312-50V13 Question #452: Real Exam Question with Answer & Explanation
The correct answer is B: Verbose failure messages. Calvin exploited a web application's login form that provided specific error messages, enabling him to enumerate valid usernames.
Question
Calvin, a grey-hat hacker, targets a web application that has design flaws in its authentication mechanism. He enumerates usernames from the login form of the web application, which requests users to feed data and specifies the incorrect field in case of invalid credentials. Later, Calvin uses this information to perform social engineering. Which of the following design flaws in the authentication mechanism is exploited by Calvin?
Options
- A. Insecure transmission of credentials
- B. Verbose failure messages
- C. User impersonation
- D. Password reset mechanism
Explanation
Calvin exploited a login form whose failure message identifies which field was wrong (for example "unknown username" versus "incorrect password"). Because the two failures are distinguishable, submitting any password against a list of candidate usernames reveals which accounts exist; a correctly designed form returns the same generic message whether the username or the password was wrong.
Common mistakes.
- A. Insecure transmission of credentials refers to sending sensitive authentication data without proper encryption, allowing eavesdropping, which is distinct from enumerating usernames via login form responses.
- C. User impersonation is the act of successfully pretending to be another user, which is an outcome of exploiting a vulnerability, not the design flaw itself that permits username enumeration.
- D. A password reset mechanism vulnerability would involve flaws in the process of resetting forgotten passwords, such as weak token generation or improper email validation, not the informative error messages on a standard login form.
Concept tested. Authentication mechanism flaws (verbose error messages)
Reference. https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
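To make the flaw concrete, the following added example (not part of the original question or explanation) puts a verbose login handler next to a hardened one and runs the same enumeration probe against both. The user store, passwords and usernames are constructed for the example; the handlers are hypothetical and not taken from any real application.

```python
import hashlib
import hmac
import os

# Constructed user store for the example (username -> (salt, PBKDF2-SHA256 hash)).
# Not real credentials; built inline so the script runs offline.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT_A, _SALT_B = os.urandom(16), os.urandom(16)
USERS = {
    "alice": (_SALT_A, _hash_password("correct horse battery", _SALT_A)),
    "bob": (_SALT_B, _hash_password("hunter2", _SALT_B)),
}

# Dummy record so the hardened handler does the same hashing work whether or
# not the username exists; otherwise response time would leak the same fact
# that the verbose message leaks.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder", _DUMMY_SALT)


def login_verbose(username: str, password: str) -> tuple[bool, str]:
    """The design flaw from the question: the message names the wrong field."""
    record = USERS.get(username)
    if record is None:
        return (False, "Unknown username")
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return (False, "Incorrect password")
    return (True, "Login successful")


def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """One generic failure message and identical work on every failure path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    # The second check matters: without it, an unknown username combined with
    # the dummy password would be accepted.
    if ok and username in USERS:
        return (True, "Login successful")
    return (False, "Invalid username or password")


def enumerate_usernames(login, candidates: list[str], probe_password: str = "x") -> list[str]:
    """What Calvin does: submit a junk password for each candidate username and
    keep the ones whose failure message differs from the 'unknown user' baseline.

    The baseline is obtained with a name assumed not to exist (hypothetical)."""
    _, baseline = login("no-such-user-" + os.urandom(4).hex(), probe_password)
    found = []
    for name in candidates:
        ok, message = login(name, probe_password)
        if not ok and message != baseline:
            found.append(name)
    return found


if __name__ == "__main__":
    wordlist = ["alice", "bob", "mallory", "root"]
    print("verbose :", enumerate_usernames(login_verbose, wordlist))   # ['alice', 'bob']
    print("hardened:", enumerate_usernames(login_hardened, wordlist))  # []
```

The generic message is only half of the fix: if the "unknown username" path skips the password hash, the response time still distinguishes the two cases, which is why the hardened handler hashes against a dummy record. The same reasoning applies to registration and password-reset forms, which often leak account existence even when the login form does not.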