CV0-003 · Question #775
An organization was preparing to harden an environment before granting access to external auditors. Vulnerability testing was completed, and only one low-priority, informational vulnerability remained
The correct answer is D. Penetration testing. The application allowed unauthenticated access to the login page, an authentication bypass that penetration testing would have actively discovered before granting external auditor access.
Question
An organization was preparing to harden an environment before granting access to external auditors. Vulnerability testing was completed, and only one low-priority, informational vulnerability remained outstanding:
Two weeks later, the auditors review the system on a new machine without an existing browser cache. Credentials are not required when accessing the application login page. Which of the following tests were skipped, causing this issue?
Exhibit
Options
- AFunctionality testing
- BUsability testing
- CRegression testing
- DPenetration testing
How the community answered
(36 responses)- A8% (3)
- B31% (11)
- C17% (6)
- D44% (16)
Why each option
The application allowed unauthenticated access to the login page, an authentication bypass that penetration testing would have actively discovered before granting external auditor access.
Functionality testing verifies that application features work as designed from a user perspective and does not actively probe whether security controls like authentication can be bypassed.
Usability testing evaluates the interface and user experience, not whether authentication mechanisms are properly enforced.
Regression testing checks whether recent code changes broke existing behavior and does not involve attempting to circumvent security controls.
Penetration testing involves actively attempting to exploit vulnerabilities, including trying to access protected pages without valid credentials. A penetration tester would have directly navigated to the login page on a clean browser and found that no credentials were required, exposing the authentication bypass. Automated vulnerability scanning rated the finding as low/informational, so only hands-on exploitation testing would have revealed the true severity.
Concept tested: Penetration testing to uncover authentication bypass vulnerabilities
Source: https://csrc.nist.gov/publications/detail/sp/800-115/final
Topics
Community Discussion
No community discussion yet for this question.
