Download Valid CAPen Exam Dumps for Best Preparation
Exam: CAPen
Title: Certified AppSec Pentester (CAPen)
https://www.passcert.com/CAPen.html

1. Use a Google dork to identify login pages of vulnerable sites running PHP.
A. See the Explanation.
Answer: A
Explanation:
1. Open Google and use the dork: inurl:login.php intitle:"Login"
2. This query returns pages with "login.php" in the URL and "Login" in the title. It finds PHP login pages, not vulnerable ones; whether a page is actually vulnerable still has to be tested.
3. Review the results and test only hosts that are explicitly within your authorized scope.
4. Combine with site: to restrict results to a domain or TLD, e.g. site:.edu or site:target.com.
5. Validate anything you intend to exploit in a test environment first.

2. Find public documents on a government site that may contain sensitive metadata using Google dorks.
A. See the Explanation.
Answer: A
Explanation:
1. Use the dork: site:gov filetype:pdf
2. To find specific content, extend it: site:gov filetype:pdf confidential
3. Download a few sample PDFs (legally and ethically).
4. Use exiftool filename.pdf or pdfinfo filename.pdf to extract the metadata (Author, Creator, Producer, creation and modification dates).
5. Check for usernames, internal file paths, software versions, or timestamps that leak OSINT data.

3. Discover open directories with potentially sensitive files using Google dorks.
A. See the Explanation.
Answer: A
Explanation:
1. Use: intitle:"index of" "parent directory" "passwd"
2. This finds open directory listings whose file list contains "passwd". (Google no longer honours the old + operator; quote the term instead.)
3. Replace passwd with other keywords such as .sql, .bak, .env, or .git.
4. Confirm that any host you go on to inspect is in scope; a demo or lab environment is the place to practise.
5. A listing being open and unauthenticated does not by itself make retrieving its files lawful; download only from hosts you are authorized to test.

4. Identify email addresses belonging to a company using OSINT techniques.
A. See the Explanation.
Answer: A
Explanation:
1. Use Hunter.io or theHarvester: theHarvester -d target.com -b google
2. Search Google with: "@target.com"
3. Use LinkedIn or GitHub advanced search: site:github.com "@target.com"
4. Collect emails for phishing simulation (if permitted).
5.
Verify email validity using tools like EmailHippo or Debounce.io, which check deliverability without sending mail to the target.

5. Find GitHub repositories accidentally exposing sensitive credentials.
A. See the Explanation.
Answer: A
Explanation:
1. Use GitHub code search with: filename:.env SMTP_PASSWORD (the current code search uses the path: qualifier, e.g. path:.env SMTP_PASSWORD)
2. Try: filename:.git-credentials or AWS_SECRET_ACCESS_KEY
3. Use the Google dork: site:github.com "AWS_SECRET_ACCESS_KEY"
4. Examine the commit history to verify it is not a dummy key; documentation samples such as AKIAIOSFODNN7EXAMPLE turn up constantly, and a key deleted in a later commit is still exposed in the history.
5. Report a real credential to the repository owner and to the provider that issued it (which can revoke it); do not test whether the key works.

6. Detect sensitive API keys or tokens leaked via Google.
A. See the Explanation.
Answer: A
Explanation:
1. Use: intext:"apikey=" site:pastebin.com
2. Explore other platforms: site:jsfiddle.net intext:"api_key="
3. Pastebin and similar sites often expose dumped credentials.
4. Use grep or custom scripts to extract key patterns after downloading.
5. Never use or abuse these keys; only report them or use them for awareness.

7. Identify subdomains of a target using OSINT tools.
A. See the Explanation.
Answer: A
Explanation:
1. Use sublist3r: sublist3r -d target.com
2. Query the certificate transparency logs at crt.sh: https://crt.sh/?q=%25.target.com (append &output=json for machine-readable results).
3. Check with assetfinder: assetfinder --subs-only target.com
4. Merge and de-duplicate the discovered subdomains for further enumeration.
5. Cross-reference with DNS using dig or nslookup; a name seen in a certificate or an old dataset may no longer resolve.

8. Perform WHOIS lookup and analyze domain ownership.
A. See the Explanation.
Answer: A
Explanation:
1. Use whois target.com or websites like whois.domaintools.com
2. Identify the registrant email, organization, and address. Most registrars now redact these, so also check the RDAP record and historical WHOIS data.
3. Note the creation and expiry dates; renewal periods are a common lure for phishing simulations.
4. Look for reused contact emails and name servers across other domains.
5. Use the OSINT data to map the company's digital footprint.

9. Discover whitelisted IPs on a web application firewall (WAF).
A. See the Explanation.
Answer: A
Explanation:
1. Perform fuzzing with Burp Suite or ffuf from multiple source IPs.
2. Compare the response status codes (e.g., 403 vs 200) per source IP.
3.
Use X-Forwarded-For header injection: X-Forwarded-For: 127.0.0.1
4. If the WAF or the application trusts the header, you may bypass the IP restriction and reach the protected areas.
5. Log findings and repeat with the other client-IP headers, such as X-Client-IP, X-Real-IP, and True-Client-IP.

10. Bypass IP-based blacklisting using proxy chaining.
A. See the Explanation.
Answer: A
Explanation:
1. Set up proxychains on Kali or Parrot OS.
2. Edit /etc/proxychains.conf (/etc/proxychains4.conf for proxychains-ng) to include public proxies or Tor; choose random_chain or dynamic_chain if you want the exit IP to vary between requests.
3. Run: proxychains curl http://target.com
4. Requests now leave from the proxy's address (a changing one with random_chain), which defeats a static IP ban.
5. Confirm with tcpdump that the traffic goes to the proxy and not directly to the target; proxychains only hooks libc sockets, so DNS lookups and raw-socket tools can still leak your real IP.

11. Bypass User-Agent based blacklisting.
A. See the Explanation.
Answer: A
Explanation:
1. Blacklists often block the default User-Agent strings of tools such as curl and wget.
2. Use: curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" http://target.com
3. Try the user-agents of popular browsers to mimic normal traffic.
4. If you are still blocked, the check may depend on JavaScript execution; test with a headless browser.
5. Burp Suite's Match and Replace rules rewrite headers globally for automated testing.

12. Identify IPs or domains blacklisted by spam/blocking services.
A. See the Explanation.
Answer: A
Explanation:
1. Use tools like MXToolbox or DNSBL checkers.
2. Enter the IP or domain and check it against the spam RBLs (e.g., SORBS, Spamhaus).
3. If it is blacklisted, gather the reason and timestamp.
4. Validate whether it is due to previous abuse or to misconfiguration.
5. Report or analyze why the IP got blacklisted for awareness.

13. Extract internal path disclosure using Google cache.
A. See the Explanation.
Answer: A
Explanation:
1. Use: cache:target.com/page (Google retired the cache: operator in 2024; the Wayback Machine at web.archive.org is the practical substitute.)
2. Review the cached copy for debug output, internal file paths, or server errors.
3. Cached versions sometimes preserve errors that have since been removed from the live page.
4. Look for PHP include paths or other file-system structure.
5. Archive and sanitize findings for reporting.

14. Use Wayback Machine to identify unprotected admin panels.
A. See the Explanation.
Answer: A
Explanation:
1. Go to archive.org/web and enter the target domain.
2. Navigate older snapshots of /admin/ or /panel/ URLs.
3. These may expose endpoints that are now hidden or secured.
4. Use waybackurls target.com to pull the historical URLs automatically.
5. Test endpoints with caution and proper scope approval.

15. Check for directory listing whitelisting bypasses.
A. See the Explanation.
Answer: A
Explanation:
1. Try accessing target.com/uploads/, target.com/files/, etc.
2. If access is gated on the Referer, spoof it: Referer: https://target.com/allowed-page
3. Use Burp or curl with the -e flag to set the Referer header.
4. If the directory loads, the whitelisting is broken: the Referer is client-controlled and cannot serve as an access control.
5. Review the exposed file names and extensions.

16. Bypass HTTP Host header whitelisting for SSRF or cache poisoning.
A. See the Explanation.
Answer: A
Explanation:
1. Send a request with a modified Host header: Host: attacker.com
2. Observe the application behavior, the generated links, or any redirection.
3. If SSRF or an open redirect is present, the app may process the untrusted host.
4. Try duplicate or override headers: Host: attacker.com with X-Host: original.com, or the legitimate Host with X-Forwarded-Host: attacker.com.
5. Confirm whether application logic (password-reset links, absolute URLs, cache keys) depends on the Host header.

17. Perform username enumeration using OSINT + blacklisting bypass.
A. See the Explanation.
Answer: A
Explanation:
1. Collect usernames via OSINT (GitHub, LinkedIn, etc.).
2. Attempt to log in and observe the app's response for valid vs invalid users.
3. Some apps return different messages, status codes, or response times.
4. If blacklisted after several attempts, rotate IPs using proxychains or a VPN.
5. Validate only in scope-approved testing environments.

18. Detect firewall-based whitelisting of internal-only services.
A. See the Explanation.
Answer: A
Explanation:
1. Use SSRF or an open redirect to reach http://127.0.0.1:8000 through the app.
2. A service whitelisted for internal source IPs only is still reachable via SSRF, because the request originates from the server itself.
3. Try cloud metadata services such as http://169.254.169.254 (on AWS, IMDSv2 requires a token obtained with a PUT request first, so a GET-only SSRF may fail there).
4. Use Burp Collaborator to detect callbacks.
5.
Log findings and test multiple internal IPs and ports.

19. Leverage DNS records for passive OSINT discovery.
A. See the Explanation.
Answer: A
Explanation:
1. Use dig target.com ANY or online tools like dnsdumpster.com (many servers now answer ANY with a minimal response, so query MX, TXT, NS, and A separately as well).
2. Review the MX, TXT, and SPF records for email providers or security configuration (SPF include: entries name the third-party senders).
3. Look for .internal. subdomains or staging environments.
4. Combine with brute-forcing for further expansion.
5. Visualize the DNS map for infrastructure awareness.

20. Test bypass of a file upload blacklisting filter.
A. See the Explanation.
Answer: A
Explanation:
1. Try uploading a .php file with a known webshell.
2. If blocked, rename it as .php5, .phtml, .pHp, or shell.php.jpg.
3. Intercept the request in Burp, modify the Content-Type, and resend it.
4. Upload a .htaccess file to re-enable execution if applicable (Apache with AllowOverride enabled).
5. Access the uploaded file and confirm code execution, only in a test lab.

question: 01 How would you identify and exploit an SQL Injection vulnerability in a login form using Burp Suite?

21. Describe how you can detect and exploit Broken Object Level Authorization (BOLA/IDOR).
A. See the Explanation.
Answer: A
Explanation:
1. Authenticate as user A and access a resource like: GET /api/user/1001/profile
2. Change the ID to another value: GET /api/user/1002/profile
3. If you can read another user's data, IDOR exists.
4. Confirm without causing damage; don't modify data unless authorized.
5. Log findings and escalate for patching with proper object-level access controls.

22. How would you test for Cross-Site Scripting (XSS) in a search parameter?
A. See the Explanation.
Answer: A
Explanation:
1. Use payloads like <script>alert(1)</script> or "><svg/onload=alert(1)> in the search box.
2. Observe whether the script executes in the response page.
3. Use Burp Suite to fuzz input fields with an XSS payload list.
4. Bypass filters with encoded or nested payloads such as %3Cscript%3E.
5. Confirm DOM-based XSS with Chrome DevTools and Burp's DOM Invader.
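Questions 5 and 6 above stop at "use grep or custom scripts". The following is an added example and not part of the exam material: a small scanner over a constructed .env-style text that finds AWS access key IDs, GitHub personal access tokens and generic KEY/SECRET/PASSWORD/TOKEN assignments, and separates documentation placeholders (the AKIAIOSFODNN7EXAMPLE key from the AWS docs) from values worth checking in commit history. The sample text, the pattern list and the placeholder markers are assumptions made for this example.

```python
import re

# Constructed sample: the kind of text the searches in questions 5 and 6 turn up.
# The AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI... pair is the documentation example from AWS;
# every other value here is made up for this example and is not a live credential.
SAMPLE = """\
# .env committed by mistake
SMTP_PASSWORD=hunter2
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# a real-looking one (random letters, not a live key)
AWS_ACCESS_KEY_ID=AKIAZQ3K7L9MNP2RSTUV
apikey=9f3c2d8e1a7b4c6d5e0f1a2b3c4d5e6f
github_token=ghp_abcdefghijklmnopqrstuvwxyz0123456789
"""

# (kind, pattern, group holding the secret). Specific formats come first so a value
# they match is reported once under its precise kind, not again as a generic assignment.
PATTERNS = [
    ("aws_access_key_id",
     re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])"), 1),
    ("github_pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"), 1),
    ("assignment",
     re.compile(r"(?i)\b([A-Z0-9_]*(?:KEY|SECRET|PASSWORD|PASSWD|TOKEN)[A-Z0-9_]*)\s*[=:]\s*['\"]?([^\s'\"]+)"), 2),
]

# Values that are almost always documentation samples or placeholders, not leaks.
PLACEHOLDER_MARKERS = ("example", "changeme", "your_", "xxx", "dummy", "placeholder", "<", ">")


def is_placeholder(value):
    v = value.lower()
    return any(m in v for m in PLACEHOLDER_MARKERS) or len(set(v)) <= 3


def scan(text):
    """Return one finding per secret-looking value per line; comment lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        seen = set()
        for kind, rx, group in PATTERNS:
            for m in rx.finditer(line):
                value = m.group(group)
                if value in seen:          # already reported under a more specific kind
                    continue
                seen.add(value)
                findings.append({"line": lineno, "kind": kind, "value": value,
                                 "placeholder": is_placeholder(value)})
    return findings


def live_candidates(findings):
    """Findings worth verifying in commit history and reporting to the owner."""
    return [f for f in findings if not f["placeholder"]]


if __name__ == "__main__":
    for f in scan(SAMPLE):
        flag = "placeholder" if f["placeholder"] else "CANDIDATE"
        print(f"line {f['line']:>2} {f['kind']:<18} {flag:<11} {f['value']}")
```

Run it over a cloned repository's history (git log -p) or a downloaded paste rather than over a single snapshot: a key removed in a later commit still shows up in the earlier diff, which is the point of step 4 of question 5.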
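For question 7 above, an added example (not from the page) that turns the crt.sh JSON output into a clean host list. Certificate transparency data mixes upper and lower case, trailing dots, wildcard names and the occasional lookalike domain that merely contains the target's name, so the raw list needs normalizing before it feeds a DNS resolver. CRTSH_SAMPLE is constructed to mimic the crt.sh format; fetch_crtsh shows the real query but is not called in the offline demo.

```python
import json
import urllib.request

# Constructed stand-in for what https://crt.sh/?q=%25.target.com&output=json returns:
# one object per certificate, with every SAN joined by newlines in name_value.
CRTSH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.target.com",
     "name_value": "target.com\nwww.target.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.dev.target.com",
     "name_value": "*.dev.target.com\nstaging.target.com",
     "not_before": "2023-06-01T00:00:00", "not_after": "2023-08-30T23:59:59"},
    {"issuer_name": "C=US, O=Example CA", "common_name": "mail.target.com",
     "name_value": "MAIL.target.com\nmail.target.com.",
     "not_before": "2024-02-01T00:00:00", "not_after": "2025-02-01T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "target.com.evil.example",
     "name_value": "target.com.evil.example",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T23:59:59"},
])


def fetch_crtsh(domain):
    """Live query (needs network); the demo below uses the offline sample instead."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=60) as resp:
        return resp.read().decode()


def parse_crtsh(raw_json, domain):
    """Return (hosts, wildcards): normalized names under `domain`, lookalikes dropped."""
    suffix = "." + domain.lower()
    hosts, wildcards = set(), set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")   # CT data mixes case and trailing dots
            if not name.endswith(suffix):
                continue                 # e.g. target.com.evil.example: a lookalike, not ours
            if name.startswith("*."):
                wildcards.add(name)      # a zone exists; seed brute-forcing with its base
            else:
                hosts.add(name)
    return sorted(hosts), sorted(wildcards)


if __name__ == "__main__":
    hosts, wildcards = parse_crtsh(CRTSH_SAMPLE, "target.com")
    print("hosts:", hosts)
    print("wildcards:", wildcards)
```

The expired certificate for staging.target.com is kept on purpose: an old name that no longer resolves is still a hint about naming conventions, which is why step 5 of the question cross-checks the list against live DNS instead of trusting it.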
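For question 9 above, an added example, not from the page, showing why X-Forwarded-For: 127.0.0.1 works against some deployments and what the resistant version looks like. The vulnerable function takes the leftmost address in the header, which the client wrote; the hardened one walks the chain from the right and stops at the first hop that is not one of the site's own proxies. The proxy range 10.0.0.0/8, the admin allowlist and the header list are assumptions for this example.

```python
import ipaddress

# Assumption for this example: the application sits behind its own reverse proxies in
# 10.0.0.0/8, and only 127.0.0.1 and the admin range 203.0.113.0/24 may reach /admin.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_ALLOWLIST = [ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("203.0.113.0/24")]

# Header names worth sending in a bypass run; frameworks and CDNs honour different ones.
CLIENT_IP_HEADERS = ["X-Forwarded-For", "X-Client-IP", "X-Real-IP", "True-Client-IP",
                     "X-Originating-IP", "CF-Connecting-IP", "Forwarded"]


def _in(addr, networks):
    return any(addr in net for net in networks)


def client_ip_naive(peer_ip, headers):
    """Vulnerable: believes whatever the client wrote in X-Forwarded-For."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip_hardened(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Walk the chain from the right; the first hop that is not our proxy is the client."""
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops + [peer_ip]):   # peer_ip is the last hop: it opened the TCP connection
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip                    # garbage in the header: fall back to the socket
        if not _in(addr, trusted):
            return str(addr)
    return peer_ip                            # every hop was a proxy: treat the peer as the client


def admin_allowed(ip):
    return _in(ipaddress.ip_address(ip), ADMIN_ALLOWLIST)


if __name__ == "__main__":
    # Attacker at 198.51.100.7 connects directly and spoofs the header (question 9, step 3).
    spoof = {"X-Forwarded-For": "127.0.0.1"}
    for name, fn in (("naive", client_ip_naive), ("hardened", client_ip_hardened)):
        ip = fn("198.51.100.7", spoof)
        print(f"{name:<9} sees {ip:<14} admin_allowed={admin_allowed(ip)}")
```

In a test, send each name in CLIENT_IP_HEADERS with 127.0.0.1 and compare status codes against a request without it; a 403 turning into a 200 is the finding. Note that the hardened version only works when the proxy list is exact: a CDN range that is trusted but lets customers set their own X-Forwarded-For reopens the hole.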
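For question 20 above, an added example (not from the page): the blacklist filter that the renames in step 2 and the .htaccess trick in step 4 defeat, beside an allowlist filter that rejects each of them. The file names, the webshell bytes and the JPEG header are constructed for the example; the allowlist and magic-byte table are an assumption about what the application needs to accept.

```python
import os
import uuid

# What the vulnerable filter knows about; anything else is allowed through.
BLACKLIST = {".php", ".phtml", ".phar"}

# Hardened filter: a short allowlist, and the bytes must match the declared type.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}


def blacklist_filter(filename):
    """Vulnerable: case-sensitive check of the final extension only."""
    _, ext = os.path.splitext(filename)   # '.htaccess' splits to ('.htaccess', ''): ext is empty
    return ext not in BLACKLIST


def allowlist_filter(filename, content):
    """Return a server-chosen stored name, or None to reject."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if "\x00" in base:                       # null-byte truncation tricks
        return None
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:      # rejects shell.php.jpg, .htaccess, noext
        return None
    ext = "." + parts[1]
    if ext not in ALLOWED:
        return None
    if not content.startswith(ALLOWED[ext]):  # declared type must match the bytes
        return None
    return uuid.uuid4().hex + ext            # the user's name never touches the filesystem


# Constructed payloads: the renames from question 20 plus a genuine-looking image.
WEBSHELL = b"<?php system($_GET['cmd']); ?>"
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
BYPASS_ATTEMPTS = ["shell.php", "shell.php5", "shell.pHp", "shell.php.jpg", ".htaccess"]

if __name__ == "__main__":
    for name in BYPASS_ATTEMPTS:
        bl = "pass" if blacklist_filter(name) else "reject"
        al = "pass" if allowlist_filter(name, WEBSHELL) else "reject"
        print(f"{name:<14} blacklist: {bl:<6} allowlist: {al}")
    print("cat.JPG with JPEG bytes ->", allowlist_filter("cat.JPG", JPEG))
```

The magic-byte check is not the whole fix: a valid JPEG with PHP in a comment segment passes it. The control that makes the upload harmless is serving the stored files from a location where nothing executes (a separate host or a directory with script handlers removed), which is exactly what an attacker's .htaccess in step 4 tries to undo.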
23. Identify and exploit Security Misconfiguration in Apache or Nginx headers.
A. See the Explanation.
Answer: A
Explanation:
1. Use curl -I http://target.com or Burp Suite to analyze the headers.
2. Check for missing X-Content-Type-Options, X-Frame-Options, or Content-Security-Policy.
3. Their absence permits MIME sniffing and clickjacking, and removes a defence-in-depth layer against XSS (a missing CSP does not cause XSS by itself).
4. Demonstrate by framing the site inside a page you control (clickjacking PoC).
5. Report the misconfigurations with the sample exploit and hardening advice (X-Content-Type-Options: nosniff, X-Frame-Options: DENY or a CSP frame-ancestors directive).

24. How do you test for Broken Authentication using session prediction?
A. See the Explanation.
Answer: A
Explanation:
1. Log in with valid credentials and capture the session cookie.
2. Observe whether session IDs are sequential or guessable (e.g., sessid=12345, 12346).
3. Use Burp Sequencer to measure token randomness, and Intruder to try candidate tokens.
4. If you hijack another session by guessing its token, it's a flaw.
5. Exploit only in a legal scope; report the vulnerability immediately.

25. How can you detect and exploit Insecure Deserialization in a PHP-based app?
A. See the Explanation.
Answer: A
Explanation:
1. Look for serialized strings like a:2:{i:0;s:4:"test";i:1;s:4:"demo";} in cookies, hidden fields, or parameters (often base64-encoded).
2. Use Burp to modify values and see whether the server errors or reacts abnormally.
3. If the data is unserialized server-side, build a gadget-chain payload with phpggc for a library the app uses, e.g.: phpggc Laravel/RCE1 system 'id'
4. Base64-encode it and send it via cookie, POST, or GET.
5. If the command executes, you've confirmed insecure deserialization (a chain only works when its library is present in the application).

26. Test for XXE (XML External Entity) vulnerability in file upload or XML endpoints.
A. See the Explanation.
Answer: A
Explanation:
1. Intercept an XML POST request like: <note><to>User</to></note>
2. Add an XXE payload: <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
3. Replace a value with &xxe;
4. If the server returns the file contents, XXE exists.
5. Use Burp Collaborator to exfiltrate via blind XXE (parameter entities loaded from an external DTD you host).

27. How do you detect and exploit Server-Side Request Forgery (SSRF)?
A. See the Explanation.
Answer: A
Explanation:
1. Find a parameter that fetches external resources: /fetch?url=https://example.com/image.jpg
2. Replace it with http://127.0.0.1:80 or http://169.254.169.254
3. Use Burp Collaborator: http://<your-collab-id>.oastify.com (older releases use burpcollaborator.net)
4. Monitor for DNS or HTTP callbacks; a DNS hit without an HTTP request still proves the server resolved your hostname.
5. Confirm SSRF and check whether internal assets (e.g., the AWS metadata service) are exposed.

28. Test for Mass Assignment vulnerability in a user profile update feature.
A. See the Explanation.
Answer: A
Explanation:
1. Capture the PUT or POST request to /profile/update.
2. Inject extra parameters like is_admin=true or role=admin in the JSON body.
3. Observe the response, or log in again to see whether the change stuck.
4. Use fuzzing to guess other sensitive keys like credit_limit or user_id.
5. Only test on an authorized lab or target; never abuse this on live systems.

29. Detect and exploit insufficient logging and monitoring.
A. See the Explanation.
Answer: A
Explanation:
1. Perform brute force, IDOR, and other attacks while monitoring the logs (if accessible).
2. Check whether any alerts are triggered or your IP gets blocked.
3. If not, it is a visibility/logging issue.
4. If web logs are downloadable or exposed through a misconfiguration, retrieve them.
5. Provide a PoC showing that critical actions aren't logged or flagged.

30. How would you detect insecure CORS (Cross-Origin Resource Sharing) configuration?
A. See the Explanation.
Answer: A
Explanation:
1. Use curl -i -H "Origin: https://evil.example" http://target.com (-i rather than -I, so the server handles a GET instead of a HEAD).
2. If the response reflects your arbitrary Origin in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true, it's insecure. (Access-Control-Allow-Origin: * with credentials is also a misconfiguration, but browsers refuse that combination, so it is not exploitable on its own.)
3. Use a malicious HTML page to send credentialed XHR or fetch requests (withCredentials = true, or credentials: "include") and read the response.
4. The attacker's page then reads the victim's authenticated responses (account data, CSRF tokens); the session cookie itself is not exposed, but it does not need to be.
5. Validate that Access-Control-Allow-Credentials isn't combined with a reflected or "null" origin, and check for weak origin matching (prefix or suffix checks against the expected domain).
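For question 24 above, an added example, not from the page, that applies the two checks a tester runs on captured session IDs: are the values sequential (step 2), and how much entropy does the token carry. Both token sets are constructed; the "strong" set is drawn from a seeded PRNG only so the demo is reproducible, and stands in for what secrets.token_hex(16) would produce. The 64-bit threshold is the OWASP session-management recommendation.

```python
import math
import random
from collections import Counter

# Constructed samples (not captured from any real application).
SEQUENTIAL = [f"sessid={n}" for n in range(10231, 10236)]
# 128-bit values from a seeded PRNG so the demo is reproducible; a real server would
# use secrets.token_hex(16), which is what this set stands in for.
_rng = random.Random(1337)
STRONG = [f"sessid={_rng.getrandbits(128):032x}" for _ in range(5)]


def token_body(token):
    """Strip a 'name=' prefix, if present."""
    return token.split("=", 1)[-1]


def numeric_value(body):
    for base in (10, 16):
        try:
            return int(body, base)
        except ValueError:
            pass
    return None


def is_sequential(tokens, max_step=1000):
    """True when every token is a number a little larger than the previous one."""
    values = [numeric_value(token_body(t)) for t in tokens]
    if len(values) < 3 or any(v is None for v in values):
        return False
    steps = [b - a for a, b in zip(values, values[1:])]
    return all(0 < s <= max_step for s in steps)


def entropy_bits(tokens):
    """Shannon entropy per character over the sample, times the shortest token length.
    This is an optimistic estimate: structure across positions is not modelled, so a
    token that passes here still needs Burp Sequencer or a larger sample to be trusted."""
    bodies = [token_body(t) for t in tokens]
    counts = Counter("".join(bodies))
    total = sum(counts.values())
    per_char = -sum(c / total * math.log2(c / total) for c in counts.values())
    return per_char * min(len(b) for b in bodies)


def assess(tokens, min_bits=64):
    """OWASP asks for at least 64 bits of effective entropy in a session identifier."""
    sequential = is_sequential(tokens)
    bits = entropy_bits(tokens)
    if sequential:
        verdict = "predictable"
    elif bits < min_bits:
        verdict = "weak"
    else:
        verdict = "acceptable"
    return {"sequential": sequential, "estimated_bits": round(bits, 1), "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("sequential", SEQUENTIAL), ("strong", STRONG)):
        print(label, assess(sample))
```

A "predictable" verdict is the case in step 4: the next value in the sequence is a live session, and one Intruder run over the neighbouring numbers proves the hijack. A token that merely looks random still deserves a few hundred samples through Burp Sequencer before it is written off as fine.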
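For questions 18 and 27 above, an added example from the defender's side (not from the page): the validation a /fetch?url= endpoint needs so that the payloads in those questions (127.0.0.1, 169.254.169.254, a hostname an attacker points at the metadata service, a decimal-encoded IP, an IPv4-mapped IPv6 address, a file: URL) are all refused. FAKE_DNS is a constructed resolver so the example runs offline; resolve_live is the real one. The address 93.184.216.34 is used as an ordinary public address for the demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolver so the example runs offline; swap in resolve_live for real use.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.20.30.40"],
    "imds.attacker.example": ["169.254.169.254"],   # attacker-controlled name pointing at IMDS
    "localtest.me": ["127.0.0.1"],
}


def resolve_fake(host):
    return FAKE_DNS[host]            # KeyError for unknown names, like NXDOMAIN


def resolve_live(host):
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def _addresses(host):
    """Literal addresses the host denotes, including curl-style decimal IPs; None for a DNS name."""
    if host.isdigit():               # http://2130706433/ is 127.0.0.1 to curl and browsers
        return [ipaddress.ip_address(int(host))]
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return None


def ssrf_check(url, resolver=resolve_fake):
    """Decide whether a user-supplied URL may be fetched; return a pinned IP if so."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return {"allowed": False, "reason": f"scheme {parts.scheme!r} not allowed"}
    host = parts.hostname
    if not host:
        return {"allowed": False, "reason": "no host"}
    try:
        addrs = _addresses(host)
        if addrs is None:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    except (ValueError, KeyError, socket.gaierror):
        return {"allowed": False, "reason": f"cannot resolve {host}"}
    for addr in addrs:
        if addr.version == 6 and addr.ipv4_mapped:   # ::ffff:169.254.169.254
            addr = addr.ipv4_mapped
        if not addr.is_global:       # loopback, RFC 1918, link-local (IMDS), CGNAT, reserved
            return {"allowed": False, "reason": f"{host} -> {addr} is not a public address"}
    # Connect to the pinned address and send Host: host yourself, and do not follow
    # redirects: re-resolving later reopens the DNS-rebinding window this check closed.
    return {"allowed": True, "reason": "ok", "pin": str(addrs[0])}


if __name__ == "__main__":
    for u in ["https://example.com/image.jpg", "http://127.0.0.1:80/",
              "http://169.254.169.254/latest/meta-data/", "http://imds.attacker.example/",
              "http://2130706433/", "http://[::ffff:169.254.169.254]/",
              "file:///etc/passwd", "http://internal.corp/"]:
        print(f"{u:<45} {ssrf_check(u)}")
```

Two things the check alone does not cover: the HTTP client must connect to the pinned IP (otherwise a short-TTL record can swap to 169.254.169.254 between check and fetch), and it must not follow redirects, since a public host can 302 to an internal one. On AWS the metadata step in question 18 also depends on IMDSv2 being disabled or an SSRF that can issue a PUT.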
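For question 30 above, an added example (not from the page) that models the server behaviours a tester meets (reflect everything, prefix match, suffix match, strict allowlist) and classifies the response to each probe Origin the way step 2 and step 5 describe. target.com is the assumed in-scope origin; the probe list and the server functions are constructed for the example.

```python
TARGET = "https://target.com"          # assumed in-scope origin
ALLOWED_ORIGINS = {TARGET, "https://app.target.com"}

# Origins a tester sends, each aimed at a different validation mistake.
PROBES = [
    "https://evil.example",            # no validation at all (reflection)
    "null",                            # sandboxed iframes and file:// pages send this
    TARGET + ".evil.example",          # prefix match: origin.startswith("https://target.com")
    "https://eviltarget.com",          # suffix match: origin.endswith("target.com")
    TARGET,                            # control: the legitimate origin
]


def evaluate(origin, headers):
    """Classify the CORS headers returned for a request that carried `origin`."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return "none"                                  # browser blocks the cross-origin read
    if acao == "*":
        return "medium" if creds else "info"           # * plus credentials: browsers refuse it
    if acao == origin and origin in ALLOWED_ORIGINS:
        return "ok"
    if acao == origin:                                 # reflected (or "null" echoed back)
        return "high" if creds else "low"              # high: attacker page reads authenticated data
    return "none"


# Constructed server behaviours; each returns the CORS headers it would emit for `origin`.
def server_reflect(origin):
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}


def server_prefix(origin):
    return server_reflect(origin) if origin.startswith(TARGET) else {}


def server_suffix(origin):
    return server_reflect(origin) if origin.endswith("target.com") else {}


def server_strict(origin):
    return server_reflect(origin) if origin in ALLOWED_ORIGINS else {}


def audit(server):
    return {o: evaluate(o, server(o)) for o in PROBES}


if __name__ == "__main__":
    for name, srv in [("reflect", server_reflect), ("prefix", server_prefix),
                      ("suffix", server_suffix), ("strict", server_strict)]:
        print(name, audit(srv))
```

The strict server is the fix: compare the Origin against an exact set, echo it only when it matches, and add Vary: Origin so a cache never serves one origin's ACAO header to another. Against a live target the same probes go out with the curl line in step 1, one Origin at a time.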