CAS-003 Question #225: Real Exam Question with Answer & Explanation
The correct answer is A: Missing input validation on some fields.
Question
A penetration tester is inspecting traffic on a new mobile banking application and sends the following web request:

Content-type: application/json
{
  "account": [
    { "creditAccount":"Credit Card Rewards account"}
  ],
  "customer": [
    { "name":"Joe Citizen"}
    { "custRef":"3153151"}
  ]
}

The banking website responds with:

HTTP/1.1 200 OK
{
  "newAccountDetails": [
    { "cardNumber":"1234123412341234"}
    { "cardExpiry":"2020-12-31"}
    { "cardCVV":"909"}
  ],
  "marketingCookieTracker":"JSESSIONID=000000001"
  "returnCode":"Account added successfully"
}

Which of the following are security weaknesses in this example? (Select TWO).
Options
- A. Missing input validation on some fields
- B. Vulnerable to SQL injection
- C. Sensitive details communicated in clear-text
- D. Vulnerable to XSS
- E. Vulnerable to malware file uploads
- F. JSON/REST is not as secure as XML
Explanation
The SalesLeadRef field has no input validation. Sensitive details are communicated in clear text, which makes them vulnerable to an attacker. This kind of information should be encrypted.
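The two weaknesses the explanation names, shown from the defender's side in an added Python example (not part of the original question or of any real banking API): an allow-list validator for the JSON request fields and a response builder that stops returning the full card number and the CVV. The field names come from the request and response above; the validation rules, the `FIELD_RULES` table, the `validate_request`, `mask_card_number` and `build_response` functions and the sample request are assumptions made for this example. Note that the request as printed on the page lacks commas between the objects inside each list, so `json.loads` would reject it as malformed; the constructed sample below adds them. Encrypting the transport (TLS) is the fix for the clear-text problem itself; the response builder shows the complementary data-minimisation step at the application layer.

```python
import json
import re

# Constructed sample request modelled on the page's example (commas added so it is valid JSON).
SAMPLE_REQUEST = json.dumps({
    "account": [{"creditAccount": "Credit Card Rewards account"}],
    "customer": [{"name": "Joe Citizen"}, {"custRef": "3153151"}],
})

# Allow-list of sections and fields the endpoint accepts, with a pattern for each.
# Field names are taken from the page's request; the patterns are assumptions for this example.
FIELD_RULES = {
    "account": {"creditAccount": re.compile(r"^[A-Za-z0-9 ]{1,64}$")},
    "customer": {
        "name": re.compile(r"^[A-Za-z' -]{1,100}$"),
        "custRef": re.compile(r"^[0-9]{1,12}$"),
    },
}


def validate_request(raw):
    """Return a list of validation errors; an empty list means the request is acceptable."""
    errors = []
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        return ["malformed JSON: " + exc.msg]
    if not isinstance(body, dict):
        return ["top-level value must be an object"]
    for section, entries in body.items():
        rules = FIELD_RULES.get(section)
        if rules is None:
            # Unknown sections are rejected rather than silently ignored.
            errors.append("unexpected section '%s'" % section)
            continue
        if not isinstance(entries, list):
            errors.append("section '%s' must be a list" % section)
            continue
        for entry in entries:
            if not isinstance(entry, dict):
                errors.append("entries in '%s' must be objects" % section)
                continue
            for key, value in entry.items():
                rule = rules.get(key)
                if rule is None:
                    errors.append("unexpected field '%s.%s'" % (section, key))
                elif not isinstance(value, str) or not rule.fullmatch(value):
                    errors.append("invalid value for '%s.%s'" % (section, key))
    return errors


def mask_card_number(pan):
    """Keep only the last four digits of the card number."""
    return "*" * (len(pan) - 4) + pan[-4:]


def build_response(card_number, card_expiry):
    """Build the success response without exposing full card data.

    The CVV is never included in a response, the card number is masked, and the
    session identifier is not echoed in the body as a tracking value.
    """
    return {
        "newAccountDetails": [
            {"cardNumber": mask_card_number(card_number)},
            {"cardExpiry": card_expiry},
        ],
        "returnCode": "Account added successfully",
    }


if __name__ == "__main__":
    print("validation errors for sample request:", validate_request(SAMPLE_REQUEST))
    print("errors for a non-numeric custRef:",
          validate_request('{"customer": [{"custRef": "ABC-3153151"}]}'))
    print("response:", json.dumps(build_response("1234123412341234", "2020-12-31")))
```

The validator rejects anything outside the allow-list, so an unexpected field or a `custRef` that is not purely numeric produces an error instead of reaching the back end; the response builder makes option C's weakness impossible to reintroduce by accident, because there is no code path that places the CVV or the unmasked card number in the body.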