nerdexam
CompTIA

CV0-003 · Question #775

An organization was preparing to harden an environment before granting access to external auditors. Vulnerability testing was completed, and only one low-priority, informational vulnerability remained

The correct answer is D. Penetration testing. The application allowed unauthenticated access to the login page, an authentication bypass that penetration testing would have actively discovered before granting external auditor access.

Security

Question

An organization was preparing to harden an environment before granting access to external auditors. Vulnerability testing was completed, and only one low-priority, informational vulnerability remained outstanding:

Two weeks later, the auditors review the system on a new machine without an existing browser cache. Credentials are not required when accessing the application login page. Which of the following tests were skipped, causing this issue?

Exhibit

CV0-003 question #775 exhibit

Options

  • AFunctionality testing
  • BUsability testing
  • CRegression testing
  • DPenetration testing

How the community answered

(36 responses)
  • A
    8% (3)
  • B
    31% (11)
  • C
    17% (6)
  • D
    44% (16)

Why each option

The application allowed unauthenticated access to the login page, an authentication bypass that penetration testing would have actively discovered before granting external auditor access.

AFunctionality testing

Functionality testing verifies that application features work as designed from a user perspective and does not actively probe whether security controls like authentication can be bypassed.

BUsability testing

Usability testing evaluates the interface and user experience, not whether authentication mechanisms are properly enforced.

CRegression testing

Regression testing checks whether recent code changes broke existing behavior and does not involve attempting to circumvent security controls.

DPenetration testingCorrect

Penetration testing involves actively attempting to exploit vulnerabilities, including trying to access protected pages without valid credentials. A penetration tester would have directly navigated to the login page on a clean browser and found that no credentials were required, exposing the authentication bypass. Automated vulnerability scanning rated the finding as low/informational, so only hands-on exploitation testing would have revealed the true severity.

Concept tested: Penetration testing to uncover authentication bypass vulnerabilities

Source: https://csrc.nist.gov/publications/detail/sp/800-115/final

Topics

#penetration testing#credential bypass#browser cache#vulnerability assessment

Community Discussion

No community discussion yet for this question.

Full CV0-003 Practice