A web developer is completing a new web application security checklist before releasing the application to production. The task of disabling unnecessary services is on the checklist. Which web application threat is being mitigated by this action?
in OWASP top 10 there is no term called broken access control, its called broken authentication. correct answer is security misconfiguration which includes web server, database, application, routers and firewalls as well.
there is; at least in the 2021 version.
https://owasp.org/Top10/A01_2021-Broken_Access_Control/
I really dislike these kind of questions where you need to infer from the answers that "the checklist" is the OWASP top 10... but it is what it is.
Why not A?
The question is asking which application THREAT is being mitigated.. Session hijacking is the only threat listed..
Security misconfiguration is a vulnerability
Broken access control is a vulnerability
Sensitive data exposure is a risk..
C. Broken Access Controls is the correct answer. Broken access controls pertain to issues related to improper authorization and access permissions, which are often a key aspect of mitigating threats by disabling unnecessary services. However, B. Security misconfiguration in itself will not be an appropriate answer for the question. I see a lot of people selecting answer B. because they are looking at Chatgpt. Please don't blindly accept chatgpt answers, many of them are wrong and this is one of them.
The web application threat being mitigated by disabling unnecessary services is:
B. Security misconfiguration.
Disabling unnecessary services helps reduce the attack surface of a web application by eliminating potential entry points for attackers. It helps ensure that only essential services are running, reducing the chances of security vulnerabilities arising from misconfigured or unpatched services. By disabling unnecessary services, the web developer minimizes the risk of security misconfigurations that could be exploited by attackers.
not completly clear for me but after googleing cissp security missconfiguration all the articles refere to functions that should be disabled if not needed (no default config on). so B
A & D can be eliminated as session hijacking and data breach still going to happen after hardening/ disabling unnecessary services
I chose Broken Authentication, but it's not true. I read some articles. Example of broken authentication (https://avatao.com/blog-broken-access-control/) - it can still happen
B seems right - if we don't disable configuration for directory listing, attacker can list the directory (https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration)
This section is not available anymore. Please use the main Exam Page.CISSP Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
amitsir
1 month, 2 weeks agoJ_Ko
1 month, 1 week ago8b48948
6 months, 3 weeks agodm808
7 months, 2 weeks agoRamye
5 months, 3 weeks agoYesPlease
11 months agoSoleandheel
11 months, 1 week agoBach1968
1 year, 4 months agoMoose01
1 year, 5 months agoDapengZhang
1 year, 7 months agojackdryan
1 year, 6 months agosphenixfire
2 years agofranbarpro
2 years agodev46
2 years, 1 month agoygc
2 years, 2 months ago