Exam 312-50v11 topic 1 question 390 discussion

D. Verbose failure messages p1848 Username Enumeration Attackers can enumerate usernames in two ways: verbose failure messages and predictable usernames. o Verbose Failure Message In a typical login system, the user enters two fields, namely username and password. In some cases, an application will ask for additional information. If the user is trying to log in and fails, it implies that at least one field was incorrect. This provides grounds for an attacker to exploit the application. Examples: Account <username> not found Incorrect password provided Account <username> has been locked out

D. Verbose failure messages

The correct option is D. Verbose failure messages

Verbose failure messages. Password reset mechanism is neutral and required for the whole auth mngt cycle, not a flaw.

Verbose failure messages

Attack Authentication Mechanism - Username Enumeration Exploit design and implementation flaws in web applications, such as failure to check password strength or insecure transmission of credentials, to bypass authentication mechanisms. verbose failure messages - In a typical login system, the user enters two fields, namely username and password. In some cases, an application will ask for additional information.
 (P.1864/1848)

A - I think password reset mechanism

The mechanism is the password reset. "Generating the verbose error, specifying if the username is valid" from the CEH book p1867 Verbose failure message is the way he get information.

verbose error

D is correct answer

The answer is D

is D. Verbose failure messages

in my opinion the correct answer is D) Verbose failure messages

VERBOSE FAILURE MESSAGES: ANY LOGIN FORM OF AN APPLICATION REQUESTS USERS TO FEED AT LEAST TWO FIELDS, NAMELY USERNAME AND PASSWORD. A FEW APPLICATIONS MAY ALSO ASK FOR ADDITIONAL PARAMETERS SUCH AS DOB, ANSWER TO A SECURITY QUESTION, AND OTP PIN, TO VALIDATE A USER. IF THE LOGIN ATTEMPT IS UNSUCCESSFUL, THE APPLICATION INDICATES THAT THE INFORMATION PROVIDED IS NOT VALID. >>>>>>>>>>WHEN THE APPLICATION SPECIFIES WHICH FIELD IS INCORRECT OR POPS UP REASONS FOR DENYING ACCESS, ATTACKERS CAN EASILY EXPLOIT THAT FIELD BY TRYING A LARGE SET OF SIMILAR NAMES OR WORDS TO ENUMERATE VALID DATA REQUIRED TO ACCESS THE APPLICATION. >>>>>>THE LIST OF ENUMERATED DATA CAN ALSO BE USED LATER FOR SOCIAL ENGINEERING

D. Is the correct answer.

Most authentication mechanisms used by web applications have design flaws. Attackers can identify these flaws and exploit them to gain unauthorized access to the web application. Such design flaws include failure to check password strength, insecure transmission of credentials over the Internet, etc. Web applications usually authenticate their clients or users by a combination of a username and password, which can be identified and exploited.  Username Enumeration Attackers can enumerate usernames in two ways: verbose failure messages and predictable usernames. o Verbose Failure Message In a typical login system, the user enters two fields, namely username and password. In some cases, an application will ask for additional information. If the user is trying to log in and fails, it implies that at least one field was incorrect. This provides grounds for an attacker to exploit the application.

The correct answer is D. Verbose failure messages as per the CEH book, Module 14 Page 1848, If the user is trying to log in and fails, it implies that at least one field was incorrect. This provides grounds for an attacker to exploit the application. Password reset mechanism is a password cracking tool, hence why I believe 'D' is the correct answer to this question.