Certified Ethical Hacker (CEH v12) — Question 222
A penetration tester is conducting an assessment of a web application for a financial institution. The application uses form-based authentication and does not implement account lockout policies after multiple failed login attempts. Interestingly, the application displays detailed error messages that disclose whether the username or password entered is incorrect. The tester also notices that the application uses HTTP headers to prevent clickjacking attacks but does not implement Content Security Policy (CSP). With these observations, which of the following attack methods would likely be the most effective for the penetration tester to exploit these vulnerabilities and attempt unauthorized access?
Answer options
- A. The tester could exploit a potential SQL Injection vulnerability to manipulate the application's database.
- B. The tester could execute a Brute Force attack, leveraging the lack of account lockout policy and the verbose error messages to guess the correct credentials.
- C. The tester could execute a Man-in-the-Middle (MitM) attack to intercept and modify the HTTP headers for a Clickjacking attack.
- D. The tester could launch a Cross-Site Scripting (XSS) attack to steal authenticated session cookies, potentially bypassing the clickjacking protection.
Correct answer: B
Explanation
The correct answer is B because the lack of an account lockout policy combined with the detailed error messages allows the tester to guess credentials systematically without being locked out: the error messages reveal which usernames are valid, and the missing lockout lets password guesses continue indefinitely against those accounts. Option A is incorrect because SQL Injection is not indicated as a vulnerability in this scenario, while options C and D focus on attacks that do not capitalize on the authentication weaknesses present.