CAP Certified AppSec Practitioner Exam Questions and Answers

The HTTP response headers provide metadata about the server and its configuration. Let’s analyze each header and evaluate the statements:

Headers Breakdown :

Server: Microsoft-IIS/8.0: Indicates the web server is Microsoft Internet Information Services (IIS) version 8.0.

X-AspNet-Version: 2.0.50727: Indicates the application is using ASP.NET version 2.0.50727.

X-Powered-By: ASP.NET: Confirms the application framework is ASP.NET.

Other headers (e.g., Cache-Control, Content-Type, Expires) are standard and not directly relevant to the statements.

Option A ("The application is using an outdated server technology") : The Server: Microsoft-IIS/8.0 header indicates the server is running IIS 8.0, which was released in 2012 and is associated with Windows Server 2012. As of the current date (March 06, 2025), IIS 8.0 is outdated; Microsoft has released newer versions (e.g., IIS 10 with Windows Server 2016/2019). Additionally, mainstream support for Windows Server 2012 ended in October 2018, and extended support ended in October 2023, making IIS 8.0 unsupported and vulnerable to unpatched security issues. This statement is true.

Option B ("The application is disclosing the server version") : The Server: Microsoft-IIS/8.0 header explicitly discloses the server type (IIS) and version (8.0). Disclosing server version information is a security risk because attackers can use this to identify known vulnerabilities specific to that version (e.g., CVE exploits for IIS 8.0). Best practice is to suppress or obfuscate this header (e.g., Server: WebServer), so this statement is true.

Option C ("The application is disclosing the version of the framework used") : The X-AspNet-Version: 2.0.50727 header reveals the ASP.NET framework version (2.0.50727), which corresponds to .NET Framework 2.0, released in 2005. Disclosing the framework version is a security risk because attackers can target known vulnerabilities in that version (e.g., .NET Framework 2.0 is long unsupported; support ended in 2011). Best practice is to disable this header in the application configuration (e.g., in web.config for ASP.NET), so this statement is true.

Option D ("All of the above") : Since A (outdated server technology), B (disclosing server version), and C (disclosing framework version) are all true, this is the correct answer.

The correct answer is D, aligning with the CAP syllabus under "Information Disclosure" and "HTTP Header Security." References : SecOps Group CAP Documents - "Information Disclosure Prevention," "Server Hardening," and "OWASP Secure Headers Project" sections.

Clickjacking is an attack where a malicious site overlays a transparent iframe containing a legitimate site, tricking users into interacting with it unintentionally (e.g., clicking a button). The Content-Security-Policy (CSP) HTTP response header is used to mitigate various client-side attacks, including clickjacking, through specific directives. The frame-ancestors directive is the correct choice for preventing clickjacking. This directive specifies which origins are allowed to embed the webpage in an iframe, < frame > , or < object > . For example, setting frame-ancestors 'self' restricts framing to the same origin, effectively blocking external sites from embedding the page. This is a standard defense mechanism recommended by OWASP and other security frameworks.

Option A ("script-src") controls the sources from which scripts can be loaded, addressing XSS (Cross-Site Scripting) vulnerabilities but not clickjacking. Option B ("object-src") restricts the sources of plugins or embedded objects (e.g., Flash), which is unrelated to iframe-based clickjacking. Option D ("base-uri") defines the base URL for relative URLs in the document, offering no protection against framing attacks. The use of CSP with the frame-ancestors directive is a critical topic in the CAP syllabus under "Security Headers" and "OWASP Top 10" (UI Redressing).

References: SecOps Group CAP Documents - "Security Headers," "OWASP Top 10 (A07:2021 - Identification and Authentication Failures)," and "Client-Side Security" sections.

A safe password must adhere to security best practices, including sufficient length, complexity, and resistance to common attacks (e.g., brute force, dictionary attacks). Let’s evaluate each option:

Option A ("Monday@123") : This password is weak because it combines a common word ("Monday") with a simple number and symbol pattern. It is vulnerable to dictionary attacks and does not meet complexity requirements (e.g., mixed case, special characters, and randomness).

Option B ("abcdef") : This is a sequence of letters with no numbers, special characters, or uppercase letters. It is extremely weak and easily guessable, making it unsafe.

Option C ("Sq0Jh819%ak") : This password is considered safe because it is at least 10 characters long, includes a mix of uppercase letters (S, J, H), lowercase letters (q, h, a, k), numbers (0, 8, 9, 1), and a special character (%). It lacks predictable patterns and meets modern password policy standards (e.g., NIST SP 800-63B recommends at least 8 characters with complexity).

Option D ("1234567890") : This is a simple numeric sequence, highly predictable, and vulnerable to brute-force attacks, making it unsafe.

The correct answer is C, as it aligns with secure password creation guidelines, a key topic in the CAP syllabus under "Authentication Security" and "Secure Coding Practices." References : SecOps Group CAP Documents - "Password Management," "Authentication Security," and "OWASP Secure Coding Guidelines" sections.

The HTTP request is a POST to /changepassword with a session cookie (JSESSIONID) and parameters new_password and confirm_password. Let’s evaluate each option:

Option A ("The change password feature does not validate the user") : The request includes a JSESSIONID cookie, which typically indicates that the user is authenticated via a session. There’s no evidence that user validation is absent, so this is not correct.

Option B ("The change password feature uses basic authorization") : Basic authorization would involve an Authorization: Basic header with a Base64-encoded username and password, which is not present here. The authentication appears to be session-based (via cookie), not basic auth, so this is incorrect.

Option C ("The change password feature is vulnerable to Cross-Site Request Forgery attack") : Cross-Site Request Forgery (CSRF) occurs when a malicious site tricks a user’s browser into making an unintended request to another site where the user is authenticated. This request lacks a CSRF token (e.g., a unique, unpredictable token in the request body or header) to verify the request’s legitimacy. The Sec-Fetch-Site: same-origin header indicates the request is currently from the same origin, but this is a browser feature, not a server-side CSRF protection. Without a CSRF token, the endpoint is vulnerable to CSRF, as an attacker could craft a malicious form on another site to submit this request on behalf of the user. This is the correct answer.

Option D ("All of the above") : Since A and B are incorrect, D cannot be correct.

The correct answer is C, aligning with the CAP syllabus under "Cross-Site Request Forgery (CSRF)" and "OWASP Top 10 (A08:2021 - Software and Data Integrity Failures)." References : SecOps Group CAP Documents - "CSRF Prevention," "Session Management," and "OWASP Secure Coding Practices" sections.

Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. These scripts execute in the context of the victim’s browser, enabling various exploitations. Let’s evaluate each option:

Option A ("Steal the user's session identifier stored on a non HttpOnly cookie"): This is possible with XSS. If a session cookie is not marked as HttpOnly (preventing JavaScript access), an attacker can use a script to access document.cookie and steal the session ID, leading to session hijacking.

Option B ("Steal the contents from the web page"): This is also possible. An XSS payload can manipulate the DOM, extract content (e.g., via innerHTML), and send it to the attacker, such as through a GET request to a malicious server.

Option C ("Steal the contents from the application's database"): This is not possible with XSS alone. XSS operates on the client side within the browser’s sandbox and cannot directly access the server-side database. Database access requires server-side vulnerabilities (e.g., SQL injection), which is a separate attack vector. Thus, this exploitation is not feasible through XSS.

Option D ("Steal the contents from the user's keystrokes using keyloggers"): This is possible. An XSS script can inject a keylogger (e.g., using onkeydown events) to capture keystrokes and transmit them to the attacker, especially on pages where sensitive data (e.g., forms) is entered.

Therefore, the correct answer is C, as XSS cannot directly exploit the database. This distinction is crucial in understanding attack vectors, a core topic in the CAP syllabus under "OWASP Top 10 (A03:2021 - Injection)" and "XSS Mitigation."

References: SecOps Group CAP Documents - "OWASP Top 10," "Cross-Site Scripting (XSS)," and "Client-Side Attack Vectors" sections.

The code snippet is a Python script that takes user input for a filename, constructs a path by concatenating it with /var/www/html/files/, reads the file content, and prints it. The vulnerability arises because the filename variable is directly used in the path without sanitization or validation, allowing an attacker to manipulate it.

Path Traversal Vulnerability : An attacker can input a value like ../../etc/passwd to navigate outside the intended /var/www/html/files/ directory and access sensitive system files (e.g., /etc/passwd). Since the open() function will attempt to access the resulting path, this is a clear case of Path Traversal if the application runs with sufficient permissions.

Remote Code Execution (RCE) : RCE would require the ability to execute arbitrary code, which is not directly possible here. The script only reads files, not executes them, unless the file contains executable code and the server interprets it (e.g., a PHP file on a web server), but this is not implied by the code alone.

Option A ("Path Traversal") : Correct, as the lack of input validation makes the code vulnerable to Path Traversal attacks.

Option B ("Remote Code Execution") : Incorrect, as the code does not execute the file content; it only reads it.

Option C ("Both A and B") : Incorrect, as RCE is not applicable here.

Option D ("None of the above") : Incorrect, as Path Traversal is a valid vulnerability.

The correct answer is A, aligning with the CAP syllabus under "Path Traversal Attacks" and "Input Validation." References : SecOps Group CAP Documents - "Path Traversal Vulnerabilities," "Input Sanitization," and "OWASP Top 10 (A05:2021 - Security Misconfiguration)" sections.

The password reset mechanism now includes a one-time random token alongside the userId in the reset link: https://example.com/reset_password?userId=5298 & token=70e7803e-bf53-45e1-8a3f-fb15da7de3a0. Let’s evaluate the effectiveness of this mechanism:

Analysis : The inclusion of a one-time random token (e.g., 70e7803e-bf53-45e1-8a3f-fb15da7de3a0) is a best practice for secure password reset mechanisms. This token should be unique, unpredictable, and tied to the specific user’s reset request (e.g., stored in the database with an expiration time). When the user clicks the link, the application should verify that the token matches the one associated with the userId and that it hasn’t been used or expired.

Preventing Arbitrary Resets : Without the token, an attacker could manipulate the userId (e.g., to 5299) to reset another user’s password (as seen in Question 45). However, with the token, the attacker would need to guess the correct token for the targeted userId, which is computationally infeasible if the token is sufficiently random (e.g., a UUID or cryptographically secure random string) and properly validated. This prevents unauthorized password resets.

Additional Considerations : The link uses https://, ensuring a secure channel (unlike Question 45). The message "If the email exists..." prevents username enumeration, as discussed previously.

Option A ("True") : Correct, as the one-time random token, if implemented correctly (e.g., validated server-side, single-use, time-limited), prevents an attacker from resetting arbitrary users’ passwords.

Option B ("False") : Incorrect, as the mechanism is secure with the token.

The correct answer is A, aligning with the CAP syllabus under "Secure Password Reset" and "Token-Based Authentication." References : SecOps Group CAP Documents - "Password Reset Security," "Token Generation Best Practices," and "OWASP Forgot Password Cheat Sheet" sections.

A Dependency Confusion Attack occurs when an attacker uploads a malicious package with the same name as a private package to a public package repository (e.g., npm, PyPI), causing a package manager to prioritize the malicious public package over the intended private one due to misconfiguration or version precedence. To identify potential private packages for such an attack, attackers analyze dependency configuration files that list the application’s dependencies.

Option A ("package.json") : This file is used by npm (Node.js package manager) to define dependencies for JavaScript projects. It lists package names and versions, making it a prime target for identifying private packages that might be targeted in a dependency confusion attack.

Option B ("requirements.txt") : This file is used by pip (Python package manager) to define dependencies for Python projects. It similarly lists package names and versions, making it another target for identifying private packages.

Option C ("Both A and B") : Correct, as both package.json (JavaScript/Node.js) and requirements.txt (Python) are dependency configuration files that can reveal private package names, which an attacker might exploit in a dependency confusion attack.

Option D ("None of the above") : Incorrect, as both files are relevant.

The correct answer is C, aligning with the CAP syllabus under "Supply Chain Attacks" and "Dependency Management." References : SecOps Group CAP Documents - "Dependency Confusion Attacks," "Software Supply Chain Security," and "OWASP Dependency-Check Guide" sections.

Asymmetric key encryption (also known as public-key cryptography) uses a pair of keys: a public key for encryption and a private key for decryption (or vice versa for signing). Symmetric key encryption, on the other hand, uses the same key for both encryption and decryption. Let’s evaluate the options:

Option A ("AES") : AES (Advanced Encryption Standard) is a symmetric key encryption algorithm. It uses a single key (e.g., 128, 192, or 256 bits) for both encryption and decryption, making it a symmetric algorithm, not an asymmetric one.

Option B ("RSA") : RSA (Rivest-Shamir-Adleman) is an asymmetric key encryption algorithm. It uses a public key to encrypt data and a private key to decrypt it, making it a classic example of asymmetric cryptography.

Option C ("Diffie-Hellman") : Diffie-Hellman is an asymmetric key exchange algorithm. While it is primarily used for key exchange rather than direct encryption, it relies on asymmetric principles (public and private keys) to securely establish a shared secret, so it is considered part of asymmetric cryptography.

Option D ("DSA") : DSA (Digital Signature Algorithm) is an asymmetric algorithm used for digital signatures. It uses a pair of keys (public and private) for signing and verification, making it an asymmetric algorithm.

The correct answer is A, as AES is the only symmetric algorithm listed, aligning with the CAP syllabus under "Cryptography Fundamentals" and "Symmetric vs. Asymmetric Encryption." References : SecOps Group CAP Documents - "Cryptographic Algorithms," "Symmetric and Asymmetric Encryption," and "OWASP Cryptographic Storage Cheat Sheet" sections.

The request is a GET to /userProfile.php with a sessionId parameter matching the JSESSIONID cookie, and the response is a 200 OK with an HTML page. Let’s evaluate the statements:

Option A ("The application uses an insecure channel (non-TLS)") : The request uses http:// (inferred from the absence of https:// in the Host and GET line), indicating a non-TLS channel. However, the question asks about the "application" (likely the server-side behavior), and the response does not explicitly confirm the channel used for the response. Modern browsers might enforce TLS, but the request suggests an insecure channel. This could be true, but it depends on the server’s configuration, making it less certain without further context.

Option B ("The application uses an insecure HTTP method (GET) to send sensitive information") : Correct. The sessionId parameter in the URL (/userProfile.php?sessionId=7576572ce164646de967c759643d53031) is sensitive data, as it could be used to hijack the user’s session. Using GET exposes this data in browser history, server logs, and referral headers, which is insecure. Best practice is to use POST for sensitive data to avoid such exposure. The JSESSIONID cookie is marked HttpOnly, mitigating some risks, but the sessionId in the URL remains a vulnerability.

Option C ("The application is vulnerable to Cross-Site Scripting attacks") : The response includes an HTML page with no visible user input or script execution. There’s no evidence of unsanitized input or script injection (e.g., no dynamic content like < script > tags with user data). The X-Xss-Protection: 1; mode=block header (though not shown) would mitigate XSS if present, but the response alone does not indicate vulnerability, so this is incorrect.

Option D ("All of the above") : Incorrect, as only B is definitively true; A is uncertain without confirming the response channel, and C lacks evidence.

The correct answer is B, aligning with the CAP syllabus under "HTTP Methods Security" and "Session Management." References : SecOps Group CAP Documents - "Insecure HTTP Methods," "Sensitive Data Exposure," and "OWASP Secure Coding Practices" sections.

Cookies can have security attributes to enhance their protection against various attacks. The question asks which attribute ensures that the cookie is only sent over a TLS (encrypted) channel, meaning it is transmitted securely via HTTPS and not over unencrypted HTTP.

Option A ("Secure") : The Secure attribute ensures that the browser only sends the cookie over a secure, encrypted connection (i.e., HTTPS). If a request is made over HTTP, the browser will not include the cookie, preventing it from being intercepted in plaintext. This is the correct answer.

Option B ("HttpOnly") : The HttpOnly attribute prevents the cookie from being accessed by JavaScript (e.g., via document.cookie), mitigating XSS attacks that steal cookies, but it does not enforce transmission over TLS.

Option C ("No_XSS") : This is not a valid cookie attribute; it appears to be a made-up term and does not relate to TLS enforcement.

Option D ("None of the above") : Incorrect, as the Secure attribute directly addresses the requirement.

The correct answer is A, aligning with the CAP syllabus under "Cookie Security" and "Session Management." References : SecOps Group CAP Documents - "Cookie Security Attributes," "Secure Session Management," and "OWASP Session Management Cheat Sheet" sections.

The robots.txt file is a text file placed in a website’s root directory to communicate with web crawlers (e.g., Googlebot) about which pages or resources should not be accessed or indexed. It uses directives like Disallow to specify restricted areas (e.g., Disallow: /admin/). However, robots.txt is not a security mechanism; it is only a request to crawlers, and malicious bots or users can ignore it.

Option A ("Developers must not list any sensitive files and directories in this file") : Correct. Listing sensitive files or directories (e.g., Disallow: /secret/) in robots.txt can inadvertently expose their existence to attackers, who can then attempt to access them directly. The best practice is to avoid mentioning sensitive paths and rely on proper access controls (e.g., authentication, authorization) instead.

Option B ("Developers must list all sensitive files and directories in this file to secure them") : Incorrect. Listing sensitive paths in robots.txt does not secure them; it only informs crawlers to avoid them, and it can serve as a roadmap for attackers.

Option C ("Both A and B") : Incorrect, as A and B are contradictory; B is false.

Option D ("None of the above") : Incorrect, as A is true.

The correct answer is A, aligning with the CAP syllabus under "Web Crawler Security" and "Information Disclosure Prevention." References : SecOps Group CAP Documents - "robots.txt Usage," "Information Exposure," and "OWASP Web Security Testing Guide" sections.

SQL injection vulnerabilities allow attackers to manipulate database queries, potentially accessing unauthorized data, including file contents, if the database supports such operations. In MySQL, the LOAD_FILE() function is specifically designed to read the contents of a file on the server where the database is hosted, provided the file exists, the database user has appropriate privileges (e.g., FILE privilege), and the file is readable. For example, SELECT LOAD_FILE('/etc/passwd') could extract the contents of the /etc/passwd file if exploitable.

Option A ("READ_FILE()") : This is not a valid MySQL function.

Option B ("LOAD_FILE()") : This is the correct function for reading file contents in MySQL, making it the right choice for exploitation.

Option C ("FETCH_FILE()") : This is not a recognized MySQL function.

Option D ("GET_FILE()") : This is also not a valid MySQL function.

The correct answer is B, aligning with the CAP syllabus under "SQL Injection" and "Database Security." References : SecOps Group CAP Documents - "Injection Vulnerabilities," "MySQL Security Features," and "OWASP Top 10 (A03:2021 - Injection)" sections.

SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties, particularly in the context of single sign-on (SSO). It is based on XML and is widely used to enable secure web-based authentication and authorization across different domains. The correct full form is Security Assertion Markup Language , where "Assertion" refers to statements about a subject (e.g., identity, attributes), "Markup" indicates the XML-based structure, and "Language" denotes the defined syntax.

Option A ("Security Assertion Markup Language") : This is the correct and official full form of SAML as defined by OASIS (Organization for the Advancement of Structured Information Standards).

Option B ("Security Authorization Markup Language") : Incorrect, as "Authorization" is not part of the acronym; SAML focuses on both authentication and authorization assertions.

Option C ("Security Assertion Management Language") : Incorrect, as "Management" is not part of the acronym; SAML is about markup, not management.

Option D ("Secure Authentication Markup Language") : Incorrect, as "Secure" is not part of the acronym, and SAML covers more than just authentication.

The correct answer is A, aligning with the CAP syllabus under "Authentication and Authorization" and "Single Sign-On (SSO) Standards." References : SecOps Group CAP Documents - "SAML Overview," "Authentication Protocols," and "OWASP Identity Management" sections.