The SecOps Group Certified AppSec Practitioner Exam CAP Question # 10 Topic 2 Discussion

The scenario describes a password reset mechanism where a user receives an email with a reset link: http://example.com/reset_password?userId=5298. Let’s evaluate each option:

Option A ("The reset link uses an insecure channel"): The reset link uses http:// instead of https://, indicating an insecure channel (HTTP instead of HTTPS). Transmitting sensitive data (e.g., a reset link) over HTTP allows an attacker to intercept the request, potentially stealing the reset token or user ID. This makes the reset mechanism insecure, so this statement is true.

Option B ("The application is vulnerable to username enumeration"): The message "If the email exists, we will email you a link to reset the password" is generic and does not reveal whether the email exists, which is a best practice to prevent username enumeration. Username enumeration would occur if the application responded differently for existing vs. non-existing users (e.g., "Email not found"). Here, there’s no indication of enumeration vulnerability, so this statement is false.

Option C ("The application will allow the user to reset an arbitrary user’s password"): The reset link includes a userId=5298 parameter, which appears to directly reference a user’s ID. If an attacker can manipulate this parameter (e.g., to userId=5299), they might be able to reset another user’s password, especially if the application does not validate that the reset request is tied to the user’s session or email. The link also lacks a one-time token or other verification mechanism to ensure the request is legitimate. This suggests an Insecure Direct Object Reference (IDOR) vulnerability, making this statement true.

Option D ("Both A and C"): Since both A (insecure channel) and C (arbitrary password reset) are true, this is the correct answer.

The correct answer is D, aligning with the CAP syllabus under "Password Reset Security" and "Insecure Direct Object References (IDOR)."References: SecOps Group CAP Documents - "Password Reset Best Practices," "IDOR Vulnerabilities," and "OWASP Authentication Cheat Sheet" sections.