In the screenshot below, an attacker is attempting to exploit which vulnerability?

POST /upload.php HTTP/1.1
Host: example.com
Cookie: session=xyz123;JSESSIONID=abc123
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) rv:107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Length: 12345
Connection: keep-alive

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="avatar"; filename="malicious.php"
Content-Type: image/jpeg

<?php phpinfo(); ?>
------WebKitFormBoundary7MA4YWxkTrZu0gW--

A. HTTP Desync Attack
B. File Path Traversal Attack
C. File Upload Vulnerability
D. Server-Side Request Forgery
Correct Answer: C
The screenshot shows an HTTP POST request to /upload.php with a multipart/form-data payload, where the attacker uploads a file named malicious.php that is declared as image/jpeg but contains PHP code (<?php phpinfo(); ?>). This indicates an attempt to exploit a File Upload Vulnerability. Such vulnerabilities occur when an application allows users to upload files without proper validation or sanitization, enabling attackers to upload malicious scripts (e.g., PHP) that can be executed on the server. In this case, if the server executes the uploaded malicious.php, it could expose server information via phpinfo() or perform other malicious actions. Note that the client-supplied filename and Content-Type header are both attacker-controlled, so neither can be trusted on its own; the server must verify the actual file content and decide the stored name itself.

Option A ("HTTP Desync Attack") involves manipulating HTTP request pipelines, which is not relevant here because the request is well formed and standard. Option B ("File Path Traversal Attack") involves accessing unauthorized files using ../ sequences, which do not appear in this request. Option D ("Server-Side Request Forgery") involves tricking the server into making unintended requests, which does not apply to a file upload. Thus, C is the correct answer, aligning with the CAP syllabus under "File Handling Security" and "OWASP Top 10 (A05:2021 - Security Misconfiguration)."

References: SecOps Group CAP Documents - "File Upload Vulnerabilities," "Input Validation," and "OWASP Top 10" sections.
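The server-side validation the explanation calls for, shown as an added example that is not part of the exam material or of any SecOps Group code. It is written in Python rather than PHP because the checks are language-independent; the 2 MiB limit, the extension allowlist and the random stored-name scheme are assumptions, and the sample uploads at the bottom are constructed from the request above.

```python
import os
import secrets
from dataclasses import dataclass

# Allowed extensions mapped to the magic bytes a genuine file of that type starts with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed cap for an avatar upload


@dataclass
class UploadVerdict:
    accepted: bool
    reason: str
    stored_name: str = ""


def validate_avatar(filename: str, declared_type: str, data: bytes) -> UploadVerdict:
    """Check an uploaded avatar part: trust neither the client's filename nor its
    Content-Type, verify the bytes, and pick the stored name on the server."""
    if len(data) > MAX_BYTES:
        return UploadVerdict(False, "file too large")
    # Strip any path component, then compare the lower-cased extension to the allowlist.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return UploadVerdict(False, f"extension {ext or '(none)'} not allowed")
    if not declared_type.lower().startswith("image/"):
        return UploadVerdict(False, "declared Content-Type is not an image")
    # The declared type must be backed by real image magic bytes.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return UploadVerdict(False, "content does not match the claimed image type")
    # A valid image header with an embedded PHP tag is still rejected (polyglot file).
    if b"<?php" in data.lower() or b"<?=" in data:
        return UploadVerdict(False, "embedded PHP tag found")
    # Random server-chosen name: the client can never make the stored file end in .php.
    return UploadVerdict(True, "ok", secrets.token_hex(16) + ext)


if __name__ == "__main__":
    # Constructed samples: the part from the request above, then a genuine JPEG header.
    print(validate_avatar("malicious.php", "image/jpeg", b"<?php phpinfo(); ?>"))
    print(validate_avatar("avatar.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
```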