
Exam CS0-002 topic 1 question 61 discussion

Actual exam question from CompTIA's CS0-002
Question #: 61
Topic #: 1

Because some clients have reported unauthorized activity on their accounts, a security analyst is reviewing network packet captures from the company's API server. A portion of a capture file is shown below:
POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.s/soap/envelope/"><s:Body><GetIPLocation
+xmlns="http://tempuri.org/">
<request+xmlns:a="http://schemas.somesite.org"+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"></s:Body></s:Envelope> 192.168.1.22 - - api.somesite.com 200 0 1006 1001 0 192.168.1.22
POST /services/v1_0/Public/Members.svc/soap <<a:Password>Password123</a:Password><a:ResetPasswordToken+i:nil="true"/>
<a:ShouldImpersonatedAuthenticationBePopulated+i:nil="true"/><a:Username>[email protected]</a:Username></request></Login></s:Body></s:Envelope> 192.168.5.66 - - api.somesite.com 200 0 11558 1712 2024 192.168.4.89
POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/"> <a:IPAddress>516.7.446.605</a:IPAddress><a:ZipCode
+i:nil="true"/></request></GetIPLocation></s:Body></s:Envelope> 192.168.1.22 - - api.somesite.com 200 0 1003 1011 307 192.168.1.22
POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><IsLoggedIn+xmlns="http://tempuri.org/"> <request+xmlns:a="http://schemas.datacontract.org/2004/07/somesite.web+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:Authentication>
<a:ApiToken>kmL4krg2CwwWBan5BReGv5Djb7syxXTNKcWFuSjd</a:ApiToken><a:ImpersonateUserId>0</a:ImpersonateUserId><a:LocationId>161222</a:LocationId> <a:NetworkId>4</a:NetworkId><a:ProviderId>''1=1</a:ProviderId><a:UserId>13026046</a:UserId></a:Authentication></request></IsLoggedIn></s:Body></s:Envelope> 192.168.5.66 - - api.somesite.com 200 0 1378 1209 48 192.168.4.89
Which of the following MOST likely explains how the clients' accounts were compromised?

  • A. The clients' authentication tokens were impersonated and replayed.
  • B. The clients' usernames and passwords were transmitted in cleartext.
  • C. An XSS scripting attack was carried out on the server.
  • D. A SQL injection attack was carried out on the server.

Suggested Answer: A
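
Added triage example (not from ExamTopics, CompTIA or the exam): a Python script that walks capture lines laid out like the exhibit above and flags the three indicators the answer options describe: credentials readable on the wire, a tautology in an ID field, and one API token presented from more than one client address. The sample lines are constructed in the exhibit's format; the token, addresses and username are placeholders, and the third line (same token from a new address) is invented to show the replay case.

```python
import re
from collections import defaultdict

# Constructed sample capture lines modelled on the question's exhibit (not the exam's exact text):
# "METHOD PATH SOAP-BODY CLIENT_IP - - HOST STATUS ...", with spaces inside the body encoded as "+".
SAMPLE_CAPTURE = [
    "POST /services/v1_0/Public/Members.svc/soap <s:Envelope><s:Body><Login+xmlns=\"http://tempuri.org/\"><request>"
    "<a:Password>Password123</a:Password><a:Username>user@example.com</a:Username></request></Login>"
    "</s:Body></s:Envelope> 192.168.5.66 - - api.somesite.com 200 0 11558 1712 2024 192.168.4.89",
    "POST /services/v1_0/Public/Members.svc/soap <s:Envelope><s:Body><IsLoggedIn+xmlns=\"http://tempuri.org/\"><request>"
    "<a:Authentication><a:ApiToken>TOKEN_A</a:ApiToken><a:ProviderId>''1=1</a:ProviderId><a:UserId>13026046</a:UserId>"
    "</a:Authentication></request></IsLoggedIn></s:Body></s:Envelope> 192.168.5.66 - - api.somesite.com 200 0 1378 1209 48 192.168.4.89",
    # The same API token presented from a different client address (constructed): the replay signature.
    "POST /services/v1_0/Public/Members.svc/soap <s:Envelope><s:Body><IsLoggedIn+xmlns=\"http://tempuri.org/\"><request>"
    "<a:Authentication><a:ApiToken>TOKEN_A</a:ApiToken><a:UserId>13026046</a:UserId>"
    "</a:Authentication></request></IsLoggedIn></s:Body></s:Envelope> 10.20.30.40 - - api.somesite.com 200 0 1378 1209 48 192.168.4.89",
]

LINE_RE = re.compile(r"^(?P<method>\w+) (?P<path>\S+) (?P<body>\S+) (?P<client>\S+) - - (?P<host>\S+) (?P<status>\d+)")
SQLI_RE = re.compile(r"['\"]+\s*(?:or\s+|and\s+)?1\s*=\s*1", re.I)  # tautologies such as ''1=1 or ' or 1=1

def field(body, name):
    """Return the text of <a:NAME>...</a:NAME> inside a SOAP body, or None if the element is absent."""
    m = re.search(rf"<a:{name}>(.*?)</a:{name}>", body)
    return m.group(1) if m else None

def parse_line(line):
    """Split one capture line into method, path, SOAP body, client IP, host and status (None if malformed)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines):
    """Return (indicator, where, detail) tuples for the signals the answer options describe."""
    findings, token_clients = [], defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        body = rec["body"]
        if field(body, "Password") is not None:            # option B: credentials readable on the wire
            findings.append(("CLEARTEXT_CREDENTIALS", rec["client"], field(body, "Username")))
        for name in ("ProviderId", "UserId", "LocationId", "NetworkId"):
            val = field(body, name)
            if val and SQLI_RE.search(val):                # option D: tautology in an ID field
                findings.append(("SQLI_PATTERN", rec["client"], f"{name}={val}"))
        tok = field(body, "ApiToken")
        if tok:                                            # option A: one token, more than one client address
            token_clients[tok].add(rec["client"])
    for tok, clients in token_clients.items():
        if len(clients) > 1:
            findings.append(("TOKEN_REUSE", tok, tuple(sorted(clients))))
    return findings
```

On the exhibit itself the token appears only once, so the replay check would stay silent; it is the cleartext Login request that gives the attacker the credentials, and any later reuse of the resulting token from a new address is what the last check is meant to surface.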

Comments

elfaz
Highly Voted 3 months ago
B. We can see the password and user name here.
upvoted 10 times
B does appear to be the best reason.
upvoted 3 times
garou
Highly Voted 2 months ago
I'm not so sure that the answer is B. To me A seems acceptable. I think that the attacker is changing the user's password by using the user's token:
<a:Password>Password123</a:Password>
<a:ResetPasswordToken+i:nil="true"/>
<a:ShouldImpersonatedAuthenticationBePopulated+i:nil="true"/>
<a:Username>[email protected]</a:Username>
<a:Authentication>
<a:ApiToken>kmL4krg2CwwWBan5BReGv5Djb7syxXTNKcWFuSjd</a:ApiToken>
<a:ImpersonateUserId>0</a:ImpersonateUserId>
<a:LocationId>161222</a:LocationId>
<a:NetworkId>4</a:NetworkId>
<a:ProviderId>''1=1</a:ProviderId>
<a:UserId>13026046</a:UserId>
</a:Authentication>
upvoted 8 times
CodeMonkey2
Most Recent 6 days, 12 hours ago
The question asks HOW the clients' accounts were compromised. (A) is HOW it was done and (B) is WHAT was done.
upvoted 2 times
infosec208
1 month ago
garou is spot on. It helps when you break it out on each line instead of it being all smooshed together. It is A.
upvoted 2 times
mhughes25
1 month, 1 week ago
I think that it could be A, because B isn't wrong; however, it tells us why the account was compromised. A tells us HOW the account was compromised, which is what the question is asking. That is just my 2 cents.
upvoted 1 times
White_T_10
1 month, 2 weeks ago
A and B both seem correct; I think CompTIA wants us to close our eyes and choose one of these 2!!!
upvoted 2 times
somsom
1 month, 2 weeks ago
B is the right answer: user name and password in plain text.
upvoted 2 times
americaman80
1 month, 3 weeks ago
A is the correct answer. I'm with garou on this one. The scripts say ApiToken and Impersonate right there in the text.
upvoted 1 times
leif06
2 months, 1 week ago
Agreed, B is the right answer.
upvoted 3 times
IxlJustinlxl
2 months, 3 weeks ago
HTTP traffic is unencrypted, therefore everything is sent in plaintext; user/password are visible in the packet capture, so the answer has to be B.
upvoted 3 times
btoopalow
2 months, 4 weeks ago
Gotta be B. I can see the password.
upvoted 3 times
Crkvica
3 months ago
I agree with elfaz...we can see the password and the user name, so it should be B...
upvoted 2 times