CAP-JPN Exam Question 21
After purchasing a product on an e-commerce website, the user can view the order details by visiting the following URL:
https://example.com/?order_id=53870
A security researcher pointed out that by manipulating the order_id value in the URL, a user could potentially view any order and the sensitive information associated with that order_id. This attack is known as:
Correct answer: A
The scenario describes a vulnerability where a user can manipulate the order_id parameter in the URL (e.g., https://example.com/?order_id=53870) to access other users' order details, indicating a lack of proper access control. This is a classic case of an Insecure Direct Object Reference (IDOR) attack. IDOR occurs when an application exposes a reference to an internal object (e.g., an order ID) that can be manipulated by an unauthorized user to access resources they should not have access to, without validating the user's permissions.
* Option A ("Insecure Direct Object Reference"): Correct, as the ability to change order_id to view arbitrary orders fits the definition of IDOR.
* Option B ("Session Poisoning"): Incorrect, as session poisoning involves corrupting or altering a user's session data, which is not indicated here.
* Option C ("Session Riding OR Cross-Site Request Forgery"): Incorrect, as CSRF involves tricking a user into submitting a request (e.g., via a malicious form), not manipulating a URL parameter directly.
* Option D ("Server-Side Request Forgery"): Incorrect, as SSRF involves tricking the server into making unauthorized requests to internal or external resources, which is not the case here.
The correct answer is A, aligning with the CAP syllabus under "Insecure Direct Object References (IDOR)" and "OWASP Top 10 (A04:2021 - Insecure Design)." References: SecOps Group CAP Documents - "IDOR Vulnerabilities," "Access Control," and "OWASP Testing Guide" sections.
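The order lookup from the question, written first with the IDOR and then with the ownership check that fixes it. This is an added example, not code from the exam material; the ORDERS store, the user names and the order numbers are constructed sample data.

```python
# Added example, not from the exam material: the order lookup from the question,
# first with the IDOR, then with the ownership check. ORDERS, the user names and
# the order numbers are constructed sample data.

ORDERS = {
    53870: {"owner": "alice", "items": ["keyboard"], "card_last4": "4242"},
    53871: {"owner": "bob", "items": ["monitor"], "card_last4": "1881"},
}


class NotFound(Exception):
    """Raised for a missing order and, in the hardened version, also for an order
    the caller does not own, so the response does not reveal which case applied."""


def parse_order_id(raw: str) -> int:
    """Parse the raw ?order_id= query value; only a plain decimal integer is accepted."""
    if not raw.isdigit():
        raise ValueError("order_id must be a positive integer")
    return int(raw)


def get_order_vulnerable(session_user: str, order_id: int) -> dict:
    """IDOR: the client-supplied reference is used directly and session_user is
    ignored, so any authenticated user can read any order."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id) from None


def get_order_hardened(session_user: str, order_id: int) -> dict:
    """Resolve the reference, then authorise it against the authenticated user.
    'Missing' and 'not yours' are deliberately indistinguishable to the caller."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        raise NotFound(order_id)
    return order


def can_view(session_user: str, order_id: int) -> bool:
    """Convenience wrapper: does the hardened lookup succeed for this caller?"""
    try:
        get_order_hardened(session_user, order_id)
        return True
    except NotFound:
        return False
```

The authorisation check belongs in the data-access layer, not in a single route handler, so that every path that resolves an order number enforces it.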
CAP-JPN Exam Question 22
Determine the primary defense against SQL injection vulnerabilities.
Correct answer: B
SQL Injection (SQLi) occurs when an attacker injects malicious SQL code into a query by manipulating user input (e.g., ' OR '1'='1'), allowing unauthorized data access or manipulation. Let's evaluate the defenses:
* Option A ("Using a Web Application Firewall (WAF)"): A WAF can detect and block SQL injection attempts by filtering malicious patterns (e.g., ' OR '1'='1'), but it is not the primary defense. WAFs can be bypassed with sophisticated attacks (e.g., encoded payloads), and they are a secondary layer, not a fix for the root cause in the application code.
* Option B ("Prepared Statements with Parameterized Queries"): Correct. Prepared statements with parameterized queries separate SQL code from user input by using placeholders (e.g., ? in SELECT * FROM users WHERE username = ?). The database engine handles the input as data, not executable code, preventing SQL injection. This is the industry-standard primary defense (recommended by OWASP and NIST) because it addresses the root cause by ensuring user input cannot alter the query structure.
* Option C ("Use of NoSQL Database"): Switching to a NoSQL database (e.g., MongoDB) does not inherently prevent injection vulnerabilities. NoSQL databases can still be vulnerable to injection (e.g., MongoDB's $where operator), and SQL injection applies to relational databases. This is not a defense against SQLi.
* Option D ("Blacklisting Single Quote Character (')"): Blacklisting specific characters (e.g., ') attempts to block known malicious input, but it is ineffective as a primary defense. Attackers can bypass blacklists using alternate encodings (e.g., %27 for '), comments (e.g., --), or other techniques. Blacklisting is reactive and prone to evasion, unlike prepared statements.
The correct answer is B, aligning with the CAP syllabus under "SQL Injection Prevention" and "OWASP Top 10 (A03:2021 - Injection)." References: SecOps Group CAP Documents - "SQL Injection Defense," "Secure Coding Practices," and "OWASP SQL Injection Prevention Cheat Sheet" sections.
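The lookup from the explanation above, written with string concatenation and with a parameterized query, run against an in-memory SQLite database so the difference in behaviour for the ' OR '1'='1 input can be observed. This is an added example, not code from the exam material; the users table and its rows are constructed sample data, and the last function shows the caveat that placeholders bind values only, not identifiers.

```python
import sqlite3

# Added example, not from the exam material: the same lookup written with string
# concatenation and with a parameterized query, run against an in-memory SQLite
# database. The users table and its rows are constructed sample data.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The input is spliced into the SQL text, so quotes in it change the query
    structure: an input of  ' OR '1'='1  makes the WHERE clause always true."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The statement is compiled with a ? placeholder and the input is bound as a
    value, so the same payload is compared literally against the column."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


ALLOWED_SORT_COLUMNS = {"username", "email"}


def list_users_sorted(conn: sqlite3.Connection, sort_column: str) -> list:
    """Placeholders bind values only, never identifiers: a caller-chosen column
    name must be checked against an allowlist before it goes into the statement."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute(
        f"SELECT username, email FROM users ORDER BY {sort_column}"
    ).fetchall()
```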
CAP-JPN Exam Question 23
GraphQL is an open-source data query and manipulation language for APIs, and a query runtime engine. In this context, what is GraphQL introspection?
Correct answer: C
GraphQL Introspection is a built-in feature of GraphQL that allows clients to query the schema of a GraphQL API at runtime. This process involves sending introspection queries (e.g., __schema or __type) to retrieve information about the API's structure, including available types, fields, queries, mutations, and their relationships. This capability is powerful for developers to explore and document APIs but poses a security risk if left enabled in production, as attackers can use it to map out the entire API structure and identify potential attack vectors.
* Option A ("A technique for testing the compatibility of the GraphQL API with other systems"): Incorrect, as introspection is about schema discovery, not compatibility testing.
* Option B ("A technique for testing the performance of the GraphQL API"): Incorrect, as performance testing involves load or stress testing, not schema exploration.
* Option C ("A technique for discovering the structure of the GraphQL API"): Correct, as introspection is specifically designed to expose the API's schema and structure.
* Option D ("A technique for testing the security of the GraphQL API"): Incorrect, as security testing is a separate process; introspection itself is a feature, not a security test.
The correct answer is C, aligning with the CAP syllabus under "GraphQL Security" and "API Introspection." References: SecOps Group CAP Documents - "GraphQL Fundamentals," "Introspection Risks," and "OWASP API Security Top 10" sections.
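The production risk described above is usually mitigated by switching introspection off outside development. As an added example, not code from the exam material or any GraphQL server, this is a hypothetical pre-validation hook that refuses queries selecting the __schema or __type root fields when the API runs in production; the sample queries are constructed.

```python
import re

# Added example, not from the exam material: a hypothetical pre-validation hook
# that refuses introspection queries when the API runs in production. The sample
# queries are constructed. String literals and comments are blanked first so a
# field name that merely appears inside an argument string is not a false positive.

# Block strings ("""...""") are tried before ordinary strings so that """ is not
# read as an empty string followed by a stray quote.
_BLOCK_OR_STRING = re.compile(r'"""(?:\\.|"(?!"")|[^"\\])*"""|"(?:\\.|[^"\\\n])*"')
_COMMENT = re.compile(r"#[^\n]*")
# The two introspection root fields; __typename is a per-object field and is allowed.
_INTROSPECTION_FIELD = re.compile(r"(?<![_0-9A-Za-z])__(?:schema|type)(?![_0-9A-Za-z])")


def uses_introspection(query: str) -> bool:
    """True if the query selects __schema or __type outside strings and comments."""
    stripped = _BLOCK_OR_STRING.sub('""', query)
    stripped = _COMMENT.sub("", stripped)
    return _INTROSPECTION_FIELD.search(stripped) is not None


def gate(query: str, production: bool) -> tuple:
    """Return (allowed, reason). Outside production the schema stays explorable."""
    if production and uses_introspection(query):
        return False, "introspection is disabled in production"
    return True, "ok"
```

Most GraphQL server libraries expose a setting or validation rule for exactly this; the hook shows what such a rule has to check, including the string-literal false positive.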
CAP-JPN Exam Question 24
The DNS entries for www.ironman.com and www.hulk.com both point to the same IP address (1.3.3.7). How does the web server know which web application is being requested by the end user's browser?
Correct answer: A
When multiple domain names (e.g., www.ironman.com and www.hulk.com) resolve to the same IP address (e.g., 1.3.3.7), a web server hosting multiple applications on that IP must determine which application to serve. This is achieved using the HTTP "Host" header, which is part of the HTTP/1.1 protocol. The client (browser) includes the requested domain (e.g., Host: www.ironman.com) in the request, allowing the server to route the request to the appropriate virtual host or application configured for that domain. This is a standard practice in virtual hosting.
* Option A ("The web server inspects the HTTP 'Host' header sent by the client"): Correct, as the Host header enables the server to distinguish between applications on the same IP.
* Option B ("The web server inspects the cookies sent by the client"): Incorrect, as cookies are used for session management or personalization, not for identifying the requested application.
* Option C ("The web server inspects the client's SSL certificate"): Incorrect, as SSL certificates are used for encryption and authentication, not for application routing (though they may include the domain name for validation).
* Option D ("The web server uses a reverse DNS lookup of the client's IP address"): Incorrect, as reverse DNS lookup resolves an IP to a domain, which is irrelevant for the server determining the requested application.
The correct answer is A, aligning with the CAP syllabus under "Web Server Configuration" and "HTTP Protocol Security." References: SecOps Group CAP Documents - "HTTP Headers," "Virtual Hosting," and "OWASP Web Security Testing Guide" sections.
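Name-based virtual host selection as the answer describes it, done by reading the Host header of a raw HTTP/1.1 request. This is an added example, not code from the exam material or any web server; VHOSTS and the sample requests are constructed, and the handling of a missing, duplicated or unrecognised Host is the part a practitioner should note.

```python
# Added example, not from the exam material: name-based virtual host selection
# done the way the answer describes, by reading the Host header of an HTTP/1.1
# request. VHOSTS and the raw requests are constructed sample data.

VHOSTS = {
    "www.ironman.com": "ironman-app",
    "www.hulk.com": "hulk-app",
}


def parse_headers(raw: bytes) -> dict:
    """Return header name -> list of values from the head of a raw HTTP/1.1 request.
    Names are lower-cased because header names are case-insensitive."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict = {}
    for line in lines[1:]:  # lines[0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def normalize_host(value: str) -> str:
    """Lower-case the host and drop an optional :port (IPv6 literals stay bracketed)."""
    value = value.lower()
    if value.startswith("["):
        return value[: value.index("]") + 1] if "]" in value else value
    return value.split(":", 1)[0]


def select_vhost(raw: bytes) -> tuple:
    """Map a request to the application for its Host header.
    HTTP/1.1 requires exactly one Host header, so none or several is a 400.
    An unrecognised Host gets 421 Misdirected Request rather than falling back to
    a default site, which keeps a spoofed Host value from reaching an application
    that might echo it into links, redirects or password-reset mail."""
    hosts = parse_headers(raw).get("host", [])
    if len(hosts) != 1:
        return 400, "missing or duplicate Host header"
    app = VHOSTS.get(normalize_host(hosts[0]))
    if app is None:
        return 421, "no virtual host for " + hosts[0]
    return 200, app
```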