[Information Gathering and Vulnerability Scanning] A penetration tester performs several Nmap scans against the web application for a client. INSTRUCTIONS Click on the WAF and servers to review the results of the Nmap scans. Then click on each tab to select the appropriate vulnerability and remediation options. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_120_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_120_img_2.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_121_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_121_img_2.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_122_img_1.jpg

Does the question specify if "best" remediation is required, or just any viable option? If they're asking for the most secure setup, I'd say only allowing the approved components plus that custom auth header is key. If it's just about any fix, network restriction alone could suffice.

Question 13 - Top CompTIA Pentest+ PT0-003 Real Exam Questions [Jan 2026 Update]

Q: 13

[Information Gathering and Vulnerability Scanning] A penetration tester performs several Nmap scans against the web application for a client. INSTRUCTIONS Click on the WAF and servers to review the results of the Nmap scans. Then click on each tab to select the appropriate vulnerability and remediation options. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Your Answer

Correct Answer:

VULNERABILITY:

BYPASS THE WAF TO COMMUNICATE DIRECTLY WITH HTTPS://WWW.GOOGLE.COM/URL?SA=E&SOURCE=GMAIL&Q=APP01.EXAMPLE.COM.

REMEDIATION:

RESTRICT DIRECT COMMUNICATIONS TO HTTPS://WWW.GOOGLE.COM/URL?SA=E&SOURCE=GMAIL&Q=APP01.EXAMPLE.COM TO ONLY APPROVED COMPONENTS.

REQUIRE AN ADDITIONAL AUTHENTICATION HEADER VALUE BETWEEN HTTPS://WWW.GOOGLE.COM/SEARCH?Q=CDN.EXAMPLE.COM AND HTTPS://WWW.GOOGLE.COM/URL?SA=E&SOURCE=GMAIL&Q=APP01.EXAMPLE.COM.

Explanation

The Nmap scan results reveal that the application server (App01.example.com) has its HTTP (port 80) and HTTPS (port 443) ports open to the internet. The network architecture intends for all traffic to be filtered through the CDN/WAF. However, because the application server is directly accessible, an attacker can send requests to it without going through the WAF, effectively bypassing its security protections. This is a common misconfiguration where the origin server is not properly firewalled to accept connections only from the CDN/WAF's IP addresses.

The two most effective preventative measures address the vulnerability at different layers.

Network Layer: Restricting communication at the network level is the primary solution. This involves configuring firewall rules or network access control lists (ACLs) on the application server to only accept incoming traffic from the specific IP address ranges of the CDN/WAF. This ensures no other entity on the internet can connect directly.
Application Layer: Requiring a custom authentication header adds a second layer of defense. The CDN/WAF is configured to add a secret, custom HTTP header to all requests it forwards to the application server. The application server is then configured to reject any request that does not contain this specific header and value, preventing direct access.

References

Microsoft Azure Documentation. (2023). Restrict access to a specific Azure region. In Azure Front Door. Microsoft explicitly recommends using IP ACLing for backends to ensure traffic is routed exclusively through the Front Door service. "You can configure your backend to only accept traffic from Azure Front Door's backend IP address range and Azure's infrastructure services. ... This configuration ensures that your backend is only reachable through Azure Front Door."

Amazon Web Services (AWS) Documentation. (2024). Restricting access to an Amazon S3 origin. In Amazon CloudFront Developer Guide. AWS details two methods for securing an origin: using origin access control (OAC) and adding custom headers. The guide states, "You can require that users access your content through CloudFront URLs, not by using Amazon S3 URLs. ... Another way to restrict access to content at an origin is to add custom headers to the requests that CloudFront sends to your origin." (Section: Using custom headers to restrict access).

Chell, S., et al. (2020). The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws (2nd ed.). Wiley. While the book itself is a commercial source, the principles it describes are foundational in cybersecurity academia. It discusses bypassing frontend proxies and WAFs by identifying the direct IP address of the backend server, a technique that is only possible if the backend server's firewall is misconfigured. The standard remediation is to ensure the backend only accepts connections from the trusted frontend proxy. (Chapter 9: Attacking Application Architecture).

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE