312-50v13 Questions Bank

document.write(< cookie =+ escape(document.cookie) +/ >); (Cookie and session ID theft)

As seen in the indicated question, cookies are escaped and sent to script to variable ‘cookie’. If the malicious user would inject this script into the website’s code, then it will be executed in the user’s browser and cookies will be sent to the malicious user.

The scenario describes an API vulnerability where unauthorized users are able to view, modify, or delete sensitive data by interacting with API objects. This indicates a failure in access control—specifically, a lack of Attribute-Based Access Control (ABAC) validation.

Attribute-Based Access Control (ABAC):

ABAC is an advanced access control model that evaluates access permissions based on attributes of the user, the resource, and the environment (e.g., user role, data sensitivity, location, etc.).

When ABAC is not properly implemented ("No ABAC validation"), APIs may allow users to access or manipulate objects they shouldn't have access to.

In APIs, this typically results in vulnerabilities like Insecure Direct Object Reference (IDOR), where users can tamper with object identifiers (IDs) to access or alter data that doesn’t belong to them.

This is one of the top risks highlighted by the OWASP API Security Top 10 (e.g., Broken Object Level Authorization).

Incorrect Options:

A. Code injection refers to injecting malicious code (e.g., SQLi, XSS), not improper access control.

B. Improper use of CORS (Cross-Origin Resource Sharing) may lead to unauthorized data exposure but doesn’t describe unauthorized object access in an API.

D. Business logic flaws relate to weaknesses in application workflows and rules, not direct access control failures.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: "API Security Threats"

Subsection: "Access Control Failures in APIs (IDOR, BOLA, ABAC-related flaws)"

OWASP API Security Top 10: 2023 – A1: Broken Object Level Authorization

CEH iLabs and CEH Engage also demonstrate API-based attack vectors exploiting access control weaknesses.

CEH v13 outlines a structured approach to vulnerability assessment and exploitation. After identifying a high-severity vulnerability, the next critical step is verification and research, not immediate exploitation. This ensures accuracy, reduces false positives, and avoids unnecessary risk. CEH emphasizes that testers must validate vulnerability details, confirm version applicability, assess exploit availability (e.g., Metasploit, Exploit-DB), and evaluate potential impact. Attempting DoS attacks (Option A) is prohibited unless explicitly scoped and does not align with responsible testing. Brute-force attacks (Option B) are unrelated to software version vulnerabilities. Ignoring the issue (Option D) violates CEH methodology. The correct process is to research and verify—ensuring exploitation is safe, relevant, and authorized. This aligns with CEH’s vulnerability management lifecycle: discovery → verification → prioritization → exploitation (when allowed) → reporting.

In CEH v13 Module 10: Vulnerability Assessment, the Vulnerability Management Lifecycle is defined with the following structured steps:

Identify assets & baseline (Step 2)

Vulnerability scanning (Step 5)

Risk assessment/prioritization (Step 6)

Remediation (Step 1)

Verification (Step 3)

Continuous monitoring (Step 4)

So the correct lifecycle flow is:

2 → 5 → 6 → 1 → 3 → 4

This ensures vulnerabilities are identified, assessed, remediated, validated, and monitored on an ongoing basis.