Exam CS0-001 topic 1 question 52 discussion

Actual exam question from CompTIA's CS0-001
Question #: 52
Topic #: 1

After scanning the main company's website with the OWASP ZAP tool, a cybersecurity analyst is reviewing the following warning:

The analyst reviews a snippet of the offending code:

Which of the following is the BEST course of action based on the above warning and code snippet?

  • A. The analyst should implement a scanner exception for the false positive.
  • B. The system administrator should disable SSL and implement TLS.
  • C. The developer should review the code and implement a code fix.
  • D. The organization should update the browser GPO to resolve the issue.
Suggested Answer: D
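The warning in the question is ZAP's passive "password autocomplete" check: a password input whose browser autocomplete is left enabled. The snippet the analyst reviewed is an image and is not reproduced on this page, so the HTML below is constructed for illustration (the misspelled field name is borrowed from the discussion). This is an added example, not code from ExamTopics or from OWASP ZAP; it re-implements the rule's logic with the standard library so the finding and the code fix (option C) can be reproduced offline, and it honours form-level `autocomplete` inheritance as the HTML spec defines it.

```python
"""Passive check for password fields whose browser autocomplete is still enabled.

Added example, not ZAP's own rule code. Parses HTML with the standard library and
reports every <input type="password"> whose effective autocomplete value is not
"off". The HTML samples are constructed; the page's own snippet is not reproduced.
"""
from html.parser import HTMLParser

# Constructed vulnerable form: no autocomplete attribute anywhere, so the
# browser default ("on") applies. Field name taken from the discussion.
VULNERABLE_FORM = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="passwword">
  <input type="submit" value="Log in">
</form>
"""

# Constructed fixed form: the developer sets autocomplete="off" on the field.
FIXED_FORM = """
<form action="/login" method="post">
  <input type="text" name="username" autocomplete="off">
  <input type="password" name="password" autocomplete="off">
  <input type="submit" value="Log in">
</form>
"""

# Constructed variant: only the <form> carries autocomplete="off"; per the HTML
# spec an input without its own attribute inherits the form's value.
FORM_LEVEL_OFF = """
<form action="/login" method="post" autocomplete="off">
  <input type="password" name="password">
</form>
"""


class _PasswordFieldCollector(HTMLParser):
    """Collects every password input with its effective autocomplete value."""

    def __init__(self):
        super().__init__()
        self._form_stack = []   # autocomplete values of enclosing <form> tags
        self.findings = []      # (field name, effective autocomplete value)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form_stack.append(a.get("autocomplete", "on").lower())
        elif tag == "input" and a.get("type", "text").lower() == "password":
            inherited = self._form_stack[-1] if self._form_stack else "on"
            effective = a.get("autocomplete", inherited).lower()
            self.findings.append((a.get("name", ""), effective))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_stack:
            self._form_stack.pop()


def password_autocomplete_findings(html):
    """Return names of password inputs whose effective autocomplete is not 'off'."""
    parser = _PasswordFieldCollector()
    parser.feed(html)
    parser.close()
    return [name for name, effective in parser.findings if effective != "off"]


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_FORM),
                          ("fixed", FIXED_FORM),
                          ("form-level off", FORM_LEVEL_OFF)):
        print(label, "->", password_autocomplete_findings(sample))
```

Caveat a practitioner should keep in mind: current Chrome and Firefox ignore `autocomplete="off"` on password fields for their built-in password managers, so the code fix only stops the older, purely attribute-driven behaviour; that is the reason one commenter below cites for ZAP retiring the rule, and it is why a browser policy (option D) is sometimes argued for. The two controls address different populations: the code fix reaches every visitor, the policy reaches only machines the organisation manages.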

Comments

s3curity1
Highly Voted 3 years, 10 months ago
Isn't this C? The offending code is from the company's website. Updating the browser's GPO will only fix the issue within the company, since they will be the ones in scope for the GPO change. However, users accessing the website from outside the company, and using their personal devices, are still at risk. So I think it's best to address the root cause and have the developer review the code and implement the fix.
upvoted 7 times
TheThreatGuy
3 years, 10 months ago
Yes. I second this thought. GPO only addresses this on a PC you manage. Since the question does not identify this as an intranet site, reviewing code and implementing a fix is the "BEST" answer.
upvoted 2 times
somtowally
3 years, 6 months ago
If the offending code contained the syntax <input autocomplete="on">, then C would have been the right answer. Take note that the vulnerability reported could be false, and the only way to verify this is by reviewing the code itself. Having said this, using GPO is the right answer.
upvoted 1 times
Kuku55
Most Recent 3 years, 2 months ago
Lol guys, stop arguing, it's A. https://github.com/zaproxy/zaproxy/issues/4215 Major browsers will override any use of autocomplete="off", then ZAP retired that plugin: https://github.com/zaproxy/zap-extensions/pull/1233
upvoted 1 times
Acrisius
3 years, 4 months ago
The answer here is C. This is a coding issue with the application. You can set a GPO, but the app will still be an issue. Similar Q in 002.
upvoted 2 times
ckr8
3 years, 4 months ago
Same question on Jason Dion tutorials and answer is C.
upvoted 1 times
RazaG
3 years, 7 months ago
It should be C. What about users outside the network? If they save passwords and their machines are infected, attackers will have access to their credentials.
upvoted 2 times
MagicianRecon
3 years, 8 months ago
C should be correct https://www.w3schools.com/tags/att_input_autocomplete.asp
upvoted 1 times
lloydxmas
3 years, 9 months ago
The code is not necessarily incorrect, as developers can still reference the 'passwword' name correctly in their code. It's just blatantly spelt wrong. You wouldn't know this if you did not have experience building logic for a 'front-end' component in a webpage. The misspelling is a trap feature in the question. The question is about the autocomplete feature, which should be disabled in the browser. D, GPO change, is correct.
upvoted 4 times
christ0phermc
3 years, 9 months ago
I guessed 4 and I got it right, so I think it is 4 because the website said it was and the internet is very smart.
upvoted 1 times
shakevia463
2 years, 4 months ago
very helpful input mate
upvoted 1 times
Blind_Hatred
3 years, 10 months ago
I think this is indeed D, for the following reason: the AUTOCOMPLETE option set to disable is seldom honoured by modern browsers anyway. I think the goal here is to prevent an attacker from being able to harvest company credentials on an infected machine. So from a security perspective, it would be better to disable autocompletion in the browser settings than to do it on the company website, knowing full well that doesn't usually work.
upvoted 1 times
Community vote distribution:
  • A (35%)
  • C (25%)
  • B (20%)
  • Other