CompTIA CySA+ (CS0-002) — Question 409
During the security assessment of a new application, a tester attempts to log in to the application but receives the following message: incorrect password for given username. Which of the following can the tester recommend to decrease the likelihood that a malicious attacker will receive helpful information?
Answer options
- A. Set the web page to redirect to an application support page when a bad password is entered.
- B. Disable error messaging for authentication.
- C. Recognize that error messaging does not provide confirmation of the correct element of authentication.
- D. Avoid using password-based authentication for the application.
Correct answer: C
Explanation
Option C is correct. The message "incorrect password for given username" confirms that the username exists, so an attacker can enumerate valid accounts first and then concentrate password guessing on them. The recommendation is to make the failure response generic (for example, "invalid username or password") so that it never confirms which element of the credentials was correct. Option A only changes where the user lands after a failed attempt; if the redirect happens only for a bad password and not for an unknown username, the behaviour still reveals which usernames are valid. Option B removes feedback entirely, which harms usability and is not needed; a single generic message is sufficient. Option D is not practical because it dismisses the most common authentication method instead of fixing the information the error message leaks.
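The following is an added example, not part of the original question or explanation, showing the leaky behaviour from the question beside the generic-message fix that option C recommends. The user store, usernames and passwords are constructed for the example. It also covers a caveat the question does not raise: if the server skips the password hash when the username is unknown, the response time still reveals whether the account exists, so the hardened path hashes against a dummy record either way.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid username or password."


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}

# Dummy record used when the username does not exist, so the hardened login
# performs the same hashing work on every failure path (timing caveat).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-accepted", _DUMMY_SALT)


def leaky_login(username: str, password: str) -> tuple[bool, str]:
    """Behaviour from the question: the message says which element failed."""
    record = USERS.get(username)
    if record is None:
        return False, "unknown username"
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "incorrect password for given username"
    return True, "ok"


def hardened_login(username: str, password: str) -> tuple[bool, str]:
    """Option C applied: one generic message, same work whether or not the user exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(_hash_password(password, salt), stored)
    # The username check is combined with the password check after hashing so
    # an unknown username never short-circuits, and the dummy hash can never
    # log anyone in because the username test still fails.
    if username not in USERS or not password_ok:
        return False, GENERIC_ERROR
    return True, "ok"


def can_enumerate_users(login) -> bool:
    """Attacker's test: submit a wrong password for a real and a bogus username
    and check whether the two responses can be told apart."""
    _, msg_real = login("alice", "wrong-password")
    _, msg_bogus = login("nobody", "wrong-password")
    return msg_real != msg_bogus


if __name__ == "__main__":
    print("leaky login enumerable:   ", can_enumerate_users(leaky_login))
    print("hardened login enumerable:", can_enumerate_users(hardened_login))
```

The same discipline applies to everything else an attacker can observe on the failure path: HTTP status code, response length, redirect target and response time should all be identical for an unknown username and a wrong password.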