CompTIA PenTest+ (PT0-003) — Question 179
A penetration tester enters an invalid user ID on the login page of a web application and receives a message indicating the user is not found. The tester then tries a valid user ID with an incorrect password, and the web application indicates the password is invalid. Which of the following should the tester attempt next?
Answer options
- A. Error log analysis
- B. DoS attack
- C. Enumeration
- D. Password dictionary attack
Correct answer: C
Explanation
The correct answer is C, Enumeration. The application returns a different error depending on whether the user ID exists ("user not found" versus "password is invalid"), so the login form itself acts as an oracle for account existence. The tester's next step is user enumeration: submit a list of candidate user IDs with an arbitrary password and record which ones receive the "password is invalid" response; those are valid accounts. A password dictionary attack (D) is the step that follows enumeration, not the one that precedes it: attempting it before valid accounts are known wastes attempts and risks triggering lockouts on accounts that may not exist. Error log analysis (A) requires server-side access the tester does not have at this point, and a DoS attack (B) disrupts service rather than gathering information and is not warranted by this finding. The message discrepancy is itself a reportable weakness; the remediation is a single generic failure message for both cases, with response size and timing that do not vary with account validity.
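As an added illustration (not part of the original question or explanation), the script below shows the enumeration step the answer describes. The login responses are simulated with a constructed stand-in for the vulnerable application, with hypothetical account names and messages; a hardened variant that returns one generic message is included to show why the oracle disappears. Each login attempt is a plain callable so the same logic could be pointed at a real form with an HTTP client.

```python
"""Username enumeration through a login error-message discrepancy.

Added example with constructed data: the accounts, messages and candidate list
below are hypothetical and stand in for the web application in the question.
"""
from typing import Callable, Dict, List, Tuple

# Constructed account store for the simulated application.
_ACCOUNTS = {"alice": "Winter2024!", "bob": "hunter2", "svc_backup": "B@ckup#1"}

Response = Tuple[int, str]          # (HTTP status, response body)
LoginFn = Callable[[str, str], Response]


def vulnerable_login(username: str, password: str) -> Response:
    """Simulated login that leaks account existence via two distinct errors."""
    if username not in _ACCOUNTS:
        return 200, "Error: user not found"
    if _ACCOUNTS[username] != password:
        return 200, "Error: the password is invalid"
    return 302, "Welcome"


def hardened_login(username: str, password: str) -> Response:
    """Same application with the fix applied: one generic failure message."""
    if _ACCOUNTS.get(username) != password:
        return 200, "Error: invalid username or password"
    return 302, "Welcome"


def fingerprint(resp: Response) -> Tuple[int, int, str]:
    """Reduce a response to the features an attacker compares across attempts.

    Status code, body length and normalised body text are all cheap
    discriminators; a real run would usually add timing as a fourth.
    """
    status, body = resp
    return status, len(body), " ".join(body.lower().split())


def enumerate_users(login: LoginFn, candidates: List[str]) -> Dict[str, List[str]]:
    """Classify candidate user IDs by comparing each response to a baseline.

    The baseline is the response for a user ID that cannot exist. Any candidate
    whose response differs from it (without being a successful login) is
    treated as a valid account. If the application returns the same response
    for every candidate, no oracle exists and the 'valid' list stays empty.
    """
    probe_password = "definitely-not-the-password"
    baseline = fingerprint(login("zz_enum_baseline_" + "9" * 12, probe_password))
    result: Dict[str, List[str]] = {"valid": [], "invalid": []}
    for user in candidates:
        fp = fingerprint(login(user, probe_password))
        if fp == baseline:
            result["invalid"].append(user)
        else:
            result["valid"].append(user)
    return result


def has_enumeration_oracle(login: LoginFn, candidates: List[str]) -> bool:
    """True when at least one candidate produced a response distinct from the baseline."""
    return bool(enumerate_users(login, candidates)["valid"])


if __name__ == "__main__":
    # Constructed wordlist mixing real and non-existent account names.
    wordlist = ["admin", "alice", "root", "bob", "svc_backup", "guest"]
    print("vulnerable:", enumerate_users(vulnerable_login, wordlist))
    print("hardened:  ", enumerate_users(hardened_login, wordlist))
```

Against the vulnerable stand-in the three real accounts are separated from the rest in one pass, and only then would a dictionary attack be worth running against them; against the hardened variant every candidate matches the baseline and the tester learns nothing from the login form.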