Exam 200-901 topic 1 question 102 discussion

Actual exam question from Cisco's 200-901

Question #: 102
Topic #: 1

A developer pushes an application to production. The application receives a webhook over HTTPS without a secret. The webhook information contains credentials to service in cleartext. When the information is received, it is stored in the database with an SHA-256 hash. Credentials to the database are accessed at runtime through the use of a vault service. While troubleshooting, the developer sets the logging to debug to view the message from the webhook. What is the security issue in this scenario?

A. Database credentials should be accessed by using environment variables defined at runtime.
B. During the transport of webhook messages, the credentials could be unencrypted and leaked.
C. During logging, debugging should be disabled for the webhook message.
D. Hashing the credentials in the database is not secure enough; the credentials should be encrypted.

Show Suggested Answer

Suggested Answer: B 🗳️

by macxsz at June 11, 2022, 8:48 p.m.

Comments

Submit Cancel

intheshadows00

11 months, 3 weeks ago

It is B Since the application receives a webhook over HTTPS without a secret, there is a risk that the credentials in the webhook information could be transmitted over the network without encryption. Using HTTPS is a secure way to transmit data, but without a secret or proper authentication, there is a risk of unauthorized access. Enabling transport layer encryption (such as HTTPS) and ensuring proper authentication mechanisms for webhooks are essential to prevent the exposure of sensitive information during transmission.

upvoted 1 times

Omniumdolour

2 months, 3 weeks ago

HTTPS is encrypted transport, the credentials are no more at risk than any other traffic over HTTPS. The fact that the webhook info is in cleartext and debugging is going to log said webhook info...that means your log is going to contain the credentials in cleartext. So you should turn off webhook logging during debug. C.

upvoted 1 times

...

rtg2123

1 year, 9 months ago

Selected Answer: C

From my point of view C is the correct answer because B says something about during transport which is HTTPS and which is encprypted -> So no security issue because you cannot decript it. And when using webhooks debug, an atacker can exploit this vulnerability and obtain the credentials. So the problem is that this debug should not be present in a production app constructed in this way. For more details about webhooks debugging: https://hookdeck.com/webhooks/guides/troubleshooting-debugging-webhooks-tutorial#conclusion

upvoted 2 times

...

nunyabeez

1 year, 10 months ago

Selected Answer: B

This is tricky. It seems that all aspects of security are valid until debugging happens. When the webhook is sent, even though the creds are in plain text in the data payload, the transmission is encrypted with HTTPS. Then those creds are stored in with a secure hash. Then they're accessed with a vault service. The only insecure part is the debugging. When the debugging happens, you can see the user/pass in the debugging logs. Technically, that makes B correct, as the logging is done after the HTTPS is decrypted, but it also makes C correct. However, the question asks what the issue is, not what the solution is. Answer C is a solution, not the issue, so I'm going with B.

upvoted 4 times

...

mellohello

1 year, 11 months ago

Selected Answer: B

B is the correct answer!

upvoted 4 times

...

aplicacion101

2 years, 3 months ago

Selected Answer: B

No A: Credentials to the database are accessed at runtime through the use of a vault service B is make sense because no secret, without secret is the key. No is posible complete some process of security C no make sense D Webhook usea hmac for guarantee integrity and source

upvoted 1 times

...