Because some clients have reported unauthorized activity on their accounts, a security analyst is reviewing network packet captures from the company's API server.

A portion of a capture file is shown below:

Which of the following MOST likely explains how the clients' accounts were compromised?

Question

Because some clients have reported unauthorized activity on their accounts, a security analyst is reviewing network packet captures from the company's API server.

A portion of a capture file is shown below:

POST /services/v1_0/Public/Members.svc/soap
<s:Envelopetxmlns:s="http: //schemas.s/soap/envelope/"><s:Body>

<Get IPLocation+xmlns="http: //tempuri.org/">
<request+xmlns:a="http!//schemas .somesite.org"+xmlns:i="http: //www.w3.or
g/2001/XMLSchema-instance"></s:Body></s:Envelope> 192.168.1.22 - -
api.somesite.com 200 0 1006 1001 0 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <<a:Password>Password123
</atPassword><a: Reset PasswordTokent+i:nil="true"/>
<a!ShouldImpersonatedaAuthent icationBePopulated+i:nil="true"/>
sername>somebody@companyname . com</a:Username></request></Login>
</s:Body></s:Envelope> 192.168.5.66 - - api.somesite.com 200 0 11558
1712 2024 192.168.4.89

POST /services/v1_0/Public/Members.svc/soap
<s:Envelopetxmlns:s="http: //schemas . xmlsoap .org/soap/envelope/"><s:Body>
<GetIPLocation+xmlns="http://tempuri.org/"> <a:IPAddress>516.7.446.605
</a:IPAddress><a:ZipCodeti:nil="true"/></request></GetIPLocation>
</s:Body></s:Envelope> 192.168.1.22 - - api.somesite.com 200 0 1003 1011
307 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap
<s:Envelope+xmlns:s="http: //schemas.xmlsoap.org/soap/envelope/"><s :Body>
<IsLoggedIntxmlns="http: //tempuri.org/">
<request+xmlns:a="http: //schemas .datacontract .org/2004/07/somesite.web+x
mlns:i="http: //www.w3.org/2001/xXMLSchema-instance"><a:Authentication>
piToken>kmL4krg2CwwWBan5BReGV5Djb7syxXTNKcWEuSjd</a:ApiToken>
mpersonateUserId>0</a: ImpersonateUserId><a:LocationId>161222
</a:LocationId> <a:NetworkId>4</a:NetworkId><a: ProviderId>''1=1

</a: Providerld><a : UserId>13026046</a:UserId></a:Authentication>
</request></IsLoggedIn></s:Body></s:Envelope> 192.168.5.66 - -
api.somesite.com 200 0 1378 1209 48 192.168.4.89

Which of the following MOST likely explains how the clients' accounts were compromised?

Exam-Answer · Accepted Answer

The clients` authentication tokens were impersonated and replayed.

Question 56 of 160 from exam CS0-002: CompTIA CySA+

Question

Answers

Explanations