The SecOps Group Certified AppSec Practitioner CAP Exam Practice Test

Answer : A

When multiple domain names (e.g., www.ironman.com and www.hulk.com) resolve to the same IP address (e.g., 1.3.3.7), a web server hosting multiple applications on that IP must determine which application to serve. This is achieved using the HTTP 'Host' header, which is part of the HTTP/1.1 protocol. The client (browser) includes the requested domain (e.g., Host: www.ironman.com) in the request, allowing the server to route the request to the appropriate virtual host or application configured for that domain. This is a standard practice in virtual hosting.

Option A ('The web server inspects the HTTP 'Host' header sent by the client'): Correct, as the Host header enables the server to distinguish between applications on the same IP.

Option B ('The web server inspects the cookies sent by the client'): Incorrect, as cookies are used for session management or personalization, not for identifying the requested application.

Option C ('The web server inspects the client's SSL certificate'): Incorrect, as SSL certificates are used for encryption and authentication, not for application routing (though they may include the domain name for validation).

Option D ('The web server uses a reverse DNS lookup of the client's IP address'): Incorrect, as reverse DNS lookup resolves an IP to a domain, which is irrelevant for the server determining the requested application.

The correct answer is A, aligning with the CAP syllabus under 'Web Server Configuration' and 'HTTP Protocol Security.'

Answer : C

A safe password must adhere to security best practices, including sufficient length, complexity, and resistance to common attacks (e.g., brute force, dictionary attacks). Let's evaluate each option:

Option A ('Monday@123'): This password is weak because it combines a common word ('Monday') with a simple number and symbol pattern. It is vulnerable to dictionary attacks and does not meet complexity requirements (e.g., mixed case, special characters, and randomness).

Option B ('abcdef'): This is a sequence of letters with no numbers, special characters, or uppercase letters. It is extremely weak and easily guessable, making it unsafe.

Option C ('Sq0Jh819%ak'): This password is considered safe because it is at least 10 characters long, includes a mix of uppercase letters (S, J, H), lowercase letters (q, h, a, k), numbers (0, 8, 9, 1), and a special character (%). It lacks predictable patterns and meets modern password policy standards (e.g., NIST SP 800-63B recommends at least 8 characters with complexity).

Option D ('1234567890'): This is a simple numeric sequence, highly predictable, and vulnerable to brute-force attacks, making it unsafe.

The correct answer is C, as it aligns with secure password creation guidelines, a key topic in the CAP syllabus under 'Authentication Security' and 'Secure Coding Practices.'

Answer : B

A JSON Web Token (JWT) consists of three parts separated by dots (.): Header, Payload, and Signature. Each part is Base64Url-encoded. The given JWT is:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJUYW1I1joiU2vjbB3ZiNo_mn0vNWT4G1-ATqOTmo7rm70VI12WCdkMI_S1_bPg_G8

The first part (eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9) is the Header, which typically includes metadata like the algorithm (alg) and type (typ). Decoding it gives: {'alg':'HS256','typ':'JWT'}.

The second part (eyJUYW1I1joiU2vjbB3ZiNo_mn0vNWT4G1-ATqOTmo7rm70VI12WCdkMI_S1_bPg_G8) is the Payload, which contains claims (e.g., user data, expiration). The highlighted segment corresponds to this second part, making it the Payload. Decoding it (though incomplete due to truncation) would reveal claims in JSON format.

The third part (not fully shown) would be the Signature, used to verify the token's integrity.

Option A ('The highlighted segment of the token represents a JWT Header'): Incorrect, as the highlighted segment is the second part, which is the Payload.

Option B ('The highlighted segment of the token represents a JWT Payload'): Correct, as the highlighted segment is the Payload portion of the JWT.

Option C ('Both A and B are correct'): Incorrect, as only B is correct.

Option D ('None of the above'): Incorrect, as B is correct.

The correct answer is B, aligning with the CAP syllabus under 'JWT Security' and 'Token-Based Authentication.'

Answer : C

The HTTP request is a POST to /changepassword with a session cookie (JSESSIONID) and parameters new_password and confirm_password. Let's evaluate each option:

Option A ('The change password feature does not validate the user'): The request includes a JSESSIONID cookie, which typically indicates that the user is authenticated via a session. There's no evidence that user validation is absent, so this is not correct.

Option B ('The change password feature uses basic authorization'): Basic authorization would involve an Authorization: Basic header with a Base64-encoded username and password, which is not present here. The authentication appears to be session-based (via cookie), not basic auth, so this is incorrect.

Option C ('The change password feature is vulnerable to Cross-Site Request Forgery attack'): Cross-Site Request Forgery (CSRF) occurs when a malicious site tricks a user's browser into making an unintended request to another site where the user is authenticated. This request lacks a CSRF token (e.g., a unique, unpredictable token in the request body or header) to verify the request's legitimacy. The Sec-Fetch-Site: same-origin header indicates the request is currently from the same origin, but this is a browser feature, not a server-side CSRF protection. Without a CSRF token, the endpoint is vulnerable to CSRF, as an attacker could craft a malicious form on another site to submit this request on behalf of the user. This is the correct answer.

Option D ('All of the above'): Since A and B are incorrect, D cannot be correct.

The correct answer is C, aligning with the CAP syllabus under 'Cross-Site Request Forgery (CSRF)' and 'OWASP Top 10 (A08:2021 - Software and Data Integrity Failures).'

Answer : B

The HTTP request is a GET to /help.php with a parameter file=../../../etc/passwd. Let's analyze the vulnerability:

The file parameter includes ../ sequences, which are used to navigate up the directory structure (.. moves up one directory level). The request attempts to access /etc/passwd, a sensitive system file on Linux servers that contains user information.

This is indicative of a Path Traversal Vulnerability (also known as Directory Traversal), where an attacker manipulates file paths to access unauthorized files outside the intended directory. If the server does not sanitize or restrict the file parameter, it may serve the contents of /etc/passwd, leading to sensitive information disclosure.

Option A ('Cross-Site Request Forgery Vulnerability'): CSRF involves tricking a user into making an unintended request, typically via a malicious form or link. This request does not indicate CSRF; it's a direct attempt to manipulate file access, so this is incorrect.

Option B ('Path Traversal Vulnerability'): As explained, the ../ sequences in the file parameter are a clear attempt at path traversal, making this the correct answer.

Option C ('Code Injection Vulnerability'): Code injection involves executing malicious code (e.g., PHP, SQL), but this request aims to read a file, not execute code, so this is incorrect.

Option D ('All of the above'): Since only Path Traversal applies, this is incorrect.

The correct answer is B, aligning with the CAP syllabus under 'Path Traversal' and 'OWASP Top 10 (A05:2021 - Security Misconfiguration).'

Answer : A

SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties, particularly in the context of single sign-on (SSO). It is based on XML and is widely used to enable secure web-based authentication and authorization across different domains. The correct full form is Security Assertion Markup Language, where 'Assertion' refers to statements about a subject (e.g., identity, attributes), 'Markup' indicates the XML-based structure, and 'Language' denotes the defined syntax.

Option A ('Security Assertion Markup Language'): This is the correct and official full form of SAML as defined by OASIS (Organization for the Advancement of Structured Information Standards).

Option B ('Security Authorization Markup Language'): Incorrect, as 'Authorization' is not part of the acronym; SAML focuses on both authentication and authorization assertions.

Option C ('Security Assertion Management Language'): Incorrect, as 'Management' is not part of the acronym; SAML is about markup, not management.

Option D ('Secure Authentication Markup Language'): Incorrect, as 'Secure' is not part of the acronym, and SAML covers more than just authentication.

The correct answer is A, aligning with the CAP syllabus under 'Authentication and Authorization' and 'Single Sign-On (SSO) Standards.'

Answer : B

SQL injection vulnerabilities allow attackers to manipulate database queries, potentially accessing unauthorized data, including file contents, if the database supports such operations. In MySQL, the LOAD_FILE() function is specifically designed to read the contents of a file on the server where the database is hosted, provided the file exists, the database user has appropriate privileges (e.g., FILE privilege), and the file is readable. For example, SELECT LOAD_FILE('/etc/passwd') could extract the contents of the /etc/passwd file if exploitable.

Option A ('READ_FILE()'): This is not a valid MySQL function.

Option B ('LOAD_FILE()'): This is the correct function for reading file contents in MySQL, making it the right choice for exploitation.

Option C ('FETCH_FILE()'): This is not a recognized MySQL function.

Option D ('GET_FILE()'): This is also not a valid MySQL function.

The correct answer is B, aligning with the CAP syllabus under 'SQL Injection' and 'Database Security.'