nerdexam
EC-Council

312-50V13 · Question #491

A penetration tester is conducting an assessment of a web application for a financial institution. The application uses form-based authentication and does not implement account lockout policies after

Sign in or unlock 312-50V13 to reveal the answer and full explanation for question #491. The question stem and answer options stay visible for context.

Submitted by chiamaka_o· Mar 6, 2026Hacking Web Applications

Question

A penetration tester is conducting an assessment of a web application for a financial institution. The application uses form-based authentication and does not implement account lockout policies after multiple failed login attempts. Interestingly, the application displays detailed error messages that disclose whether the username or password entered is incorrect. The tester also notices that the application uses HTTP headers to prevent clickjacking attacks but does not implement Content Security Policy (CSP). With these observations, which of the following attack methods would likely be the most effective for the penetration tester to exploit these vulnerabilities and attempt unauthorized access?

Options

  • AThe tester could execute a Brute Force attack, leveraging the lack of account lockout policy and
  • BThe tester could exploit a potential SQL Injection vulnerability to manipulate the application's
  • CThe tester could launch a Cross-Site Scripting (XSS) attack to steal authenticated session
  • DThe tester could execute a Man-in-the-Middle (MitM) attack to intercept and modify the HTTP

Unlock 312-50V13 to see the answer

You've previewed enough free 312-50V13 questions. Unlock 312-50V13 for full answers, explanations, the timed quiz mode, progress tracking, and the master PDF. Question stem and options stay visible so you can still see what's on the exam.

Topics

#Brute Force Attack#Authentication Bypass#Web Application Security#Username Enumeration
Full 312-50V13 Practice