
Exam 200-901 topic 1 question 102 discussion

Actual exam question from Cisco's 200-901
Question #: 102
Topic #: 1

A developer pushes an application to production. The application receives a webhook over HTTPS without a secret. The webhook information contains credentials to a service in cleartext. When the information is received, it is stored in the database as a SHA-256 hash. Credentials to the database are accessed at runtime through the use of a vault service. While troubleshooting, the developer sets the logging level to debug to view the message from the webhook. What is the security issue in this scenario?

  • A. Database credentials should be accessed by using environment variables defined at runtime.
  • B. During the transport of webhook messages, the credentials could be unencrypted and leaked.
  • C. During logging, debugging should be disabled for the webhook message.
  • D. Hashing the credentials in the database is not secure enough; the credentials should be encrypted.
Suggested Answer: B
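The scenario touches two separate controls that the discussion below argues about: a webhook accepted over HTTPS with no shared secret (so the receiver cannot tell a forged delivery from a real one), and debug logging that writes the raw webhook body, credentials included, into the log. The following is an added example, not part of the exam question or of any commenter's post, showing how a receiver would handle both: an HMAC-SHA256 signature over the raw body checked in constant time, and redaction of credential fields before the payload is ever logged at DEBUG. The header name, the key list, the secret and the sample payload are all assumptions constructed for the demo, not taken from any real webhook provider.

```python
"""Added example: HMAC-verified webhook intake with credential redaction before logging.

Everything here (header name, SENSITIVE_KEYS, the demo secret and payload) is
constructed for illustration and does not come from a real service.
"""
import hashlib
import hmac
import json
import logging

logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(message)s")
log = logging.getLogger("webhook")

# Keys whose values must never reach a log line, even at DEBUG level (assumed list).
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "api_key", "apikey", "authorization"}


def sign(secret: bytes, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over the raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Receiver side: recompute the MAC and compare in constant time.

    compare_digest avoids the timing side channel of a plain ``==``; signing the
    raw bytes rather than the parsed JSON means re-serialisation differences
    cannot change what is authenticated.  A missing header is treated as invalid.
    """
    expected = sign(secret, body)
    return hmac.compare_digest(expected, signature_header or "")


def redact(obj):
    """Return a copy of a parsed JSON payload with sensitive values masked."""
    if isinstance(obj, dict):
        return {
            k: ("***REDACTED***" if k.lower() in SENSITIVE_KEYS else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def handle_webhook(secret: bytes, body: bytes, signature_header: str) -> dict:
    """Reject unsigned or forged deliveries; log only the redacted payload."""
    if not verify_signature(secret, body, signature_header):
        log.warning("webhook rejected: bad or missing signature")
        return {"accepted": False}
    payload = json.loads(body)
    # Safe at DEBUG: the logged copy never contains the raw credential.
    log.debug("webhook received: %s", json.dumps(redact(payload)))
    return {"accepted": True, "payload": payload}


if __name__ == "__main__":
    SECRET = b"shared-webhook-secret"  # constructed for the demo
    # Constructed sample payload carrying a service credential in cleartext.
    body = json.dumps(
        {"event": "service.created", "service": {"user": "svc-app", "password": "Hunter2!"}}
    ).encode()
    good = handle_webhook(SECRET, body, sign(SECRET, body))
    print("accepted:", good["accepted"])
    # A tampered body presented with the original signature must be rejected.
    tampered = body.replace(b"svc-app", b"attacker")
    bad = handle_webhook(SECRET, tampered, sign(SECRET, body))
    print("tampered accepted:", bad["accepted"])
```

Run it and the DEBUG line shows `"password": "***REDACTED***"` while the handler still has the real value in `payload`; the tampered delivery is logged as rejected. Note what this does not fix: the hypothetical upstream sender still puts a cleartext credential in the body, so HTTPS only protects it on the wire, and the receiver must treat the decrypted body as secret material from the moment it arrives.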

Comments

intheshadows00
8 months, 4 weeks ago
It is B. Since the application receives a webhook over HTTPS without a secret, there is a risk that the credentials in the webhook information could be transmitted over the network without encryption. Using HTTPS is a secure way to transmit data, but without a secret or proper authentication, there is a risk of unauthorized access. Enabling transport layer encryption (such as HTTPS) and ensuring proper authentication mechanisms for webhooks are essential to prevent the exposure of sensitive information during transmission.
upvoted 1 times
Omniumdolour
3 days, 4 hours ago
HTTPS is encrypted transport; the credentials are no more at risk than any other traffic over HTTPS. The fact that the webhook info is in cleartext and debugging is going to log said webhook info means that your log is going to contain the credentials in cleartext. So you should turn off webhook logging during debug. C.
upvoted 1 times
rtg2123
1 year, 6 months ago
Selected Answer: C
From my point of view C is the correct answer because B says something about during transport, which is HTTPS and which is encrypted -> so no security issue because you cannot decrypt it. And when using webhooks debug, an attacker can exploit this vulnerability and obtain the credentials. So the problem is that this debug should not be present in a production app constructed in this way. For more details about webhooks debugging: https://hookdeck.com/webhooks/guides/troubleshooting-debugging-webhooks-tutorial#conclusion
upvoted 2 times
nunyabeez
1 year, 7 months ago
Selected Answer: B
This is tricky. It seems that all aspects of security are valid until debugging happens. When the webhook is sent, even though the creds are in plain text in the data payload, the transmission is encrypted with HTTPS. Then those creds are stored with a secure hash. Then they're accessed with a vault service. The only insecure part is the debugging. When the debugging happens, you can see the user/pass in the debugging logs. Technically, that makes B correct, as the logging is done after the HTTPS is decrypted, but it also makes C correct. However, the question asks what the issue is, not what the solution is. Answer C is a solution, not the issue, so I'm going with B.
upvoted 4 times
mellohello
1 year, 8 months ago
Selected Answer: B
B is the correct answer!
upvoted 4 times
aplicacion101
2 years ago
Selected Answer: B
Not A: credentials to the database are accessed at runtime through the use of a vault service. B makes sense because there is no secret; the missing secret is the key. It is not possible to complete some security processes. C makes no sense. D: webhooks use HMAC to guarantee integrity and source.
upvoted 1 times
Angryeyebrows
2 years, 2 months ago
Selected Answer: A
It's saying that HTTPS is used during the webhook, which makes me think it's not B and should be A.
upvoted 1 times
Medusa8
2 years, 2 months ago
Selected Answer: B
I think it should be B
upvoted 1 times
XerAR
2 years, 2 months ago
Selected Answer: C
I guess is C
upvoted 1 times
shtou
2 years, 3 months ago
Selected Answer: B
It's B for me.
upvoted 1 times
macxsz
2 years, 3 months ago
Selected Answer: A
The credentials are received in cleartext, so B is incorrect. A makes sense as this is a best practice.
upvoted 1 times
SierraSix
2 years, 1 month ago
I think that’s the catch here. The question is asking what the issue is. I think it’s B. A would be the correct action.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other