Certified Ethical Hacker (CEH v13) — Question 280
A penetration tester is conducting an assessment of a web application for a financial institution. The application uses form-based authentication and does not implement account lockout policies after multiple failed login attempts. Interestingly, the application displays detailed error messages that disclose whether the username or password entered is incorrect. The tester also notices that the application uses HTTP headers to prevent clickjacking attacks but does not implement Content Security Policy (CSP). With these observations, which of the following attack methods would likely be the most effective for the penetration tester to exploit these vulnerabilities and attempt unauthorized access?
Answer options
- A. The tester could exploit a potential SQL Injection vulnerability to manipulate the application's database.
- B. The tester could execute a Brute Force attack, leveraging the lack of account lockout policy and the verbose error messages to guess the correct credentials.
- C. The tester could execute a Man-in-the-Middle (MitM) attack to intercept and modify the HTTP headers for a Clickjacking attack.
- D. The tester could launch a Cross-Site Scripting (XSS) attack to steal authenticated session cookies, potentially bypassing the clickjacking protection.
Correct answer: B
Explanation
The correct answer is B because the lack of an account lockout policy combined with detailed error messages allows the tester to guess credentials systematically without being locked out: the verbose messages reveal whether a submitted username exists, so valid usernames can be confirmed first and passwords guessed against them without limit. Option A is incorrect because nothing in the scenario indicates a SQL Injection vulnerability. Options C and D are also not the best choices, as they target different attack vectors (header manipulation for clickjacking, and XSS) that do not directly exploit the identified weaknesses in authentication.