'password' /path/to/repository
Tools like truffleHog can search for high entropy strings indicative of secrets:
trufflehog --regex --entropy=True /path/to/repository
By documenting the finding and investigating further, the penetration tester ensures a comprehensive assessment of the repository, identifying and mitigating potential security risks effectively.
片冈** 2026-04-28 08:13:20
コメント
他人の解答コメントを賛成するのも、その解答に一票を入れることになります。したがって、すでに同じ意見の投票コメントが存在する場合、新規コメントをする代わりに賛成することもできます。
コメントを通報する
コメント中
今すぐ 新規登録 / ログイン (無料です)。