Valid CAP dumps shared by EduDump.com to help you pass the CAP exam! EduDump.com now offers the newest CAP exam dumps; the CAP exam questions have been updated and the answers corrected. Get the newest EduDump.com CAP dumps with Test Engine here:
Based on the HTTP request below, which of the following statements is correct?

POST /changepassword HTTP/2
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Cookie: JSESSIONID=38RB5ECV10785B53AF29816E92E2E50
Content-Length: 95

new_password=usher!@22&confirm_password=usher!@22

A. The change password feature does not validate the user
B. The change password feature uses basic authorization
C. The change password feature is vulnerable to Cross-Site Request Forgery attack
D. All of the above
Correct Answer: C
The request is a POST to /changepassword carrying a session cookie (JSESSIONID) and two body parameters, new_password and confirm_password. (The stated Content-Length of 95 does not match the much shorter body shown; that is an artifact of the question and does not affect the analysis.) Evaluating each option:

* Option A ("The change password feature does not validate the user"): the request carries a JSESSIONID cookie, the usual sign of a server-side session for an authenticated user. Nothing in the request shows that user validation is absent, so A is incorrect.
* Option B ("The change password feature uses basic authorization"): HTTP Basic authentication would appear as an Authorization: Basic header carrying a Base64-encoded username:password pair. No such header is present; authentication is session-based via the cookie, so B is incorrect.
* Option C ("The change password feature is vulnerable to Cross-Site Request Forgery attack"): CSRF occurs when a malicious site makes the victim's browser submit a request to a site where the victim is already authenticated, and the browser attaches the session cookie automatically. The body contains no anti-CSRF token (a unique, unpredictable per-session value sent in the body or in a custom header), and no Origin or Referer header is visible that the server could validate. Sec-Fetch-Site: same-origin only reports that this particular request was initiated from example.com itself. It is a Fetch Metadata header set by the browser, which an attacker cannot forge, so a server could reject requests whose value is cross-site; but nothing in the request shows the server enforces that, and older clients omit the header entirely, which is why it is a defence-in-depth layer rather than a substitute for a token. Whether the cookie carries a SameSite attribute cannot be determined from the request either, since that is set in the Set-Cookie response header. With no token and no evident server-side check, an attacker can host an auto-submitting form on another origin that replays this exact body and sets the victim's password to one the attacker chose. The impact is aggravated by the form not requiring the current password, so a forged request needs nothing the attacker does not already control. C is correct.
* Option D ("All of the above"): A and B are incorrect, so D is incorrect.

The correct answer is C. This aligns with the CAP syllabus item "Cross-Site Request Forgery (CSRF)"; in the OWASP Top 10 (2021), CSRF is categorised under A01:2021 - Broken Access Control.

References: SecOps Group CAP Documents - "CSRF Prevention," "Session Management," and "OWASP Secure Coding Practices" sections.