312-50V13 Question #491: Real Exam Question with Answer & Explanation
Correct answer: A
Question
A penetration tester is conducting an assessment of a web application for a financial institution. The application uses form-based authentication and does not implement account lockout policies after multiple failed login attempts. Interestingly, the application displays detailed error messages that disclose whether the username or password entered is incorrect. The tester also notices that the application uses HTTP headers to prevent clickjacking attacks but does not implement Content Security Policy (CSP). With these observations, which of the following attack methods would likely be the most effective for the penetration tester to exploit these vulnerabilities and attempt unauthorized access?
Options
- A. The tester could execute a Brute Force attack, leveraging the lack of account lockout policy and
- B. The tester could exploit a potential SQL Injection vulnerability to manipulate the application's
- C. The tester could launch a Cross-Site Scripting (XSS) attack to steal authenticated session
- D. The tester could execute a Man-in-the-Middle (MitM) attack to intercept and modify the HTTP
Explanation
Option A is correct because the scenario explicitly highlights two critical vulnerabilities that directly enable a brute force attack: the absence of account lockout policies (allowing unlimited login attempts) and verbose error messages that reveal whether a username or password is incorrect (enabling username enumeration to target valid accounts efficiently). Together, these weaknesses create an ideal environment for systematically guessing credentials without triggering defensive countermeasures.
Option B (SQL Injection) is incorrect because there is no mention of database query vulnerabilities or unsanitized input fields - SQL Injection requires evidence of improper input handling, which the scenario doesn't indicate. Option C (XSS) is a tempting distractor since the missing CSP could facilitate XSS, but exploiting XSS requires injecting malicious scripts and typically targets other users - it doesn't directly achieve unauthorized login access. Option D (MitM) is incorrect because the scenario doesn't suggest unencrypted traffic or weak transport security; the presence of HTTP security headers actually implies some security awareness around transport-layer protections.
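To make the two enabling weaknesses concrete from the defender's side, here is an added Python example that is not part of the exam page: a `weak_login` function that behaves like the application in the scenario (field-specific error text, no lockout) beside a `HardenedAuth` class that returns one uniform message and locks an account for a window after repeated failures. The user store, salt, password and lockout parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import time

# Constructed demo credential store (username -> (salt, PBKDF2 digest)); not real data.
def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-demo-salt"
USERS = {"alice": (_SALT, _digest("correct horse battery staple", _SALT))}
GENERIC_MESSAGE = "Invalid username or password"


def weak_login(username: str, password: str) -> tuple[bool, str]:
    """Behaves like the application in the scenario: no lockout, and the
    error text reveals which field was wrong, which lets an attacker
    confirm valid usernames before guessing passwords."""
    if username not in USERS:
        return False, "Unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_digest(password, salt), stored):
        return False, "Incorrect password"
    return True, "Login successful"


class HardenedAuth:
    """Uniform error text plus a per-account lockout window.

    The clock is injectable so the lockout expiry can be exercised in tests
    without waiting; production code would simply use time.monotonic."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}       # username -> consecutive failed attempts
        self._locked_until = {}   # username -> clock value when the lock expires

    def is_locked(self, username: str) -> bool:
        return self._locked_until.get(username, 0.0) > self.clock()

    def _record_failure(self, username: str) -> None:
        n = self._failures.get(username, 0) + 1
        self._failures[username] = n
        if n >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            self._failures[username] = 0

    def login(self, username: str, password: str) -> tuple[bool, str]:
        if self.is_locked(username):
            # Same message as any other failure: no hint that the account exists or is locked.
            return False, GENERIC_MESSAGE
        salt, stored = USERS.get(username, (_SALT, b""))
        # Always compute the digest so a missing user costs the same time as a wrong password.
        candidate = _digest(password, salt)
        matches = username in USERS and hmac.compare_digest(candidate, stored)
        if not matches:
            self._record_failure(username)
            return False, GENERIC_MESSAGE
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)
        return True, "Login successful"


if __name__ == "__main__":
    print("weak:", weak_login("bob", "x"), weak_login("alice", "x"))
    auth = HardenedAuth(max_failures=3, lockout_seconds=60)
    print("hardened:", auth.login("bob", "x"), auth.login("alice", "x"))
```

The hardened version removes both ingredients the explanation names: the caller cannot tell an unknown username from a wrong password (the message and the response time are the same), and after `max_failures` consecutive failures the account rejects even the correct password until the window expires. A lockout keyed only by username can itself be abused to lock users out, so real deployments usually pair it with per-IP rate limiting or progressive delays rather than relying on it alone.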
🧠 Memory Tip: Think "No lockout + username hints = Brute Force paradise." When a question lists both missing lockout policies and informative error messages together, the answer almost always points to brute force or credential stuffing - the other attack types need different "ingredients" not present in the scenario.