The SecOps Group CAP Exam Questions

CORS (Cross-Origin Resource Sharing) is a mechanism that allows servers to specify which origins can access their resources, enhancing security for cross-origin requests. A common misconfiguration occurs with the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers. When Access-Control-Allow-Origin is set to * (wildcard, allowing all origins), it permits any domain to make requests. However, if Access-Control-Allow-Credentials is set to true (allowing credentials like cookies or HTTP authentication), this creates a security risk. Browsers will block such requests because sending credentials with a wildcard origin violates CORS security policies, but an attacker could exploit this misconfiguration to trick a victim's browser into making unauthorized requests if other controls are absent.

Option A is correct because the combination of Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true is exploitable, as it enables potential credential leakage or unauthorized access. Option B is incorrect because Access-Control-Allow-Credentials: false disables credential sending, reducing exploitability. Option C is incorrect because the value of Access-Control-Allow-Credentials is not irrelevant; it must be false with a wildcard origin to comply with security standards. Option D ('All of the above') is incorrect as only A holds true. This is a key topic in the CAP syllabus under 'CORS Misconfiguration' and 'Client-Side Security.'

Let's evaluate the two statements about NoSQL injection:

Statement A: NoSQL databases (e.g., MongoDB, Cassandra) are designed for scalability and flexibility, often sacrificing strict consistency for performance (e.g., eventual consistency in distributed systems). Unlike traditional SQL databases, they do not enforce rigid relational constraints, which simplifies scaling but does not eliminate the risk of injection attacks. Even without SQL syntax, NoSQL databases are vulnerable to injection if user input is not sanitized (e.g., in MongoDB, injecting $where or $ne operators). This statement is true.

Statement B: NoSQL database queries are typically written in the application's programming language (e.g., JavaScript for MongoDB), using a custom API (e.g., MongoDB's query API), or formatted in standards like JSON, XML, or LINQ. For example, a MongoDB query might look like db.collection.find({ 'key': input }), where input is a JSON-like structure. This statement accurately describes how NoSQL queries are constructed and is true.

Option A ('A is true, and B is false'): Incorrect, as both statements are true.

Option B ('A is false, and B is true'): Incorrect, as both statements are true.

Option C ('Both A and B are false'): Incorrect, as both statements are true.

Option D ('Both A and B are true'): Correct, as both statements accurately describe NoSQL databases and their vulnerability to injection.

The correct answer is D, aligning with the CAP syllabus under 'NoSQL Injection' and 'Database Security.'

Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. These scripts execute in the context of the victim's browser, enabling various exploitations. Let's evaluate each option:

Option A ('Steal the user's session identifier stored on a non HttpOnly cookie'): This is possible with XSS. If a session cookie is not marked as HttpOnly (preventing JavaScript access), an attacker can use a script to access document.cookie and steal the session ID, leading to session hijacking.

Option B ('Steal the contents from the web page'): This is also possible. An XSS payload can manipulate the DOM, extract content (e.g., via innerHTML), and send it to the attacker, such as through a GET request to a malicious server.

Option C ('Steal the contents from the application's database'): This is not possible with XSS alone. XSS operates on the client side within the browser's sandbox and cannot directly access the server-side database. Database access requires server-side vulnerabilities (e.g., SQL injection), which is a separate attack vector. Thus, this exploitation is not feasible through XSS.

Option D ('Steal the contents from the user's keystrokes using keyloggers'): This is possible. An XSS script can inject a keylogger (e.g., using onkeydown events) to capture keystrokes and transmit them to the attacker, especially on pages where sensitive data (e.g., forms) is entered.

Therefore, the correct answer is C, as XSS cannot directly exploit the database. This distinction is crucial in understanding attack vectors, a core topic in the CAP syllabus under 'OWASP Top 10 (A03:2021 - Injection)' and 'XSS Mitigation.'

SQL injection vulnerabilities allow attackers to manipulate database queries, potentially accessing unauthorized data, including file contents, if the database supports such operations. In MySQL, the LOAD_FILE() function is specifically designed to read the contents of a file on the server where the database is hosted, provided the file exists, the database user has appropriate privileges (e.g., FILE privilege), and the file is readable. For example, SELECT LOAD_FILE('/etc/passwd') could extract the contents of the /etc/passwd file if exploitable.

Option A ('READ_FILE()'): This is not a valid MySQL function.

Option B ('LOAD_FILE()'): This is the correct function for reading file contents in MySQL, making it the right choice for exploitation.

Option C ('FETCH_FILE()'): This is not a recognized MySQL function.

Option D ('GET_FILE()'): This is also not a valid MySQL function.

The correct answer is B, aligning with the CAP syllabus under 'SQL Injection' and 'Database Security.'

The HTTP request is a POST to /changepassword with a session cookie (JSESSIONID) and parameters new_password and confirm_password. Let's evaluate each option:

Option A ('The change password feature does not validate the user'): The request includes a JSESSIONID cookie, which typically indicates that the user is authenticated via a session. There's no evidence that user validation is absent, so this is not correct.

Option B ('The change password feature uses basic authorization'): Basic authorization would involve an Authorization: Basic header with a Base64-encoded username and password, which is not present here. The authentication appears to be session-based (via cookie), not basic auth, so this is incorrect.

Option C ('The change password feature is vulnerable to Cross-Site Request Forgery attack'): Cross-Site Request Forgery (CSRF) occurs when a malicious site tricks a user's browser into making an unintended request to another site where the user is authenticated. This request lacks a CSRF token (e.g., a unique, unpredictable token in the request body or header) to verify the request's legitimacy. The Sec-Fetch-Site: same-origin header indicates the request is currently from the same origin, but this is a browser feature, not a server-side CSRF protection. Without a CSRF token, the endpoint is vulnerable to CSRF, as an attacker could craft a malicious form on another site to submit this request on behalf of the user. This is the correct answer.

Option D ('All of the above'): Since A and B are incorrect, D cannot be correct.

The correct answer is C, aligning with the CAP syllabus under 'Cross-Site Request Forgery (CSRF)' and 'OWASP Top 10 (A08:2021 - Software and Data Integrity Failures).'