Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu
Eccouncil Discussions
exam questions

Exam 312-50v12 All Questions

View all questions & answers for the 312-50v12 exam
Go to Exam

Exam 312-50v12 topic 1 question 227 discussion

Actual exam question from ECCouncil's 312-50v12
Question #: 227
Topic #: 1
[All 312-50v12 Questions]

A penetration tester is conducting an assessment of a web application for a financial institution. The application uses form-based authentication and does not implement account lockout policies after multiple failed login attempts. Interestingly, the application displays detailed error messages that disclose whether the username or password entered is incorrect. The tester also notices that the application uses HTTP headers to prevent clickjacking attacks but does not implement Content Security Policy (CSP). With these observations, which of the following attack methods would likely be the most effective for the penetration tester to exploit these vulnerabilities and attempt unauthorized access?

  • A. The tester could exploit a potential SQL Injection vulnerability to manipulate the application's database.
  • B. The tester could execute a Brute Force attack, leveraging the lack of account lockout policy and the verbose error messages to guess the correct credentials.
  • C. The tester could execute a Man-in-the-Middle (MitM) attack to intercept and modify the HTTP headers for a Clickjacking attack.
  • D. The tester could launch a Cross-Site Scripting (XSS) attack to steal authenticated session cookies, potentially bypassing the clickjacking protection.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by DarioReymag at Feb. 6, 2024, 10:38 p.m.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
LordXander
7 months, 3 weeks ago
Selected Answer: B
Because there's no account lockout mecanism and have detailed information whatever the username or password is wrong, the brute force method makes the most sense B
upvoted 1 times
...
xbsumz
9 months, 2 weeks ago
Could someone confirm the accuracy of this CEH technique
upvoted 1 times
Lalo
8 months ago
1.- It is not an exclusive technique of CEH, it is a general technique to crack passwords 2.- When reading the scenario it indicates ...does not implement account lockout policies after multiple failed login attempts... Therefore the correct option is option b. 3.- If you read the scenario carefully and know a little about security, you come to this conclusion
upvoted 1 times
...
...
insaniunt
9 months, 2 weeks ago
Selected Answer: B
B. The tester could execute a Brute Force attack, leveraging the lack of account lockout policy and the verbose error messages to guess the correct credentials.
upvoted 2 times
...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel