Which of the following are security weaknesses in this …

A penetration tester is inspecting traffic on a new mobile banking application and sends the following web request:
POST http://www.example.com/resources/NewBankAccount HTTP/1.1
Content-type: application/json
{
“account”:

[
{ “creditAccount”:”Credit Card Rewards account”} {
“salesLeadRef”:”www.example.com/badcontent/exploitme.exe”}
],
“customer”:
[
{ “name”:”Joe Citizen”} { “custRef”:”3153151″}
] }

The banking website responds with:
HTTP/1.1 200 OK
{
“newAccountDetails”:
[
{ “cardNumber”:”1234123412341234″} { “cardExpiry”:”2020-12-31″}
{ “cardCVV”:”909″}
],
“marketingCookieTracker”:”JSESSIONID=000000001″
“returnCode”:”Account added successfully”
}
Which of the following are security weaknesses in this example? (Select TWO).

A penetration tester is inspecting traffic on a new mobile banking application and sends the following web request:
POST http://www.example.com/resources/NewBankAccount HTTP/1.1
Content-type: application/json
{
“account”:

[
{ “creditAccount”:”Credit Card Rewards account”} {
“salesLeadRef”:”www.example.com/badcontent/exploitme.exe”}
],
“customer”:
[
{ “name”:”Joe Citizen”} { “custRef”:”3153151″}
] }

The banking website responds with:
HTTP/1.1 200 OK
{
“newAccountDetails”:
[
{ “cardNumber”:”1234123412341234″} { “cardExpiry”:”2020-12-31″}
{ “cardCVV”:”909″}
],
“marketingCookieTracker”:”JSESSIONID=000000001″
“returnCode”:”Account added successfully”
}
Which of the following are security weaknesses in this example? (Select TWO).

A.
Missing input validation on some fields

B.
Vulnerable to SQL injection

C.
Sensitive details communicated in clear-text

D.
Vulnerable to XSS

E.
Vulnerable to malware file uploads

F.
JSON/REST is not as secure as XML



Leave a Reply 0

Your email address will not be published. Required fields are marked *