A penetration tester is inspecting traffic on a new mobile banking application and sends the following web request:
POSThttp://www.example.com/resources/NewBankAccount
HTTP/1.1
Content-type: application/json
{
"account":
[
{ "creditAccount":"Credit Card Rewards account"}
{ "salesLeadRef":"www.example.com/badcontent/exploitme.exe"}
],
"customer":
[
{ "name":"Joe Citizen"}
{ "custRef":"3153151"}
]
}
The banking website responds with:
HTTP/1.1 200 OK
{
"newAccountDetails":
[
{ "cardNumber":"1234123412341234"}
{ "cardExpiry":"2020-12-31"}
{ "cardCVV":"909"}
],
"marketingCookieTracker":"JSESSIONID=000000001"
"returnCode":"Account added successfully"
}
Which of the following are security weaknesses in this example? (Select TWO).

• A.Missing input validation on some fields
• B.Vulnerable to SQL injection
• C.Sensitive details communicated in clear-text
• D.Vulnerable to XSS
• E.Vulnerable to malware file uploads
• F.JSON/REST is not as secure as XML

Comment: *

Name: *

Email: *

Verification: *

A security engineer is attempting to increase the randomness of numbers used in key generation in a
system. The goal of the effort is to strengthen the keys against predictive analysis attacks.
Which of the following is the BEST solution?

• A.Loop multiple pseudo-random number generators in a series to produce larger numbers.
• B.Increase key length by two orders of magnitude to detect brute forcing.
• C.Use an entropy-as-a-service vendor to leverage larger entropy pools.
• D.Shift key generation algorithms to ECC algorithms.

Comment: *

Name: *

Email: *

Verification: *

Ann, a terminated employee, left personal photos on a company-issued laptop and no longer has access
to them. Ann emails her previous manager and asks to get her personal photos back.
Which of the following BEST describes how the manager should respond?

• A.Determine if the data still exists by inspecting to ascertain if the laptop has already been wiped and if
  the storage team has recent backups.
• B.Report the email because it may have been a spoofed request coming from an attacker who is trying to
  exfiltrate data from the company laptop.
• C.Inform Ann that the laptop was for company data only and she should not have stored personal photos
  on a company asset.
• D.Consult with the legal and/or human resources department and check company policies around
  employment and termination procedures.

Comment: *

Name: *

Email: *

Verification: *

Company policy mandates the secure disposal of sensitive data at the end of the useful lifespan of IT equipment. The IT department donates old devices to charity and recycles truly obsolete equipment In addition to deleting workstations from the systems responsible for monitoring network connections which of the following actions should the company implement? (Select TWO)

• A.Removing and storing hard drives for archival purposes
• B.Staggering device disposal dates to coordinate with acceptance testing
• C.Ensuring change notices for each asset are recorded
• D.Deleting and overwriting the boot sectors of each workstation
• E.Removing the devices from the asset management system
• F.Secure shredding of SSOs separate from laptop chassis

Comment: *

Name: *

Email: *

Verification: *

A security administrator was doing a packet capture and noticed a system communicating with an unauthorized address within the 2001::/32 prefix. The network administrator confirms there is no IPv6 routing into or out of the network.
Which of the following is the BEST course of action?

• A.Investigate the network traffic and block UDP port 3544 at the firewall
• B.Remove the system from the network and disable IPv6 at the router
• C.Locate and remove the unauthorized 6to4 relay from the network
• D.Disable the switch port and block the 2001::/32 traffic at the firewall

Comment: *

Name: *

Email: *

Verification: *