The SecOps Group CAP Certified AppSec Practitioner Exam Exam Practice Test

This question is identical to Question 52, describing a scenario where a TLS certificate has expired, causing a TLS error message, and asking about the correct course of action. The analysis remains the same:

Option A ("There is no urgency to renew the certificate as the communication is still over TLS"): Incorrect. An expired TLS certificate invalidates the trust model, even if the connection technically uses TLS. Browsers will issue warnings, and users may bypass them, but the lack of a valid certificate compromises security, making renewal urgent.

Option B ("There is an urgency to renew the certificate as the users of the website may get conditioned to ignore TLS warnings and therefore ignore a legitimate warning which could be a real Man-in-the-Middle attack"): Correct. Repeated exposure to TLS warnings due to an expired certificate may desensitize users, increasing the risk that they ignore legitimate warnings from a Man-in-the-Middle (MitM) attack. Renewing the certificate promptly is essential to maintain security and user trust.

The correct answer is B, aligning with the CAP syllabus under "TLS Configuration" and "Certificate Management."References: SecOps Group CAP Documents - "TLS Security," "Certificate Expiry Management," and "OWASP Transport Layer Protection Cheat Sheet" sections.

The Same-Origin Policy (SOP) is a fundamental security mechanism in web browsers that restricts how a document or script loaded from one origin can interact with resources from another origin. An origin is defined by the combination ofprotocol,host, andport. Two pages have the same origin if their protocol (e.g., host (e.g., ), and port (default is 80 for HTTP) match exactly. The given URL is which uses HTTP, host and the default port 80.

Option 1 ("http://www.example.com/dir/other.html"): Matches the protocol (http), host ( ), and port (default 80), so it is in the same origin.

Option 2 ("http://www.example.com:81/dir/other.html"): Differs in port (81 vs. default 80), so it is a different origin.

Option 3 ("http://www.example.com/dir/other.html"): Identical to Option 1, matching protocol, host, and port, so it is in the same origin. However, since it’s a duplicate of Option 1 in the list, it doesn’t add a new page.

Option 4 ("http://en.example.com/dir/other.html"): Differs in host (en.example.com vs. ), so it is a different origin.

Since the question asks which pages are in the same origin, and only Option 1 (and its duplicate Option 3) matches, the correct answer is A ("1 Only"), considering unique pages. The CAP syllabus covers SOP under "Client-Side Security" and "Cross-Origin Resource Sharing (CORS)."References: SecOps Group CAP Documents - "Same-Origin Policy," "Browser Security Models," and "OWASP Client-Side Security" sections.

Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. These scripts execute in the context of the victim’s browser, enabling various exploitations. Let’s evaluate each option:

Option A ("Steal the user's session identifier stored on a non HttpOnly cookie"): This is possible with XSS. If a session cookie is not marked as HttpOnly (preventing JavaScript access), an attackercan use a script to access document.cookie and steal the session ID, leading to session hijacking.

Option B ("Steal the contents from the web page"): This is also possible. An XSS payload can manipulate the DOM, extract content (e.g., via innerHTML), and send it to the attacker, such as through a GET request to a malicious server.

Option C ("Steal the contents from the application's database"): This is not possible with XSS alone. XSS operates on the client side within the browser’s sandbox and cannot directly access the server-side database. Database access requires server-side vulnerabilities (e.g., SQL injection), which is a separate attack vector. Thus, this exploitation is not feasible through XSS.

Option D ("Steal the contents from the user's keystrokes using keyloggers"): This is possible. An XSS script can inject a keylogger (e.g., using onkeydown events) to capture keystrokes and transmit them to the attacker, especially on pages where sensitive data (e.g., forms) is entered.

Therefore, the correct answer is C, as XSS cannot directly exploit the database. This distinction is crucial in understanding attack vectors, a core topic in the CAP syllabus under "OWASP Top 10 (A03:2021 - Injection)" and "XSS Mitigation."

References: SecOps Group CAP Documents - "OWASP Top 10," "Cross-Site Scripting (XSS)," and "Client-Side Attack Vectors" sections.

The screenshot shows a login form where the user coder@viewer attempts to log in, and the application responds with "User does not exist." Let’s evaluate the statements:

Option A ("The application is vulnerable to username enumeration"): Correct. Username enumeration occurs when an application reveals whether a username exists in the system, often through distinct error messages. Here, the message "User does not exist" for coder@viewer directly indicates that the username is invalid, allowing an attacker to enumerate valid usernames by testing different inputs and observing the responses (e.g., "Invalid password" for existing users vs. "User does not exist"). Best practice is to use generic error messages like "Invalid username or password" to prevent enumeration.

Option B ("The application is vulnerable to brute-force attacks"): Incorrect. There’s no evidence in the screenshot of a lack of brute-force protections (e.g., rate limiting, account lockout). Brute-force vulnerability would require additional context, such as no CAPTCHA or no lockout mechanism, which is not shown.

Option C ("The application does not enforce a strong password policy"): Incorrect. The screenshot does not provide information about password requirements (e.g., length, complexity), so we cannot conclude whether a strong password policy is enforced.

Option D ("None of the above"): Incorrect, as A is true.

The correct answer is A, aligning with the CAP syllabus under "Username Enumeration" and "Authentication Security."References: SecOps Group CAP Documents - "Authentication Best Practices," "Enumeration Attacks," and "OWASP Authentication Cheat Sheet" sections.

Cookies can have security attributes to enhance their protection against various attacks. The question asks which attribute ensures that the cookie is only sent over a TLS (encrypted) channel, meaning it is transmitted securely via HTTPS and not over unencrypted HTTP.

Option A ("Secure"): The Secure attribute ensures that the browser only sends the cookie over a secure, encrypted connection (i.e., HTTPS). If a request is made over HTTP, the browser will not include the cookie, preventing it from being intercepted in plaintext. This is the correct answer.

Option B ("HttpOnly"): The HttpOnly attribute prevents the cookie from being accessed by JavaScript (e.g., via document.cookie), mitigating XSS attacks that steal cookies, but it does not enforce transmission over TLS.

Option C ("No_XSS"): This is not a valid cookie attribute; it appears to be a made-up termand does not relate to TLS enforcement.

Option D ("None of the above"): Incorrect, as the Secure attribute directly addresses the requirement.

The correct answer is A, aligning with the CAP syllabus under "Cookie Security" and "Session Management."References: SecOps Group CAP Documents - "Cookie Security Attributes," "Secure Session Management," and "OWASP Session Management Cheat Sheet" sections.

A Race Condition vulnerability occurs in multi-threaded or multi-process applications when two or more threads access a shared resource concurrently, and the outcome depends on the non-deterministic order of their execution. This can lead to inconsistent states or security issues, such as privilege escalation or data corruption, if the access is not properly synchronized (e.g., using locks or semaphores). The classic definition focuses on concurrent access to the same resource.

Option A ("A situation that occurs when two threads access the same resource at the same time"): Correct, as this accurately describes a race condition where the lack of synchronization on a shared resource (e.g., a file, variable, or database entry) can lead to unpredictable behavior.

Option B ("A situation that occurs when two threads access different resources at the same time"): Incorrect, as race conditions specifically involve contention over the same resource, not different ones.

Option C ("A situation that occurs when a single thread unpredictably accesses two resources"): Incorrect, as race conditions require multiple threads or processes; a single thread’s behavior is not a race condition.

Option D ("A situation that occurs when a single thread predictably accesses two resources"): Incorrect, as predictability negates the race condition concept, and it still involves only one thread.

The correct answer is A, aligning with the CAP syllabus under "Race Condition Vulnerabilities" and "Multi-Threaded Security."References: SecOps Group CAP Documents - "Concurrency Issues," "Race Conditions," and "OWASP Secure Coding Practices" sections.

SAML (Security Assertion Markup Language) is an XML-based standard for authentication and authorization, commonly used for single sign-on (SSO). Its reliance on XML and the complexity of its trust model make it vulnerable to several attacks:

Option A ("XML Signature Wrapping Attack"): This is a common SAML attack where an attacker manipulates the XML structure to wrap a malicious element while preserving the signature, tricking the relying party into accepting a forged assertion. This attack exploits the way SAML parsers handle signed XML messages.

Option B ("XML External Entity Injection"): SAML messages are XML-based, making them susceptible to XXE (XML External Entity) attacks if the XML parser is misconfigured. An attacker can include external entities to access local files or make network requests, compromising the system.

Option C ("Assertion Replay Attack"): In this attack, an attacker intercepts a valid SAML assertion and reuses it to impersonate the user. If the assertion lacks proper replay protection (e.g., timestamps, nonces), the relying party may accept the replayed assertion as valid.

Option D ("All of the above"): Correct, as all three attacks (XML Signature Wrapping, XXE Injection, and Assertion Replay) are well-documented vulnerabilities in SAML implementations.

The correct answer is D, aligning with the CAP syllabus under "SAML Security" and "XML-Based Attacks."References: SecOps Group CAP Documents - "SAML Security Risks," "XML Vulnerabilities," and "OWASP SAML Security Cheat Sheet" sections.

The screenshot shows an HTTP response header from with a 404 status. Let’s evaluate each option:

Option A ("The application discloses the framework name and version"): The X-Powered-By: PHP/5.4.5-5 header reveals the server is running PHP version 5.4.5-5, which is a security risk as it exposes the framework and version. This information can help attackers identify known vulnerabilities, making A incorrect (i.e., it is a problem).

Option B ("The application reveals user-agent details"): The response does not include user-agent details; it only shows the server’s configuration. User-agent details are part of the request, not the response, so this is incorrect (not a problem here).

Option C ("A cookie is set with HttpOnly and a Secure flag"): The Cookie header includes HttpOnly and Secure attributes, which are best practices to prevent JavaScript access and ensure transmission over HTTPS, respectively. This is correct behavior, so it is not incorrect.

Option D ("The application accepts insecure protocol"): The response uses indicating a secure protocol (TLS), and there’s no evidence of accepting insecure protocols like HTTP. This is not incorrect.

Thus, the incorrect statement is A, as disclosing the framework name and version via X-Powered-By is a security misconfiguration. This aligns with the CAP syllabus under "Security Headers" and "Information Disclosure."References: SecOps Group CAP Documents - "Security Misconfigurations," "HTTP Headers," and "OWASP Top 10 (A05:2021 - Security Misconfiguration)" sections.

The scenario describes a vulnerability where a user can manipulate the order_id parameter in theURL (e.g., to access other users’ order details, indicating a lack of proper access control. This is a classic case of an Insecure Direct Object Reference (IDOR)attack. IDOR occurs when an application exposes a reference to an internal object (e.g., an order ID) that can be manipulated by an unauthorized user to access resources they should not have access to, without validating the user’s permissions.

Option A ("Insecure Direct Object Reference"): Correct, as the ability to change order_id to view arbitrary orders fits the definition of IDOR.

Option B ("Session Poisoning"): Incorrect, as session poisoning involves corrupting or altering a user’s session data, which is not indicated here.

Option C ("Session Riding OR Cross-Site Request Forgery"): Incorrect, as CSRF involves tricking a user into submitting a request (e.g., via a malicious form), not manipulating a URL parameter directly.

Option D ("Server-Side Request Forgery"): Incorrect, as SSRF involves tricking the server into making unauthorized requests to internal or external resources, which is not the case here.

The correct answer is A, aligning with the CAP syllabus under "Insecure Direct Object References (IDOR)" and "OWASP Top 10 (A04:2021 - Insecure Design)."References: SecOps Group CAP Documents - "IDOR Vulnerabilities," "Access Control," and "OWASP Testing Guide" sections.

The screenshot shows an HTTP POST request to /upload.php with a multipart/form-data payload, where the attacker uploads a file named malicious.php disguised as an image/jpeg but containing PHP code (). This indicates an attempt to exploit aFile Upload Vulnerability. Such vulnerabilities occur when an application allows users to upload files without proper validation or sanitization, enabling attackers to upload malicious scripts (e.g., PHP) that can be executed on the server. In this case, if the server executes the uploaded malicious.php, it could expose server information via phpinfo() or perform other malicious actions.

Option A ("HTTP Desync Attack") involves manipulating HTTP request pipelines, which is not relevant here as the request appears standard. Option B ("File Path Traversal Attack") involves accessing unauthorized files using ../, which is not evident in this request. Option D ("Server-Side Request Forgery") involves tricking the server into making unintended requests, which does not apply to file uploads. Thus, C is the correct answer, aligning with the CAP syllabus under "File Handling Security" and "OWASP Top 10 (A05:2021 - Security Misconfiguration)."References: SecOps Group CAP Documents - "File Upload Vulnerabilities," "Input Validation," and "OWASP Top 10" sections.

SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties, particularly in the context of single sign-on (SSO). It is based on XML and is widely used to enable secure web-based authentication and authorization across different domains. The correct full form isSecurity Assertion Markup Language, where "Assertion" refers to statements about a subject (e.g., identity, attributes), "Markup" indicates the XML-based structure, and "Language" denotes the defined syntax.

Option A ("Security Assertion Markup Language"): This is the correct and official full form of SAML as defined by OASIS (Organization for the Advancement of Structured Information Standards).

Option B ("Security Authorization Markup Language"): Incorrect, as "Authorization" is not part of the acronym; SAML focuses on both authentication and authorization assertions.

Option C ("Security Assertion Management Language"): Incorrect, as "Management" is not part of the acronym; SAML is about markup, not management.

Option D ("Secure Authentication Markup Language"): Incorrect, as "Secure" is not part of the acronym, and SAML covers more than just authentication.

The correct answer is A, aligning with the CAP syllabus under "Authentication and Authorization" and "Single Sign-On (SSO) Standards."References: SecOps Group CAP Documents - "SAML Overview," "Authentication Protocols," and "OWASP Identity Management" sections.

The code snippet loads a JavaScript file from a third-party CDN with integrity and crossorigin attributes. Let’s analyze what these attributes do:

The integrity attribute specifies a Subresource Integrity (SRI) hash (e.g., sha384-Fmb0CYeA6gM2uLuyvqs7x75u0mktDh2nKLomp3PHkJ0b5vJF2qF6Gbrc/6dK), which the browser uses to verify the integrity of the loaded script. If the script’s content does not match the hash, the browser will not execute it, protecting against tampering (e.g., if the CDN is compromised).

The crossorigin="anonymous" attribute ensures the request does not send credentials (e.g., cookies) and allows the script to be loaded from a different origin while enabling CORS (Cross-Origin Resource Sharing).

Option A ("The code snippet will perform validations for Cross-Site Scriptingattacks"): Incorrect. XSS (Cross-Site Scripting) involves injecting malicious scripts into a page. The integrity attribute ensures the script’s integrity but does not validate the script’s content for XSS vulnerabilities (e.g., if the script itself contains malicious code). XSS prevention requires other measures, like Content Security Policy (CSP) or input sanitization.

Option B ("The code snippet will perform validations for Cross-Site Request Forgery attacks"): Incorrect. CSRF (Cross-Site Request Forgery) involves tricking a user into making unintended requests. The integrity and crossorigin attributes do not address CSRF, which requires server-side protections like CSRF tokens.

Option C ("The code snippet will perform Subresource Integrity (SRI) checks"): Correct. The integrity attribute explicitly enables SRI, ensuring the browser verifies the script’s hash before execution. This protects against supply chain attacks where a third-party script might be modified maliciously.

Option D ("The code snippet will perform validations for Outdated Javascript checks"): Incorrect. The snippet does not check for outdated JavaScript versions. SRI ensures the script matches the expected hash but does not validate the script’s version or security status.

The correct answer is C, aligning with the CAP syllabus under "Subresource Integrity (SRI)" and "Third-Party Script Security."References: SecOps Group CAP Documents - "SRI Implementation," "Third-Party Resource Security," and "OWASP Secure Coding Practices" sections.

Asymmetric key encryption (also known as public-key cryptography) uses a pair of keys: a public key for encryption and a private key for decryption (or vice versa for signing). Symmetric key encryption, on the other hand, uses the same key for both encryption and decryption. Let’s evaluate the options:

Option A ("AES"): AES (Advanced Encryption Standard) is a symmetric key encryption algorithm. It uses a single key (e.g., 128, 192, or 256 bits) for both encryption and decryption, making it a symmetric algorithm, not an asymmetric one.

Option B ("RSA"): RSA (Rivest-Shamir-Adleman) is an asymmetric key encryption algorithm. It uses a public key to encrypt data and a private key to decrypt it, making it a classic example of asymmetric cryptography.

Option C ("Diffie-Hellman"): Diffie-Hellman is an asymmetric key exchange algorithm. While it is primarily used for key exchange rather than direct encryption, it relies on asymmetric principles (public and private keys) to securely establish a shared secret, so it is considered part of asymmetric cryptography.

Option D ("DSA"): DSA (Digital Signature Algorithm) is an asymmetric algorithm used for digital signatures. It uses a pair of keys (public and private) for signing and verification, making it an asymmetric algorithm.

The correct answer is A, as AES is the only symmetric algorithm listed, aligning with the CAP syllabus under "Cryptography Fundamentals" and "Symmetric vs. Asymmetric Encryption."References: SecOps Group CAP Documents - "Cryptographic Algorithms," "Symmetric and Asymmetric Encryption," and "OWASP Cryptographic Storage Cheat Sheet" sections.

A safe password must adhere to security best practices, including sufficient length, complexity, and resistance to common attacks (e.g., brute force, dictionary attacks). Let’s evaluate each option:

Option A ("Monday@123"): This password is weak because it combines a common word ("Monday") with a simple number and symbol pattern. It is vulnerable to dictionary attacks and does not meet complexity requirements (e.g., mixed case, special characters, and randomness).

Option B ("abcdef"): This is a sequence of letters with no numbers, special characters, or uppercase letters. It is extremely weak and easily guessable, making it unsafe.

Option C ("Sq0Jh819%ak"): This password is considered safe because it is at least 10 characters long, includes a mix of uppercase letters (S, J, H), lowercase letters (q, h, a, k), numbers (0, 8, 9, 1), and a special character (%). It lacks predictable patterns and meets modern password policy standards (e.g., NIST SP 800-63B recommends at least 8 characters with complexity).

Option D ("1234567890"): This is a simple numeric sequence, highly predictable, and vulnerable to brute-force attacks, making it unsafe.

The correct answer is C, as it aligns with secure password creation guidelines, a key topic in the CAP syllabus under "Authentication Security" and "Secure Coding Practices."References: SecOps Group CAP Documents - "Password Management," "Authentication Security," and "OWASP Secure Coding Guidelines" sections.

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols used to secure communication over a network. The security of these protocols has evolved over time, with older versions being deprecated due to identified vulnerabilities.SSLv2andSSLv3are considered insecure because they are vulnerable to attacks such as POODLE (Padding Oracle On Downgraded Legacy Encryption), which exploits weaknesses in their padding schemes. Similarly,TLSv1.0andTLSv1.1are also deemed insecure due to vulnerabilities like BEAST (Browser Exploit Against SSL/TLS) and weak cipher support, and they have been deprecated by modern standards (e.g., PCI DSS).TLSv1.2andTLSv1.3are considered secure when properly configured with strong ciphers.

Option A correctly identifies SSLv2 and SSLv3 as insecure, but it omits TLSv1.0 and TLSv1.1. Option B correctly identifies TLSv1.0 and TLSv1.1 as insecure but omits SSLv2 and SSLv3. Option C ("Both A and B") encompasses all insecure protocols (SSLv2, SSLv3, TLSv1.0, and TLSv1.1), making it the most comprehensive and correct answer. Option D is incorrect because it includes TLSv1.2 and TLSv1.3, which are secure when used with modern configurations. This aligns with the CAP syllabus focus on secure communication protocols and vulnerability management.References: SecOps Group CAP Documents - "Secure Communication," "SSL/TLS Configuration," and "OWASP Secure Headers" sections.

Let’s evaluate the two statements about NoSQL injection:

Statement A: NoSQL databases (e.g., MongoDB, Cassandra) are designed for scalability and flexibility, often sacrificing strict consistency for performance (e.g., eventual consistency in distributed systems). Unlike traditional SQL databases, they do not enforce rigid relational constraints, which simplifies scaling but does not eliminate the risk of injection attacks. Even without SQL syntax, NoSQL databases are vulnerable to injection if user input is not sanitized (e.g., in MongoDB, injecting $where or $ne operators). This statement is true.

Statement B: NoSQL database queries are typically written in the application’s programming language (e.g., JavaScript for MongoDB), using a custom API (e.g., MongoDB’s query API), or formatted in standards like JSON, XML, or LINQ. For example, a MongoDB query might look like db.collection.find({ "key": input }), where input is a JSON-like structure. This statement accurately describes how NoSQL queries are constructed and is true.

Option A ("A is true, and B is false"): Incorrect, as both statements are true.

Option B ("A is false, and B is true"): Incorrect, as both statements are true.

Option C ("Both A and B are false"): Incorrect, as both statements are true.

Option D ("Both A and B are true"): Correct, as both statements accurately describe NoSQL databases and their vulnerability to injection.

The correct answer is D, aligning with the CAP syllabus under "NoSQL Injection" and "Database Security."References: SecOps Group CAP Documents - "NoSQL Injection Vulnerabilities," "Database Query Security," and "OWASP Top 10 (A03:2021 - Injection)" sections.

The robots.txt file is a text file placed in a website’s root directory to communicate with web crawlers (e.g., Googlebot) about which pages or resources should not be accessed or indexed. It uses directives like Disallow to specify restricted areas (e.g., Disallow: /admin/). However, robots.txt is not a security mechanism; it is only a request to crawlers, and malicious bots or users can ignore it.

Option A ("Developers must not list any sensitive files and directories in this file"): Correct. Listing sensitive files or directories (e.g., Disallow: /secret/) in robots.txt can inadvertently expose their existence to attackers, who can then attempt to access them directly. The best practice is to avoid mentioning sensitive paths and rely on proper access controls (e.g., authentication, authorization) instead.

Option B ("Developers must list all sensitive files and directories in this file to secure them"): Incorrect. Listing sensitive paths in robots.txt does not secure them; it only informs crawlers to avoid them, and it can serve as a roadmap for attackers.

Option C ("Both A and B"): Incorrect, as A and B are contradictory; B is false.

Option D ("None of the above"): Incorrect, as A is true.

The correct answer is A, aligning with the CAP syllabus under "Web Crawler Security" and "Information Disclosure Prevention."References: SecOps Group CAP Documents - "robots.txt Usage," "Information Exposure," and "OWASP Web Security Testing Guide" sections.

Null Byte Injection is a vulnerability where a null byte character (\0 or ASCII 0) is injected into user-supplied input to manipulate application behavior, often bypassing filters or terminating strings prematurely in languages like C or C++ that rely on null-terminated strings. In web applications, this is typically encoded in URLs using percent-encoding (e.g., %xx, where xx is the hexadecimal value). The ASCII value of a null byte is 0, which is represented as %00 in URL encoding.

Option A ("%01"): Represents the ASCII character with value 1 (Start of Heading), not a null byte.

Option B ("%10"): Represents the ASCII character with value 16 (Data Link Escape), not a null byte.

Option C ("%25"): Represents the % character itself (ASCII 37), not a null byte.

Option D ("%00"): Represents the null byte (ASCII 0), which is the correct URL-encoded form used in Null Byte Injection attacks.

The correct answer is D, aligning with the CAP syllabus under "Injection Attacks" and "Input Validation Bypasses."References: SecOps Group CAP Documents - "Null Byte Injection," "URL Encoding," and "OWASP Injection Prevention" sections.