A penetration test is being scoped for a set of web services with API endpoints. The APIs will be hosted on existing web application servers. Some of the new APIs will be available to unauthenticated users, but some will only be available to authenticated users. Which of the following tools or activities would the penetration tester MOST likely use or do during the engagement? (Select TWO.)
A. Static code analyzer
B. Intercepting proxy
C. Port scanner
D. Reverse engineering
E. Reconnaissance gathering
F. User acceptance testing
How to PASS CAS-004 in First Attempt?FULL Printable PDF and Software. VALID exam to help you PASS. |
Maybe: C. Port scanner and B. Intercepting Proxy?
Reconnaissance gathering is not very specific.
The tester will need to make sure that the APIs that are supposed to available only to authenticated users are not available to anybody else.
Hes not doing a security assessment… hes doing a pentest. Not his job to make sure APIs are available only to the authenticated users lol
I’m a Pentest+ certified and I have never hear of “Reconnaissance gathering”. I know “reconnaissance” or “information gathering”. Weird.
*heard
Yeah I like B and E here. An API is going to be accessed so utilizing some type of interceptor proxy for different test will come in handy. Also since the API is available to unauthenticated users, then having some form of recon in the background to see what endpoints can be enumerated will be handy.
B. Intercepting proxy and C. Port scanner
any feedback?
tools or activities, recon is the first thing, then intercept….again another could be comptia q
I swear i keep convincing myself its not Reconnaissance. HAHA Thanks Anon I needed that.
Any thoughts?