The SecOps Group Certified AppSec Practitioner CAP Exam Practice Test

Answer : B

The HTTP request is a GET to /help.php with a parameter file=../../../etc/passwd. Let's analyze the vulnerability:

The file parameter includes ../ sequences, which are used to navigate up the directory structure (.. moves up one directory level). The request attempts to access /etc/passwd, a sensitive system file on Linux servers that contains user information.

This is indicative of a Path Traversal Vulnerability (also known as Directory Traversal), where an attacker manipulates file paths to access unauthorized files outside the intended directory. If the server does not sanitize or restrict the file parameter, it may serve the contents of /etc/passwd, leading to sensitive information disclosure.

Option A ('Cross-Site Request Forgery Vulnerability'): CSRF involves tricking a user into making an unintended request, typically via a malicious form or link. This request does not indicate CSRF; it's a direct attempt to manipulate file access, so this is incorrect.

Option B ('Path Traversal Vulnerability'): As explained, the ../ sequences in the file parameter are a clear attempt at path traversal, making this the correct answer.

Option C ('Code Injection Vulnerability'): Code injection involves executing malicious code (e.g., PHP, SQL), but this request aims to read a file, not execute code, so this is incorrect.

Option D ('All of the above'): Since only Path Traversal applies, this is incorrect.

The correct answer is B, aligning with the CAP syllabus under 'Path Traversal' and 'OWASP Top 10 (A05:2021 - Security Misconfiguration).'

Answer : C

GraphQL Introspection is a built-in feature of GraphQL that allows clients to query the schema of a GraphQL API at runtime. This process involves sending introspection queries (e.g., __schema or __type) to retrieve information about the API's structure, including available types, fields, queries, mutations, and their relationships. This capability is powerful for developers to explore and document APIs but poses a security risk if left enabled in production, as attackers can use it to map out the entire API structure and identify potential attack vectors.

Option A ('A technique for testing the compatibility of the GraphQL API with other systems'): Incorrect, as introspection is about schema discovery, not compatibility testing.

Option B ('A technique for testing the performance of the GraphQL API'): Incorrect, as performance testing involves load or stress testing, not schema exploration.

Option C ('A technique for discovering the structure of the GraphQL API'): Correct, as introspection is specifically designed to expose the API's schema and structure.

Option D ('A technique for testing the security of the GraphQL API'): Incorrect, as security testing is a separate process; introspection itself is a feature, not a security test.

The correct answer is C, aligning with the CAP syllabus under 'GraphQL Security' and 'API Introspection.'

Answer : D

Let's evaluate the two statements about NoSQL injection:

Statement A: NoSQL databases (e.g., MongoDB, Cassandra) are designed for scalability and flexibility, often sacrificing strict consistency for performance (e.g., eventual consistency in distributed systems). Unlike traditional SQL databases, they do not enforce rigid relational constraints, which simplifies scaling but does not eliminate the risk of injection attacks. Even without SQL syntax, NoSQL databases are vulnerable to injection if user input is not sanitized (e.g., in MongoDB, injecting $where or $ne operators). This statement is true.

Statement B: NoSQL database queries are typically written in the application's programming language (e.g., JavaScript for MongoDB), using a custom API (e.g., MongoDB's query API), or formatted in standards like JSON, XML, or LINQ. For example, a MongoDB query might look like db.collection.find({ 'key': input }), where input is a JSON-like structure. This statement accurately describes how NoSQL queries are constructed and is true.

Option A ('A is true, and B is false'): Incorrect, as both statements are true.

Option B ('A is false, and B is true'): Incorrect, as both statements are true.

Option C ('Both A and B are false'): Incorrect, as both statements are true.

Option D ('Both A and B are true'): Correct, as both statements accurately describe NoSQL databases and their vulnerability to injection.

The correct answer is D, aligning with the CAP syllabus under 'NoSQL Injection' and 'Database Security.'

Answer : C

The HTTP request is a POST to /changepassword with a session cookie (JSESSIONID) and parameters new_password and confirm_password. Let's evaluate each option:

Option A ('The change password feature does not validate the user'): The request includes a JSESSIONID cookie, which typically indicates that the user is authenticated via a session. There's no evidence that user validation is absent, so this is not correct.

Option B ('The change password feature uses basic authorization'): Basic authorization would involve an Authorization: Basic header with a Base64-encoded username and password, which is not present here. The authentication appears to be session-based (via cookie), not basic auth, so this is incorrect.

Option C ('The change password feature is vulnerable to Cross-Site Request Forgery attack'): Cross-Site Request Forgery (CSRF) occurs when a malicious site tricks a user's browser into making an unintended request to another site where the user is authenticated. This request lacks a CSRF token (e.g., a unique, unpredictable token in the request body or header) to verify the request's legitimacy. The Sec-Fetch-Site: same-origin header indicates the request is currently from the same origin, but this is a browser feature, not a server-side CSRF protection. Without a CSRF token, the endpoint is vulnerable to CSRF, as an attacker could craft a malicious form on another site to submit this request on behalf of the user. This is the correct answer.

Option D ('All of the above'): Since A and B are incorrect, D cannot be correct.

The correct answer is C, aligning with the CAP syllabus under 'Cross-Site Request Forgery (CSRF)' and 'OWASP Top 10 (A08:2021 - Software and Data Integrity Failures).'

Answer : B

The scenario describes an e-commerce website where a user can view order details by manipulating the order_id parameter in the URL (e.g., https://example.com/order_id=53870). A security researcher found that changing the order_id allows access to arbitrary orders and sensitive data, indicating an authorization issue. This is not a simple input validation problem (e.g., SQL injection or path traversal), as the input (order_id) is processed, but the system fails to enforce proper access controls. This is a classic case of Insecure Direct Object Reference (IDOR), where an attacker can access resources by guessing or manipulating identifiers without proper authorization checks. The root cause is a weak authorization mechanism, likely tied to poor session management or privilege validation, allowing unauthorized users to view others' data.

Option A ('The root cause of the problem is a lack of input validation...'): Incorrect, as the issue is not about invalid input (e.g., malicious code) but about unauthorized access to valid data. Whitelisting might help sanitize input, but it doesn't address authorization.

Option B ('The root cause of the problem is a weak authorization (Session Management)...'): Correct, as the problem stems from inadequate authorization checks. Validating user privileges (e.g., ensuring the user can only access their own orders) or improving session management (e.g., tying orders to user sessions) can fix this IDOR vulnerability.

Option C ('The problem can be solved by implementing a Web Application Firewall (WAF)'): Incorrect as a standalone solution, as WAFs mitigate certain attacks (e.g., SQLi, XSS) but are not a substitute for fixing authorization logic. A WAF might detect patterns but won't enforce proper access control.

Option D ('None of the above'): Incorrect, as Option B accurately identifies the root cause and solution.

The correct answer is B, aligning with the CAP syllabus under 'Authorization and Access Control' and 'OWASP Top 10 (A04:2021 - Insecure Design).'

Answer : C

Cross-Origin Resource Sharing (CORS) is a security mechanism that allows servers to specify which origins can access their resources, relaxing the Same-Origin Policy (SOP) for legitimate cross-origin requests. CORS uses specific HTTP headers to control this access. The key header for controlling access to resources is Access-Control-Allow-Origin, which specifies which origins are permitted to access the resource. However, among the provided options, the closest related header is Access-Control-Allow-Headers, which is part of the CORS standard and controls which request headers can be used in the actual request (e.g., during a preflight OPTIONS request).

Option A ('Access-Control-Request-Method'): This header is sent by the client in a preflight request to indicate the HTTP method (e.g., GET, POST) that will be used in the actual request. It is not used by the server to control access.

Option B ('Access-Control-Request-Headers'): This header is sent by the client in a preflight request to list the headers it plans to use in the actual request. It is not used by the server to control access.

Option C ('Access-Control-Allow-Headers'): This header is sent by the server in response to a preflight request, specifying which headers are allowed in the actual request. While Access-Control-Allow-Origin is the primary header for controlling access, Access-Control-Allow-Headers is part of the CORS standard to manage header-based access control, making this the best match among the options.

Option D ('None of the above'): Incorrect, as Access-Control-Allow-Headers is a CORS header.

The correct answer is C, aligning with the CAP syllabus under 'CORS Security' and 'HTTP Headers.'

Answer : C

The screenshot shows an HTTP POST request to /upload.php with a multipart/form-data payload, where the attacker uploads a file named malicious.php disguised as an image/jpeg but containing PHP code (<?php phpinfo(); ?>). This indicates an attempt to exploit a File Upload Vulnerability. Such vulnerabilities occur when an application allows users to upload files without proper validation or sanitization, enabling attackers to upload malicious scripts (e.g., PHP) that can be executed on the server. In this case, if the server executes the uploaded malicious.php, it could expose server information via phpinfo() or perform other malicious actions.

Option A ('HTTP Desync Attack') involves manipulating HTTP request pipelines, which is not relevant here as the request appears standard. Option B ('File Path Traversal Attack') involves accessing unauthorized files using ../, which is not evident in this request. Option D ('Server-Side Request Forgery') involves tricking the server into making unintended requests, which does not apply to file uploads. Thus, C is the correct answer, aligning with the CAP syllabus under 'File Handling Security' and 'OWASP Top 10 (A05:2021 - Security Misconfiguration).'