A penetration tester is testing a web application's product search feature, which takes user input and queries the database. The tester suspects inadequate input sanitization. What is the best approach to confirm the presence of SQL injection?
Correct Answer: C
Tautology-based SQL injection tests, such as using ' OR '1'='1, are safe and effective methods to verify whether SQL queries are being manipulated by user input. CEH emphasizes avoiding destructive queries and using logical expressions that return all rows if injection is successful.
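To show why the tautology works and how the same search is hardened, here is an added example (not code from the original page) using Python's built-in sqlite3 module and a constructed three-row product table: the vulnerable search concatenates the term into the SQL text, the parameterized one binds it as data, and the indicator function applies the non-destructive check described above.

```python
import sqlite3

# Constructed sample catalogue (not from the original page).
PRODUCTS = [("Widget", 9.99), ("Gadget", 19.99), ("Gizmo", 4.50)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, term):
    # Deliberately vulnerable: the search term becomes part of the SQL text,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    # Hardened: the term is bound as a parameter and can only ever be data.
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def injection_indicator(conn, search_fn, control="nonexistent-product-zz"):
    """Return True if a tautology in the input changes the result set.

    The control term alone should match nothing. If appending the
    tautology makes the same search return every row, user input is
    reaching the database as SQL rather than as data. No data is modified.
    """
    baseline = search_fn(conn, control)
    probe = search_fn(conn, control + "' OR '1'='1")
    return len(baseline) == 0 and len(probe) == len(PRODUCTS)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable search injectable:", injection_indicator(db, search_vulnerable))
    print("parameterized search injectable:", injection_indicator(db, search_parameterized))
```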
312-50v13 Exam Question 27
Which DNS resource record can indicate how long any "DNS poisoning" could last?
Correct Answer: B
DNS poisoning (also known as DNS cache poisoning) occurs when a malicious actor injects false DNS data into a DNS resolver's cache. The poisoned entry will persist for the duration of its TTL (Time To Live), which is defined in the DNS SOA (Start of Authority) record. The SOA record contains several fields, including:
Serial number
Refresh
Retry
Expire
Minimum TTL
The Minimum TTL value in the SOA record determines how long a DNS resolver should cache the DNS data, including any potentially poisoned data.
From CEH v13 Official Courseware: Module 3: Scanning Networks, Topic: DNS Enumeration & Poisoning. The CEH v13 Study Guide states: "The SOA record includes a minimum TTL value that dictates how long DNS information should be cached by other DNS servers. If DNS cache poisoning occurs, the false information will persist until the TTL expires."
Incorrect Options:
A: MX (Mail Exchange) defines mail servers, not TTLs.
C: NS (Name Server) specifies authoritative servers, not caching durations.
D: TIMEOUT is not a valid DNS resource record.
Reference: CEH v13 Study Guide - Module 3: DNS Records, SOA Record Structure and TTL; RFC 1035 - Domain Names: Implementation and Specification (Section 3.3.13)
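To make the SOA field layout concrete, here is an added example (not from the original page or the CEH courseware) that parses an SOA record in the presentation format printed by zone files and dig, names the five numeric fields in RFC 1035 order, and reports the minimum TTL as the bound on how long a poisoned entry could be cached. The sample record and its values are constructed.

```python
# Constructed sample SOA record in presentation format (not from the page):
# owner TTL class SOA mname rname serial refresh retry expire minimum
SAMPLE_SOA = ("example.com. 86400 IN SOA ns1.example.com. hostmaster.example.com. "
              "2024050101 7200 3600 1209600 3600")

# Order of the numeric SOA RDATA fields per RFC 1035 section 3.3.13.
FIELD_NAMES = ("serial", "refresh", "retry", "expire", "minimum")


def parse_soa(line):
    """Parse one SOA record line into a dict of named fields.

    Accepts 'owner [ttl] [class] SOA mname rname serial refresh retry expire minimum';
    the optional owner TTL and class before the type are skipped.
    """
    tokens = line.split()
    if "SOA" not in tokens:
        raise ValueError("not an SOA record")
    rdata = tokens[tokens.index("SOA") + 1:]
    if len(rdata) != 7:
        raise ValueError("SOA RDATA must have 7 fields, got %d" % len(rdata))
    record = {"owner": tokens[0], "mname": rdata[0], "rname": rdata[1]}
    for name, value in zip(FIELD_NAMES, rdata[2:]):
        if not value.isdigit():
            raise ValueError("SOA field %s must be an unsigned integer" % name)
        record[name] = int(value)
    return record


def max_poison_lifetime(line):
    """Longest time in seconds a poisoned entry governed by this SOA should
    remain cached, taken from the minimum TTL field as the courseware describes."""
    return parse_soa(line)["minimum"]


if __name__ == "__main__":
    rec = parse_soa(SAMPLE_SOA)
    print("serial=%d refresh=%d retry=%d expire=%d minimum=%d"
          % tuple(rec[n] for n in FIELD_NAMES))
    print("poisoned data could persist up to %d seconds" % max_poison_lifetime(SAMPLE_SOA))
```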
312-50v13 Exam Question 28
Which of the following options represents a conceptual characteristic of an anomaly-based IDS over a signature-based IDS?
Correct Answer: B
An anomaly-based intrusion detection system is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls outside normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created.
In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The two phases of most anomaly detection systems are the training phase (where a profile of normal behaviors is built) and the testing phase (where current traffic is compared with the profile created in the training phase). Anomalies are detected in several ways, most often with artificial-intelligence-type techniques. Systems using artificial neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection. Other techniques used to detect anomalies include data mining methods, grammar-based methods, and the Artificial Immune System.
Network-based anomalous intrusion detection systems often provide a second line of defense to detect anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network. Host-based anomalous intrusion detection systems are one of the last layers of defense and reside on computer endpoints. They allow for fine-tuned, granular protection of endpoints at the application level.
Anomaly-based intrusion detection at both the network and host levels has a few shortcomings, namely a high false-positive rate and the ability to be fooled by a correctly delivered attack. Attempts have been made to address these issues through techniques used by PAYL and MCPAD.
312-50v13 Exam Question 29
Which of the following is the primary goal of ethical hacking?
Correct Answer: B
Ethical hacking, as defined throughout CEH courseware, is the authorized and legitimate process of identifying vulnerabilities, weaknesses, and misconfigurations in information systems. The primary objective is to strengthen security by discovering issues before malicious actors can exploit them. Ethical hackers follow strict legal guidelines, obtain written permission, and operate within a defined scope to ensure their activities contribute positively to the organization's security posture. Unlike malicious hacking, the intent is not to steal data, cause harm, or disrupt operations. Ethical hackers use the same tools, techniques, and methodologies that attackers use, but with the purpose of remediation and risk reduction. CEH emphasizes that ethical hacking supports defense-in-depth strategies by enabling organizations to harden their environments and proactively mitigate threats. Therefore, identifying and fixing vulnerabilities is the central mission of ethical hacking.
312-50v13 Exam Question 30
In both pharming and phishing attacks, an attacker can create websites that look similar to legitimate sites with the intent of collecting personally identifiable information from their victims. What is the difference between pharming and phishing attacks?
Correct Answer: A
According to CEH v13 Module 09: Social Engineering, both pharming and phishing are forms of fraud that direct users to malicious websites. However, their techniques differ:
Pharming involves modifying DNS entries or the victim's hosts file to silently redirect users to a malicious site without needing user interaction.
Phishing involves sending links via emails or messages where the URL is visually deceptive (misspelled or similar domain names, homoglyph attacks).
Reference: Module 09 - Social Engineering, Section: Pharming vs. Phishing Techniques
CEH eBook: Attack Vectors in Identity Theft and Fraud