The correct answer is A. Design Flaws because the weaknesses originate from fundamental development-time decisions in how the application was architected-specifically (1) selecting or creating a weak custom encryption algorithm and (2) implementing session validation in a way that allows requests to bypass access controls. In CEH-aligned vulnerability classification, design flaws are problems embedded in the application's design and logic, not merely bugs from implementation mistakes, misconfiguration of a server setting, or missing vendor patches. They are often systemic: even if the code is "working as intended," the intent itself is insecure.
The prompt explicitly states the issues are "traced back to flawed system logic and poor encryption design decisions made during the development phase." That description maps directly to design flaws: using
"homegrown crypto" instead of vetted cryptographic primitives and protocols is a classic design error because it typically lacks proper peer review, threat modeling, and proven resistance to cryptanalysis. Likewise, session validation that permits bypassing access controls indicates the application's authorization/session model was designed incorrectly (for example, trusting client-side state, failing to enforce server-side checks consistently, or allowing unauthenticated endpoints to access privileged operations).
Why the other options are less accurate: Application flaws is a broad label that can include coding bugs, but the question is asking for the best category given that the root cause is architectural decisions rather than a narrow coding mistake. Misconfigurations/weak configurations usually refer to insecure settings in deployment (default credentials, permissive headers, weak TLS configuration), not a custom crypto algorithm and flawed session logic baked into the app. Poor patch management concerns failing to update known vulnerable components; here, the weakness is custom logic, not an unpatched third-party vulnerability.
Therefore, the most accurate category for these development-phase encryption and session/authorization weaknesses is Design Flaws.

The requirement that each device authenticate through a centralized server using unique usernames and passwords aligns directly with 802.1X authentication, which CEH materials describe as port-based Network Access Control used in enterprise wired and wireless environments. In Wi-Fi, 802.1X is typically implemented as WPA2-Enterprise or WPA3-Enterprise and relies on EAP methods with a backend AAA server, most commonly RADIUS. The access point acts as the authenticator, forwarding the client's authentication exchange to the RADIUS server, which validates the user or device identity and returns an accept or reject decision along with session keys and policy attributes. This provides strong control and auditing because access can be tied to individual identities, supports account disablement, and can enforce different access levels.
The other options do not match the "centralized server with unique credentials" description. Disabling TKIP improves security by removing an outdated encryption protocol, but it does not provide per-user authentication. MAC address filtering is weak because MAC addresses are easily discovered and spoofed, and it does not use centralized identity validation. Upgrading to WPA3 improves cryptographic strength, and WPA3-Enterprise can work with 802.1X, but WPA3 alone does not guarantee centralized username and password authentication unless the enterprise mode with 802.1X is specifically deployed. Therefore, the correct countermeasure that fits the described design is to use 802.1X authentication with a centralized authentication server, enabling strong access control, accountability, and improved resistance to unauthorized device connections.

Outdated server software often contains memory corruption flaws. CEH notes that buffer overflow exploits are a primary method for compromising vulnerable server binaries, allowing remote code execution. This approach targets the underlying service rather than application-layer input validation issues.

The CEH Footprinting and Reconnaissance module highlights Google Alerts as a key passive reconnaissance tool for monitoring changes in web content, news, and online mentions.
Option B is correct.
Option A is active engagement.
Option C aids anonymity but not monitoring.
Option D is illegal and unethical.
CEH strongly promotes automated alerting for competitive intelligence.