A vulnerability scan flags the id parameter of the internal endpoint /api/orders as possible SQL injection. Before including the finding in the final report, the tester wants to independently verify that the parameter is actually exploitable. Which of the following approaches BEST meets the goal of using scripting to validate the scan result?
Search the web framework's release notes to see whether SQL injection issues were recently patched.
Import the Nessus finding into Burp Suite and mark it confirmed because both tools report the same issue.
Create a Python script that loops through tailored SQL-injection payloads, sends them to /api/orders, and analyzes each HTTP response for errors, time delays, or leaked data.
Compare today's Nessus report with archived reports from the previous quarter to look for recurring findings.
Writing and running a short script that repeatedly sends crafted SQL-injection payloads allows the tester to observe error messages, time delays, or unexpected data in the responses-direct evidence that the endpoint is vulnerable. Reviewing old scan reports, vendor release notes, or assuming parity between two scanners does not actively prove exploitation in the current environment.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the purpose of crafting a custom program for testing endpoints?
Open an interactive chat with Bash
Why are vendor bulletins not sufficient for confirming issues?
Open an interactive chat with Bash
What are the limitations of analyzing only existing logs or automated scan data?