Top CompTIA CAS-002 ebook Choices

we provide High value CompTIA CAS-002 test preparation which are the best for clearing CAS-002 test, and to get certified by CompTIA CompTIA Advanced Security Practitioner (CASP). The CAS-002 Questions & Answers covers all the knowledge points of the real CAS-002 exam. Crack your CompTIA CAS-002 Exam with latest dumps, guaranteed!


Free VCE & PDF File for CompTIA CAS-002 Real Exam
(Full Version!)

Pass on Your First TRY 100% Money Back Guarantee Realistic Practice Exam Questions

Free Instant Download NEW CAS-002 Exam Dumps (PDF & VCE):
Available on:

Q301. – (Topic 2) 

A security tester is testing a website and performs the following manual query: 

The following response is received in the payload: 

“ORA-000001: SQL command not properly ended” 

Which of the following is the response an example of? 

A. Fingerprinting 

B. Cross-site scripting 

C. SQL injection 

D. Privilege escalation 


Q302. – (Topic 3) 

Company ABC was formed by combining numerous companies which all had multiple databases, web portals, and cloud data sets. Each data store had a unique set of custom developed authentication mechanisms and schemas. Which of the following approaches to combining the disparate mechanisms has the LOWEST up front development costs? 

A. Attestation 


C. Biometrics 

D. Federated IDs 


Q303. – (Topic 5) 

The manager of the firewall team is getting complaints from various IT teams that firewall changes are causing issues. Which of the following should the manager recommend to BEST address these issues? 

A. Set up a weekly review for relevant teams to discuss upcoming changes likely to have a broad impact. 

B. Update the change request form so that requesting teams can provide additional details about the requested changes. 

C. Require every new firewall rule go through a secondary firewall administrator for review before pushing the firewall policy. 

D. Require the firewall team to verify the change with the requesting team before pushing the updated firewall policy. 


Q304. – (Topic 4) 

Company A needs to export sensitive data from its financial system to company B’s database, using company B’s API in an automated manner. Company A’s policy prohibits the use of any intermediary external systems to transfer or store its sensitive data, therefore the transfer must occur directly between company A’s financial system and company B’s destination server using the supplied API. Additionally, company A’s legacy financial software does not support encryption, while company B’s API supports encryption. Which of the following will provide end-to-end encryption for the data transfer while adhering to these requirements? 

A. Company A must install an SSL tunneling service on the financial system. 

B. Company A’s security administrator should use an HTTPS capable browser to transfer the data. 

C. Company A should use a dedicated MPLS circuit to transfer the sensitive data to company B. 

D. Company A and B must create a site-to-site IPSec VPN on their respective firewalls. 


Q305. – (Topic 2) 

Ann is testing the robustness of a marketing website through an intercepting proxy. She has intercepted the following HTTP request: 

POST /login.aspx HTTP/1.1 


Content-type: text/html 


Which of the following should Ann perform to test whether the website is susceptible to a simple authentication bypass? 

A. Remove all of the post data and change the request to /login.aspx from POST to GET 

B. Attempt to brute force all usernames and passwords using a password cracker 

C. Remove the txtPassword post data and change alreadyLoggedIn from false to true 

D. Remove the txtUsername and txtPassword post data and toggle submit from true to false 


Q306. – (Topic 2) 

Joe, a penetration tester, is tasked with testing the security robustness of the protocol between a mobile web application and a RESTful application server. Which of the following security tools would be required to assess the security between the mobile web application and the RESTful application server? (Select TWO). 

A. Jailbroken mobile device 

B. Reconnaissance tools 

C. Network enumerator 

D. HTTP interceptor 

E. Vulnerability scanner 

F. Password cracker 

Answer: D,E 

Q307. – (Topic 5) 

A company has received the contract to begin developing a new suite of software tools to replace an aging collaboration solution. The original collaboration solution has been in place for nine years, contains over a million lines of code, and took over two years to develop originally. The SDLC has broken the primary delivery stages into eight different deliverables, with each section requiring an in-depth risk analysis before moving on to the next phase. Which of the following software development methods is MOST applicable? 

A. Spiral model 

B. Incremental model 

C. Waterfall model 

D. Agile model 


Q308. – (Topic 3) 

A network administrator notices a security intrusion on the web server. Which of the following is noticed by[hostilejavascript]&fid=2 in the log file? 

A. Buffer overflow 

B. Click jacking 

C. SQL injection 

D. XSS attack 


Q309. – (Topic 4) 

Three companies want to allow their employees to seamlessly connect to each other’s wireless corporate networks while keeping one consistent wireless client configuration. Each company wants to maintain its own authentication infrastructure and wants to ensure that an employee who is visiting the other two companies is authenticated by the home office when connecting to the other companies’ wireless network. All three companies have agreed to standardize on 802.1x EAP-PEAP-MSCHAPv2 for client configuration. Which of the following should the three companies implement? 

A. The three companies should agree on a single SSID and configure a hierarchical RADIUS system which implements trust delegation. 

B. The three companies should implement federated authentication through Shibboleth connected to an LDAP backend and agree on a single SSID. 

C. The three companies should implement a central portal-based single sign-on and agree to use the same CA when issuing client certificates. 

D. All three companies should use the same wireless vendor to facilitate the use of a shared cloud based wireless controller. 


Q310. – (Topic 4) 

The Chief Executive Officer (CEO) of a large prestigious enterprise has decided to reduce business costs by outsourcing to a third party company in another country. Functions to be outsourced include: business analysts, testing, software development and back office functions that deal with the processing of customer data. The Chief Risk Officer (CRO) is concerned about the outsourcing plans. Which of the following risks are MOST likely to occur if adequate controls are not implemented? 

A. Geographical regulation issues, loss of intellectual property and interoperability agreement issues 

B. Improper handling of client data, interoperability agreement issues and regulatory issues 

C. Cultural differences, increased cost of doing business and divestiture issues 

D. Improper handling of customer data, loss of intellectual property and reputation damage