CAPIE - Chapter 5.4
API Pentesting Documentation - Multiple Choice Quiz
Question 1:
What is the primary purpose of a Test Plan in API pentesting?
A. To document discovered vulnerabilities and provide remediation steps
B. To outline the objectives, scope, and methodology of the pentest
C. To convene stakeholders and discuss lessons learned
D. To eliminate the need for any post-assessment meetings
Question 2:
Which of the following is typically not included in a Test Plan for an API pentest?
A. Detailed Postman collections or Swagger files describing the APIs
B. A schedule for retesting and ongoing monitoring after remediation
C. An NDA signed by all testing personnel
D. Out-of-scope systems and endpoints
Question 3:
According to the chapter, which testing approach involves partial knowledge of an API's internal details to improve coverage and accuracy?
A. Black-box testing
B. Grey-box testing
C. White-box testing
D. Fuzz testing
Question 4:
What is the primary role of the Test Report in a pentest engagement?
A. To determine the project's overall budget
B. To provide a structure for scheduling the test
C. To document vulnerabilities, impacts, and recommended fixes
D. To train internal staff on using a new framework
Question 5:
Which section of a Test Report offers a quick, high-level overview for non-technical stakeholders?
A. Executive Summary
B. Appendices
C. Methodology
D. Findings
Question 6:
In the example Test Report structure, where would detailed logs and technical data (e.g., request/response payloads) typically be placed?
A. The Executive Summary
B. The Methodology section
C. The Appendices
D. The Recommendations section
Question 7:
Which activity is the main focus of the Test Debrief Meeting?
A. Conducting additional pentesting on new endpoints
B. Reviewing findings, discussing remediation strategies, and learning lessons
C. Negotiating the cost of pentest services
D. Archiving old system logs to free up disk space
Question 8:
Who usually participates in the Test Debrief Meeting?
A. The pentest team, security team, development team, and relevant stakeholders
B. Only the CEO and CFO of the organization
C. Front-end designers and marketing personnel
D. Legal experts and external auditors exclusively
Question 9:
During a Test Debrief Meeting, what is one key outcome the chapter highlights?
A. A finalized compliance certification from regulators
B. A redesigned company logo to reflect security improvements
C. A clear roadmap for remediation and future security assessments
D. A guarantee that no other vulnerabilities exist
Question 10:
Which statement best summarizes the conclusion of Chapter 5?
A. The pentest process ends after vulnerabilities are found, with no additional follow-up
B. A formal Test Plan, detailed Test Report, and collaborative Debrief Meeting ensure thorough and effective API security assessments
C. Most API pentests can omit a Test Plan in favor of ad-hoc techniques
D. The main purpose of a Test Debrief Meeting is to reduce the scope of findings