AppSec Practitioner CAP Exam Questions and Answers PDF

The Same-Origin Policy (SOP) is a fundamental security mechanism in web browsers that restricts how a document or script loaded from one origin can interact with resources from another origin. An origin is defined by the combination ofprotocol,host, andport. Two pages have the same origin if their protocol (e.g., host (e.g., ), and port (default is 80 for HTTP) match exactly. The given URL is which uses HTTP, host and the default port 80.

Option 1 ("http://www.example.com/dir/other.html"): Matches the protocol (http), host ( ), and port (default 80), so it is in the same origin.

Option 2 ("http://www.example.com:81/dir/other.html"): Differs in port (81 vs. default 80), so it is a different origin.

Option 3 ("http://www.example.com/dir/other.html"): Identical to Option 1, matching protocol, host, and port, so it is in the same origin. However, since it’s a duplicate of Option 1 in the list, it doesn’t add a new page.

Option 4 ("http://en.example.com/dir/other.html"): Differs in host (en.example.com vs. ), so it is a different origin.

Since the question asks which pages are in the same origin, and only Option 1 (and its duplicate Option 3) matches, the correct answer is A ("1 Only"), considering unique pages. The CAP syllabus covers SOP under "Client-Side Security" and "Cross-Origin Resource Sharing (CORS)."References: SecOps Group CAP Documents - "Same-Origin Policy," "Browser Security Models," and "OWASP Client-Side Security" sections.

A Race Condition vulnerability occurs in multi-threaded or multi-process applications when two or more threads access a shared resource concurrently, and the outcome depends on the non-deterministic order of their execution. This can lead to inconsistent states or security issues, such as privilege escalation or data corruption, if the access is not properly synchronized (e.g., using locks or semaphores). The classic definition focuses on concurrent access to the same resource.

Option A ("A situation that occurs when two threads access the same resource at the same time"): Correct, as this accurately describes a race condition where the lack of synchronization on a shared resource (e.g., a file, variable, or database entry) can lead to unpredictable behavior.

Option B ("A situation that occurs when two threads access different resources at the same time"): Incorrect, as race conditions specifically involve contention over the same resource, not different ones.

Option C ("A situation that occurs when a single thread unpredictably accesses two resources"): Incorrect, as race conditions require multiple threads or processes; a single thread’s behavior is not a race condition.

Option D ("A situation that occurs when a single thread predictably accesses two resources"): Incorrect, as predictability negates the race condition concept, and it still involves only one thread.

The correct answer is A, aligning with the CAP syllabus under "Race Condition Vulnerabilities" and "Multi-Threaded Security."References: SecOps Group CAP Documents - "Concurrency Issues," "Race Conditions," and "OWASP Secure Coding Practices" sections.

Cross-Origin Resource Sharing (CORS) is a security mechanism that allows servers to specify which origins can access their resources, relaxing the Same-Origin Policy (SOP) for legitimate cross-origin requests. CORS uses specific HTTP headers to control this access. The key header for controlling access to resources isAccess-Control-Allow-Origin, which specifies which origins are permitted to access the resource. However, among the provided options, the closest related header isAccess-Control-Allow-Headers, which is part of the CORS standard and controls which request headers can be used in the actual request (e.g., during a preflight OPTIONS request).

Option A ("Access-Control-Request-Method"): This header is sent by the client in a preflight request to indicate the HTTP method (e.g., GET, POST) that will be used in the actual request. It is not used by the server to control access.

Option B ("Access-Control-Request-Headers"): This header is sent by the client in apreflight request to list the headers it plans to use in the actual request. It is not used by the server to control access.

Option C ("Access-Control-Allow-Headers"): This header is sent by the server in response to a preflight request, specifying which headers are allowed in the actual request. While Access-Control-Allow-Origin is the primary header for controlling access, Access-Control-Allow-Headers is part of the CORS standard to manage header-based access control, making this the best match among the options.

Option D ("None of the above"): Incorrect, as Access-Control-Allow-Headers is a CORS header.

The correct answer is C, aligning with the CAP syllabus under "CORS Security" and "HTTP Headers."References: SecOps Group CAP Documents - "CORS Configuration," "Security Headers," and "OWASP Secure Headers Guide" sections.

The password reset mechanism now includes a one-time random token alongside the userId in the reset link: &token=70e7803e-bf53-45e1-8a3f-fb15da7de3a0. Let’s evaluate the effectiveness of this mechanism:

Analysis: The inclusion of a one-time random token (e.g., 70e7803e-bf53-45e1-8a3f-fb15da7de3a0) is a best practice for secure password reset mechanisms. This token should be unique, unpredictable, and tied to the specific user’s reset request (e.g., stored in the database with an expiration time). When the user clicks the link, the application should verify that the token matches the one associated with the userId and that it hasn’t been used or expired.

Preventing Arbitrary Resets: Without the token, an attacker could manipulate the userId (e.g., to 5299) to reset another user’s password (as seen in Question 45). However, with the token, the attacker would need to guess the correct token for the targeted userId, which is computationally infeasible if the token is sufficiently random (e.g., a UUID or cryptographically secure random string) and properly validated. This prevents unauthorized password resets.

Additional Considerations: The link uses ensuring a secure channel (unlike Question 45). The message "If the email exists..." prevents username enumeration, as discussed previously.

Option A ("True"): Correct, as the one-time random token, if implemented correctly (e.g., validated server-side, single-use, time-limited), prevents an attacker from resetting arbitrary users’ passwords.

Option B ("False"): Incorrect, as the mechanism is secure with the token.

The correct answer is A, aligning with the CAP syllabus under "Secure Password Reset" and "Token-Based Authentication."References: SecOps Group CAP Documents - "Password Reset Security," "Token Generation Best Practices," and "OWASP Forgot Password Cheat Sheet" sections.