Certified Ethical Hacker (CEH v12) — Question 268

Calvin, a grey-hat hacker, targets a web application that has design flaws in its authentication mechanism. He enumerates usernames from the login form of the web application, which requests users to feed data and specifies the incorrect field in case of invalid credentials. Later, Calvin uses this information to perform social engineering. Which of the following design flaws in the authentication mechanism is exploited by Calvin?

Answer options

A. User impersonation
B. Insecure transmission of credentials
C. Password reset mechanism
D. Verbose failure messages

Correct answer: D

Explanation

The correct answer is D: verbose failure messages reveal which part of the login process failed (for example "unknown username" versus "incorrect password"), so an attacker can confirm which usernames exist. The other options, user impersonation (A), insecure transmission of credentials (B), and the password reset mechanism (C), are different authentication weaknesses and do not relate to the information Calvin gains from the error messages.
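The flaw in answer D, as an added example that is not part of the CEH question or its explanation: a minimal login check in two variants. The verbose variant tells the caller which field was wrong; the generic variant returns one message for both failure cases and does the same hashing work on both paths, so neither the text nor the response time distinguishes a valid username from an invalid one. The user record, salt and passwords are constructed for this demonstration.

```python
# Added example (not from the question page): verbose vs generic login failures.
import hashlib
import hmac
import secrets

_ITERATIONS = 100_000
_SALT = b"constructed-salt"          # constructed; real systems use a per-user random salt


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store: username -> (salt, password hash)
USERS = {
    "alice": (_SALT, _hash("correct horse", _SALT)),
}

# Hash of a random value: used so that unknown usernames still cost a full
# password check in the hardened variant.
_DUMMY_HASH = _hash(secrets.token_hex(16), _SALT)


def login_verbose(username: str, password: str):
    """Vulnerable: the message reveals whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return (False, "Unknown username")
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return (False, "Incorrect password")
    return (True, "Welcome")


def login_generic(username: str, password: str):
    """Hardened: one message and one amount of work for every failure."""
    salt, stored = USERS.get(username, (_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if not (matches and username in USERS):
        return (False, "Invalid username or password")
    return (True, "Welcome")


def leaks_username_existence(login) -> bool:
    """Check used in review: does the failure text differ between a
    non-existent user and an existing user with a wrong password?"""
    _, msg_unknown_user = login("nobody", "x")
    _, msg_wrong_password = login("alice", "x")
    return msg_unknown_user != msg_wrong_password


if __name__ == "__main__":
    print("verbose leaks:", leaks_username_existence(login_verbose))   # True
    print("generic leaks:", leaks_username_existence(login_generic))   # False
```

The `leaks_username_existence` check is the kind of test worth keeping in a project's suite: it fails as soon as someone reintroduces a field-specific message. Note that a generic message alone is not enough if the two failure paths take visibly different time, which is why the hardened variant hashes a dummy value for unknown usernames.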