CAS-003 Question #407: Real Exam Question with Answer & Explanation
The correct answer is B: Intercepting proxy.
Question
Options
- A. Static code analyzer
- B. Intercepting proxy
- C. Port scanner
- D. Reverse engineering
- E. Reconnaissance gathering
- F. User acceptance testing
Explanation
For API-focused penetration testing: Reconnaissance gathering (E) is the foundational first step of any engagement; the tester maps the API surface, identifies endpoints, discovers authentication mechanisms, and understands the target before attacking. An intercepting proxy (B) such as Burp Suite is the primary tool for API testing: it captures and replays HTTP and HTTPS requests, allows manipulation of parameters, headers, and authentication tokens, and is essential for testing both authenticated and unauthenticated endpoints. Option A (static code analyzer) requires source code access, which is typically not granted in black-box penetration tests. Option C (port scanner) is useful for network-level reconnaissance but is less targeted for API-specific testing on known hosts. Option D (reverse engineering) applies to binary or compiled software. Option F (user acceptance testing) is a QA activity, not penetration testing.