API Security Architect Exam Answers – API Academy

API Security Architect Certification
  • Establish credentials with a handshake or registration during client installation, instead of hosting the secrets in code.
  • Consistently implement monitoring and detection
  • Move the credentials to a server
  • Do NOT move the credentials to a server
  • Client Threats -> Attackers obtaining client secrets. Attackers phishing for credentials using compromised or embedded browser. Open redirection on the client side.
  • Endpoint Threats -> Phishing by counterfeit authorization server. Interception of traffic to resource server.
  • Token Threats -> Token theft. Disclosure of client credentials during token transmission. Obtaining client secrets from either the database or through guesswork.
  • ID Token -> …contains claims about authentication status of an end user, and indicates the status of the authentication.
  • Access Token -> …indicates the status of authorization. It can be used by a client to retrieve additional user information, but is not intended to carry information about the user.
  • Refresh Token -> …is used to get a new access token once the previous token has expired.
  • JSON Web Token -> …is a signed and/or encrypted, stateless and self-contained token format, carrying all the necessary information within their header, payload, and signature.
  • Authorization code -> The resource owner’s credentials are never shared with the client application and the resource server. The access token is never shared with the resource owner. It is the most secure and most common grant type today.
  • Implicit -> The client is issued an access token directly. No intermediate credentials (such as an authorization code) are issued. The authorization server does not authenticate the client.
  • Resource owner password credentials -> This grant type should only be used when there is a high degree of trust between the resource owner and the client, such as if the resource owner is the sole owner or operator of the device. Given the nature of this grant type, the ability of a person to impersonate the resource owner is highly likely, making it incredibly easy for hackers to have complete access. Use this type only when other authorization grant types are not available.
  • Client credentials -> This grant type is typically used when the client is acting on its own behalf or is requesting access based on a previously arranged authorization. Example use cases are typically for non-interactive applications such as a Command Line Interface, a daemon, or any service running in a backend server that doesn’t require any interaction with the end user. Many IoT devices also fall into this category. In all these examples, the client application would request and receive the access token without the user having any access to the protected resources.
  • Joe logs into a third-party application and wishes to access his banking information from the application.
  • The third-party application sends an authorization request to the bank’s authorization server. It redirects Joe’s browser to the login screen of the authorization server.
  • The authorization server asks Joe to authorize the third-party application’s access to his banking information.
  • Joe grants or denies the third-party application’s access to the banking information.
  • The OAuth 2.0 protocol… -> …excels at delegated authorization.
  • Scope, a mechanism in OAuth 2.0… -> …is designed to limit an application’s access to a resource such as user’s data.
  • The client ID… -> …is a public identifier for apps and is typically encoded in a multi-character hex string.
  • The authorization code… -> …is not enough for the client application to fetch the requested resources from the resource server and is subsequently exchanged for an access token.
  • Using claims to the fullest extent
  • Setting a shorter timeout
  • Never letting the header alone drive verification
  • All options are correct
  • A good consideration to address redirect hijack is to implement a proof key for code exchange (PKCE).
  • The redirection hijack happens once authorization has been granted with either an authorization code or implicit grant type. Instead of redirecting back to the client, the authorization server is fooled into redirecting to somewhere other than the client.
  • All options are correct
  • One way to mitigate the risk of redirection hijack is to whitelist the redirect URIs on the authorization server.
  • False
  • True
  • The OAuth 2.0 core framework has not really been evolving as contributors are not allowed to publish additional specifications.
  • OAuth 2.0 has a reputation to be complicated and difficult to implement, not only because of the various grant types but also because the specification itself is less prescriptive.
  • OAuth 2.0 authentication was designed to address vulnerabilities in OpenID Connect authorization protocol.
  • Like other open-source frameworks of similar scale and magnitude, a long list of RFC specifications makes OAuth 2.0 potentially overwhelming.
  • True
  • False
  • JWT is checked against the token registry on the authorization server.
  • JWT is stateless.
  • JWT is stateful.
  • As a versatile token format, JWT’s usage spans across the OAuth 2.0 and OpenID Connect workflow: It can be used as a format for ID tokens, access tokens, and refresh tokens.
  • JWT is programming language-agnostic.
  • TLS (Transport Layer Security) and SSL (Secure Sockets Layer)… -> …are cryptographic protocols that help you keep the internet connection and transfer of data secure.
  • Rate limiting, Message validation, Encryption and signing and Access control… -> …are standard security functions from the API gateway world that are important when it comes to protecting the APIs and mitigating API threats.
  • HTTP access control… -> …provides an access authentication feature and allows servers to challenge clients and reject unauthorized access.
  • TLS trust attacks… -> …can be divided into three categories: certificate authority vulnerabilities, human vulnerabilities and man-in-the-middle issues.
  • For APIs, we CANNOT rely on the same security methods and technologies that we use to secure the browser-centric web applications.
  • APIs are fundamentally different from the traditional browser-centric web and therefore have a unique risk profile.
  • APIs DO NOT share any underlying technologies with traditional browser-centric web applications.
  • Well-designed APIs are, by nature, more transparent than websites and therefore more vulnerable.
  • HTTP Access Control
  • TLS / SSL protocol
  • OpenID Connect protocol
  • Implicit grant type
  • The ID Token acts like an encrypted fingerprint that travels through the flow with the access token.
  • Within the Authorization flow, if “openid” is included as the scope, an additional ID Token is generated along with the Access Token.
  • All options are correct
  • The OpenID Connect protocol is an extension of OAuth 2.0 that is filling in the authentication gaps within OAuth 2.0, such as better enabling SSO.
  • False
  • True
  • OAuth 2.0
  • OpenID 2.0
  • OpenID Connect
  • Access Token
  • Every JSON Web Token comprises three elements – header, payload and signature.
  • JWT is NOT part of the JavaScript Object Signing and Encryption framework.
  • JWT is a token format, an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
  • Higher verbosity is a characteristic that encourages usage of JWT tokens.
  • False
  • True
  • Cryptographic protocols that help you keep the internet connection and transfer of data secure
  • Authorization and authentication features
  • The most typical components in the API security domain
  • Historical vulnerabilities related to TLS/SSL protocols
  • False
  • True
  • The authorization server validates the client’s request and generates a JWT (which it encrypts and signs using a private key).
  • The authorization server returns the JWT to the client.
  • The client makes a request to the resource server with the JWT and the server must validate the token with its private key.
  • The server’s protected routes will check for a valid JWT in the Authorization header, and if it is present, the client will be allowed to access protected resources.
  • URL redirect
  • A proof key for code exchange (PKCE)
  • Cross-Origin Resource Sharing (CORS)
  • Access and refresh tokens
  • Certificate pinning
  • Cross-site scripting and denial of service attacks
  • Attackers phishing for credentials using a compromised or embedded browser
  • Man-in-the-middle and man-in-the-browser attacks
