While testing a web application that relies on JavaScript-based client-side security controls, which method is most effective for bypassing these controls without triggering server-side alerts?
Correct Answer: B
The Certified Ethical Hacker (CEH) Web Application Security module emphasizes that client-side controls cannot be trusted. Disabling JavaScript allows attackers to bypass:
* Password complexity enforcement
* CAPTCHA validation
* Input validation logic
Option B is the simplest and most effective CEH-approved method. Option A is unnecessary and noisy. Option C risks detection. Option D is effective but more complex and detectable. CEH explicitly teaches testers to disable JavaScript to evaluate server-side enforcement.
312-50v13 Exam Question 47
During a penetration test at IntelliCore Systems in Raleigh, North Carolina, ethical hacker Javier directs a wave of repetitive web requests against the company's portal that overloads backend scripts which process search queries and form submissions. As a result, legitimate customers experience long delays and occasional timeouts while attempting to log in or complete transactions. Which DoS/DDoS technique is Javier most likely demonstrating?
Correct Answer: D
The scenario describes a Layer 7 (application-layer) denial-of-service pattern: Javier sends a wave of repetitive web requests that specifically overload backend scripts responsible for search queries and form submissions. This is characteristic of an HTTP GET/POST attack, where the attacker floods a web application with large volumes of HTTP requests, commonly GET requests for pages/resources and POST requests that trigger server-side processing (login, checkout, searches, form handlers). Because these requests can be syntactically valid and target costly operations, they can quickly exhaust CPU, memory, threads, database connections, or application worker pools, resulting in slow responses and timeouts for legitimate users, exactly what the customers experience here.

Why the other options don't fit as well:
* Slowloris (A) is also an application-layer technique, but it works differently: it holds many connections open by sending partial HTTP headers very slowly, aiming to exhaust the server's concurrent connection capacity. The question emphasizes repetitive requests overloading backend scripts, not slow, incomplete requests holding sockets open.
* UDP Flood (B) is a network/transport-layer volumetric attack that sends massive UDP packets to random or targeted ports, consuming bandwidth and host resources. It doesn't specifically target web scripts handling search/forms.
* Peer-to-Peer Attack (C) typically involves abusing P2P networks or reflection/amplification through distributed peers; it's not described as direct repetitive web requests to application endpoints.

The key indicators are: (1) web requests, (2) targeting script-driven functions like search and form submissions, and (3) resulting in user-facing slowness/timeouts due to overwhelmed application processing. These align most directly with D. HTTP GET/POST Attack.
312-50v13 Exam Question 48
A penetration tester identifies malware that monitors the activities of a user and secretly collects personal information, such as login credentials and browsing habits. What type of malware is this?
Correct Answer: C
CEH defines spyware as malware designed to covertly observe user behavior and transmit sensitive information to attackers without the victim's knowledge. Spyware commonly records keystrokes, browser activity, form submissions, application usage, and other personally identifiable information. CEH highlights that spyware often operates silently and may disguise itself as legitimate software, making detection difficult. Unlike rootkits, which hide processes and files, or worms, which self-replicate, spyware focuses exclusively on monitoring and data exfiltration. It is frequently installed through phishing, drive-by downloads, browser vulnerabilities, or malicious installers. Spyware can serve as a stepping stone for further system compromise by providing attackers with credentials for privilege escalation, lateral movement, or financial theft. CEH emphasizes the need for endpoint hardening, updated anti-malware engines, and behavioral analysis tools to detect such stealthy monitoring programs.
312-50v13 Exam Question 49
You are working as a threat intelligence analyst for a fintech startup that recently discovered a spike in credential stuffing attempts against its admin panel. The security team believes this may be due to leaked internal files circulating on underground forums. You are tasked with investigating potential exposure on the dark web without directly interacting with any service or forum. You decide to use advanced search filters to identify documents hosted on hidden services that may contain sensitive access details. The team suspects these documents might include account-related keywords in their titles. Which of the following search queries would best support this investigation?
Correct Answer: A
This task describes passive reconnaissance using advanced search operators, a technique covered in CEH as search engine reconnaissance or Google dorking. The objective is to find potentially exposed documents on hidden services while avoiding direct interaction with forums or services. The most important element in the query is restricting results to hidden service domains using the site:onion operator. Any option that does not include site:onion is less suitable because it will return results from the public web rather than from .onion resources.

Option A is the strongest fit because it combines three high-value filters: filetype:pdf to focus on document artifacts that are commonly leaked or shared, intitle:"admin access" to target titles suggesting privileged access or administrative information, and site:onion to restrict the scope to hidden services. In CEH reporting and threat intelligence workflows, targeting high-signal keywords such as admin access, credentials, password list, or vpn access in document metadata is a practical way to identify likely leak sources without active engagement.

Option B lacks site:onion, so it fails the hidden-service requirement. Option C includes site:onion, but the phrase secure login is more generic and may return many benign pages, reducing precision. Option D includes site:onion and filetype targeting, but user accounts is broader and less indicative of immediate access data than admin access. Therefore, A best supports efficient passive discovery of high-risk documents relevant to credential exposure on hidden services.
312-50v13 Exam Question 50
In Seattle, Washington, ethical hacker Mia Chen is hired by Pacific Trust Bank to test the security of their corporate network, which stores sensitive customer financial data. During her penetration test, Mia conducts a thorough reconnaissance, targeting a server that appears to host a critical database of transaction records. As she interacts with the server, she notices it responds promptly to her queries but occasionally returns error messages that seem inconsistent with a production system's behavior, such as unexpected protocol responses. Suspicious that this server might be a decoy designed to monitor her actions, Mia applies a technique to detect inconsistencies that may reveal the system as a honeypot. Which technique is Mia most likely using to determine if the server at Pacific Trust Bank is a honeypot?
Correct Answer: C
Fingerprinting the running service is the most appropriate technique because the strongest indicator in the scenario is inconsistent protocol behavior and error responses that do not match a legitimate production database service. In CEH reconnaissance guidance, honeypots and decoy systems often emulate common services but may implement only partial protocol stacks or simplified responses. This can lead to anomalies such as incorrect banner strings, malformed or generic error messages, unsupported command handling, unusual protocol negotiation, or responses that do not align with the claimed software version. By fingerprinting, Mia compares observed behavior against expected behavior for the genuine service, including version-specific quirks, command sets, response codes, and timing patterns for particular requests.

In practice, service fingerprinting involves interacting with the service using legitimate and edge-case requests, validating banners and headers, and correlating results with known signatures from real implementations. If the server claims to be a specific database or application service but reacts in ways that real deployments would not, it suggests emulation, instrumentation, or deception typical of honeypots designed to log attacker activity.

Analyzing response time can help, because some honeypots respond too quickly or with uniform timing, but timing alone is less definitive than protocol inconsistencies. MAC address analysis is not reliable for identifying honeypots and is often not visible beyond the local segment. Analyzing system configuration and metadata usually requires deeper access than reconnaissance and is not the primary method when the clue is a protocol-level mismatch. Therefore, fingerprinting the running service best fits the observed symptoms.