The SecOps Group CAP Certified AppSec Practitioner Exam Practice Test

Answer : B

The scenario describes an e-commerce website where a user can view order details by manipulating the order_id parameter in the URL (e.g., https://example.com/order_id=53870). A security researcher found that changing the order_id allows access to arbitrary orders and sensitive data, indicating an authorization issue. This is not a simple input validation problem (e.g., SQL injection or path traversal), as the input (order_id) is processed, but the system fails to enforce proper access controls. This is a classic case of Insecure Direct Object Reference (IDOR), where an attacker can access resources by guessing or manipulating identifiers without proper authorization checks. The root cause is a weak authorization mechanism, likely tied to poor session management or privilege validation, allowing unauthorized users to view others' data.

Option A ('The root cause of the problem is a lack of input validation...'): Incorrect, as the issue is not about invalid input (e.g., malicious code) but about unauthorized access to valid data. Whitelisting might help sanitize input, but it doesn't address authorization.

Option B ('The root cause of the problem is a weak authorization (Session Management)...'): Correct, as the problem stems from inadequate authorization checks. Validating user privileges (e.g., ensuring the user can only access their own orders) or improving session management (e.g., tying orders to user sessions) can fix this IDOR vulnerability.

Option C ('The problem can be solved by implementing a Web Application Firewall (WAF)'): Incorrect as a standalone solution, as WAFs mitigate certain attacks (e.g., SQLi, XSS) but are not a substitute for fixing authorization logic. A WAF might detect patterns but won't enforce proper access control.

Option D ('None of the above'): Incorrect, as Option B accurately identifies the root cause and solution.

The correct answer is B, aligning with the CAP syllabus under 'Authorization and Access Control' and 'OWASP Top 10 (A04:2021 - Insecure Design).'

Answer : A

Salting is a security technique used in password hashing to enhance protection against specific types of attacks. A salt is a random value added to a password before hashing, ensuring that even if two users have the same password, their hashed outputs will differ. The primary objective of salting is to defend against dictionary attacks and rainbow table attacks. Dictionary attacks involve trying common passwords from a precomputed list, while rainbow table attacks use precomputed tables of hash values to reverse-engineer passwords quickly. By adding a unique salt to each password, the hash becomes unique, rendering precomputed rainbow tables ineffective, as an attacker would need to generate a new table for each salt, which is computationally impractical.

Option B ('To slow down the hash calculation process') is incorrect because while techniques like key stretching (e.g., using PBKDF2 or bcrypt) intentionally slow hashing to counter brute-force attacks, salting itself does not primarily aim to slow the process---it focuses on uniqueness. Option C ('To generate a long password hash that is difficult to crack') is a byproduct of salting but not the primary objective; the length and difficulty come from the hash function and salt combination, not salting alone. Option D ('To add a secret message to the password hash') is incorrect, as a salt is not a secret message but a random value, often stored alongside the hash. This aligns with best practices in authentication security, a key component of the CAP syllabus.

Answer : D

In WordPress, the file that stores database connection details, including the database name, username, password, and host, is wp-config.php. This file is located in the root directory of a WordPress installation and is critical for configuring the connection to the MySQL database. It contains constants like DB_NAME, DB_USER, DB_PASSWORD, and DB_HOST, which must be protected from unauthorized access to prevent database compromise.

Option A ('wp-configuration.php'): A common misspelling; the correct file name lacks the extra 'ation.'

Option B ('wp-conf.php'): This is not a valid WordPress file name.

Option C ('wp-secret.php'): This is not a standard WordPress file.

Option D ('wp-config.php'): The correct and official file name used by WordPress.

The correct answer is D, aligning with the CAP syllabus under 'Configuration Management' and 'Application Security.'

Answer : C

A safe password must adhere to security best practices, including sufficient length, complexity, and resistance to common attacks (e.g., brute force, dictionary attacks). Let's evaluate each option:

Option A ('Monday@123'): This password is weak because it combines a common word ('Monday') with a simple number and symbol pattern. It is vulnerable to dictionary attacks and does not meet complexity requirements (e.g., mixed case, special characters, and randomness).

Option B ('abcdef'): This is a sequence of letters with no numbers, special characters, or uppercase letters. It is extremely weak and easily guessable, making it unsafe.

Option C ('Sq0Jh819%ak'): This password is considered safe because it is at least 10 characters long, includes a mix of uppercase letters (S, J, H), lowercase letters (q, h, a, k), numbers (0, 8, 9, 1), and a special character (%). It lacks predictable patterns and meets modern password policy standards (e.g., NIST SP 800-63B recommends at least 8 characters with complexity).

Option D ('1234567890'): This is a simple numeric sequence, highly predictable, and vulnerable to brute-force attacks, making it unsafe.

The correct answer is C, as it aligns with secure password creation guidelines, a key topic in the CAP syllabus under 'Authentication Security' and 'Secure Coding Practices.'

Answer : C

GraphQL Introspection is a built-in feature of GraphQL that allows clients to query the schema of a GraphQL API at runtime. This process involves sending introspection queries (e.g., __schema or __type) to retrieve information about the API's structure, including available types, fields, queries, mutations, and their relationships. This capability is powerful for developers to explore and document APIs but poses a security risk if left enabled in production, as attackers can use it to map out the entire API structure and identify potential attack vectors.

Option A ('A technique for testing the compatibility of the GraphQL API with other systems'): Incorrect, as introspection is about schema discovery, not compatibility testing.

Option B ('A technique for testing the performance of the GraphQL API'): Incorrect, as performance testing involves load or stress testing, not schema exploration.

Option C ('A technique for discovering the structure of the GraphQL API'): Correct, as introspection is specifically designed to expose the API's schema and structure.

Option D ('A technique for testing the security of the GraphQL API'): Incorrect, as security testing is a separate process; introspection itself is a feature, not a security test.

The correct answer is C, aligning with the CAP syllabus under 'GraphQL Security' and 'API Introspection.'

Answer : A

The code snippet is a Python script that takes user input for a filename, constructs a path by concatenating it with /var/www/html/files/, reads the file content, and prints it. The vulnerability arises because the filename variable is directly used in the path without sanitization or validation, allowing an attacker to manipulate it.

Path Traversal Vulnerability: An attacker can input a value like ../../etc/passwd to navigate outside the intended /var/www/html/files/ directory and access sensitive system files (e.g., /etc/passwd). Since the open() function will attempt to access the resulting path, this is a clear case of Path Traversal if the application runs with sufficient permissions.

Remote Code Execution (RCE): RCE would require the ability to execute arbitrary code, which is not directly possible here. The script only reads files, not executes them, unless the file contains executable code and the server interprets it (e.g., a PHP file on a web server), but this is not implied by the code alone.

Option A ('Path Traversal'): Correct, as the lack of input validation makes the code vulnerable to Path Traversal attacks.

Option B ('Remote Code Execution'): Incorrect, as the code does not execute the file content; it only reads it.

Option C ('Both A and B'): Incorrect, as RCE is not applicable here.

Option D ('None of the above'): Incorrect, as Path Traversal is a valid vulnerability.

The correct answer is A, aligning with the CAP syllabus under 'Path Traversal Attacks' and 'Input Validation.'

Answer : B

The vulnerability described is an Insecure Direct Object Reference (IDOR), where manipulating the order_id (e.g., 53870) allows unauthorized access to other users' orders. The fixes proposed by Bob and John aim to obscure the numeric value of order_id to prevent easy guessing or manipulation:

Bob's Fix (SHA1 Hash): Replaces order_id=53870 with order_id=1ff0fe6f1599536d1326418124a261bc98b8ea1 (SHA1 hash of 53870). While this obscures the original value, an attacker can still attempt to hash potential order IDs (e.g., 53871, 53872) and test them in the URL. If the application directly uses the hash to look up the order without validating the user's authorization, the vulnerability persists. SHA1 is a one-way hash, but it does not inherently enforce access control.

John's Fix (Base64 Encoding): Replaces order_id=53870 with order_id=NTM4NzA= (Base64 encoding of 53870). Base64 is a reversible encoding, and an attacker can easily decode NTM4NzA= back to 53870 using standard tools. If the application decodes it and uses the original value to fetch orders without authorization checks, the IDOR vulnerability remains.

Evaluation: Both fixes address the symptom (disclosing the numeric value) but fail to address the root cause: lack of authorization validation. The application must ensure that only the authenticated user can access their own orders, regardless of the order_id format (numeric, hashed, or encoded). Neither fix includes such a check, so the vulnerability persists.

Option A ('Both solutions are adequate to fix the problem'): Incorrect, as neither solution enforces authorization.

Option B ('Both solutions are inadequate and the vulnerability is still not fixed'): Correct, as both SHA1 hashing and Base64 encoding are superficial changes that do not prevent unauthorized access.

Option C ('Only John's solution fixes the problem'): Incorrect, as John's Base64 encoding is reversible and does not fix the IDOR issue.

Option D ('Only Bob's solution fixes the problem'): Incorrect, as Bob's SHA1 hashing also does not address the authorization flaw.

The correct answer is B, aligning with the CAP syllabus under 'Insecure Direct Object Reference (IDOR)' and 'Access Control Best Practices.'