Which of the following are security weaknesses in this example?

A penetration tester is inspecting traffic on a new mobile banking application and sends the following web request:

POST http://www.example.com/resources/NewBankAccount HTTP/1.1
Content-type: application/json

{
  account: [
    { "creditAccount": "Credit Card Rewards account" },
    { "salesLeadRef": "www.example.com/badcontent/exploitme.exe" }
  ],
  customer: [
    { "name": "Joe Citizen" },
    { "custRef": "3153151" }
  ]
}

The banking website responds with:

HTTP/1.1 200 OK

{
  newAccountDetails: [
    { "cardNumber": "1234123412341234" },
    { "cardExpiry": "2020-12-31" },
    { "cardCVV": "909" }
  ],
  marketingCookieTracker: "JSESSIONID=000000001",
  returnCode: "Account added successfully"
}
Which of the following are security weaknesses in this example? (Select TWO).
A. Missing input validation on some fields
B. Vulnerable to SQL injection
C. Sensitive details communicated in clear-text
D. Vulnerable to XSS
E. Vulnerable to malware file uploads
F. JSON/REST is not as secure as XML
