CompTIA CASP+ (CAS-003) — Question 282

A penetration test is being scoped for a set of web services with API endpoints. The APIs will be hosted on existing web application servers. Some of the new
APIs will be available to unauthenticated users, but some will only be available to authenticated users. Which of the following tools or activities would the penetration tester MOST likely use or do during the engagement? (Choose two.)

Answer options

• A. Static code analyzer
• B. Intercepting proxy
• C. Port scanner
• D. Reverse engineering
• E. Reconnaissance gathering
• F. User acceptance testing

Correct answer: B, C

Explanation

The correct answers are B and C. An intercepting proxy is essential for analyzing and manipulating API requests and responses, while a port scanner helps identify open ports on the web application servers. Static code analyzers and reverse engineering are less relevant to this specific engagement, and user acceptance testing is not a penetration testing activity.