CAP by The SecOps Group Valid Free Exam Practice Test

Question 1

Which of the following is NOT a Server-Side attack?

A. Cross-Site Request Forgery B. OS Code Injection C. Directory Traversal Attack D. SQL Injection

Correct Answer: A

Explanation: Only visible for ExamsLabs members. You can sign-up / login (it's free).

Question 2

Which HTTP header is used by the CORS (Cross-origin resource sharing) standard to control access to resources on a server?

A. Access-Control-Allow-Headers B. None of the above C. Access-Control-Request-Method D. Access-Control-Request-Headers

Correct Answer: A

Explanation: Only visible for ExamsLabs members. You can sign-up / login (it's free).

Question 3

In the screenshot below, which of the following is incorrect?
Target: https://example.com
HTTP/1.1 404 Not Found
Date: Fri, 09 Dec 2022 18:03:49 GMT
Server: Apache
Vary: Cookie
X-Powered-By: PHP/5.4.5-5
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Cookie: JSESSIONID=1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789; secure; HttpOnly; SameSite=None

A. A cookie is set with HttpOnly and a Secure flag B. The application reveals user-agent details C. The application discloses the framework name and version D. The application accepts insecure protocol

Correct Answer: C

Explanation: Only visible for ExamsLabs members. You can sign-up / login (it's free).

Question 4

Based on the screenshot below, which of the following statements is true?
Request
GET /userProfile.php?sessionId=7576572ce164646de967c759643d53031 HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/107.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: none Sec-Fetch-User: ?1 Cookie: JSESSIONID=7576572ce164646de967c759643d53031 Te: trailers Connection: keep-alive PrettyRaw | Hex | php | curl | ln | Pretty HTTP/1.1 200 OK Date: Fri, 09 Dec 2022 11:42:27 GMT Server: Apache/2.4.54 (Unix) OpenSSL/1.0.2k-fips PHP/8.0.25 X-Powered-By: PHP/8.0.25 Content-Length: 12746 Content-Type: text/html; charset=UTF-8 Connection: keep-alive Set-Cookie: JSESSIONID=7576572ce164646de967c759643d53031; Path=/; HttpOnly
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Example Domain</title>
</head>
<body style="background-color:#f0f0f2; margin:0; padding:0; font-family: -apple-system, system-ui, BlinkMacSystemFont, 'Segoe UI', 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif;">
<p style="...">...</p>
</body>
</html>

A. All of the above B. The application is vulnerable to Cross-Site Scripting attacks C. The application uses an insecure channel (non-TLS) D. The application uses an insecure HTTP method (GET) to send sensitive information

Correct Answer: D

Explanation: Only visible for ExamsLabs members. You can sign-up / login (it's free).

Question 5

Which is the most effective way of input validation to prevent Cross-Site Scripting attacks?

A. Whitelisting and allowing only trusted input B. Blacklisting HTML and other harmful characters C. Marking Cookie as HttpOnly D. Using a Web Application Firewall (WAF)

Correct Answer: A

Explanation: Only visible for ExamsLabs members. You can sign-up / login (it's free).

Question 6

Which of the following security attributes ensures that the browser only sends the cookie over a TLS (encrypted) channel?

A. Secure B. None of the above C. HttpOnly D. No_XSS

Correct Answer: A

Explanation: Only visible for ExamsLabs members. You can sign-up / login (it's free).

The SecOps Group Certified AppSec Practitioner - CAP Exam Practice Test