CEH v13 312-50v13 Updated Exam

The correct answer is B, Clickjacking Attack. Clickjacking is a web application attack in which an attacker tricks a victim into clicking on a hidden or disguised element different from what the victim perceives on the screen. The most common technique involves placing a transparent or invisible iframe over legitimate-looking content. When the victim clicks the visible button, image, or link, the click is actually directed to the hidden iframe controlled by the attacker.

In CEH web application hacking topics, clickjacking is considered a user-interface redress attack because it manipulates the user’s perception of the web page. Attackers use this technique to force users to perform unintended actions such as changing account settings, authorizing transactions, enabling webcams, downloading malware, or granting permissions on trusted websites while remaining unaware of the action being performed.

HTTP Parameter Pollution involves manipulating application parameters, HTML Injection inserts malicious HTML into a web page, and Session Fixation forces a user to use a predefined session identifier. Since the scenario specifically describes a transparent iframe tricking the victim into clicking hidden content, the attack is Clickjacking.

Answer: B QUESTION NO: 25 [Malware Threats]

What kind of detection technique is being used in antivirus software that identifies malware by collecting data from multiple protected systems and instead of analyzing files locally it ' s made on the provider ' s environment?

A. Heuristics based

B. Honeypot based

C. Behavioral based

D. Cloud based

Answer: D

The correct answer is D. Cloud based because the question describes an antivirus architecture where suspicious files, metadata, reputation information, and threat intelligence are collected from multiple protected endpoints and analyzed within the vendor’s cloud infrastructure rather than exclusively on the local machine. In CEH malware defense concepts, cloud-based detection leverages centralized analysis engines, reputation services, machine learning models, and global threat intelligence gathered from many endpoints. This approach enables rapid identification of emerging malware and zero-day threats because intelligence learned from one protected system can immediately benefit all other protected systems.

Heuristic-based detection focuses on identifying suspicious code characteristics and malware-like patterns. Behavioral-based detection monitors how a program behaves on a system, such as unauthorized registry changes, process injection, or unusual network activity. Honeypot-based solutions use decoy systems to attract and study attackers. None of these specifically describe offloading analysis to the antivirus provider’s environment. The key phrase in the question is that malware analysis is performed in the provider’s environment using information collected from many protected systems, which is the defining characteristic of cloud-based malware detection. Therefore, option D is the most accurate CEH-aligned answer.

CEH v13 highlights the Idle Scan as one of the stealthiest reconnaissance methods available, designed specifically to avoid detection by IDS and security monitoring tools. Idle scanning leverages a “zombie host”—a system with a predictable IPID sequence—to route all probe packets through it. Since no packets ever originate directly from the attacker’s IP, IDS systems are unable to attribute the port scan to the attacker. CEH emphasizes that this technique creates zero direct traffic between the attacker and the target, making it extremely evasive and ideal for highly monitored networks. FIN scans (Option A) are somewhat stealthy but still originate from the attacker and are detectable. TCP Connect scans (Option C) are the most detectable because they complete full connections. ICMP Echo scans (Option D) are easily logged and flagged by IDS. Idle scanning is uniquely suited for bypassing advanced detection systems while still identifying open ports and live hosts.

The correct answer is A, Data scraping. When a web application or API does not restrict request frequency, attackers can automate high-volume requests to collect large amounts of data from exposed endpoints. In CEH web application hacking concepts, APIs and web services are important attack surfaces, and weak API controls can allow attackers to bypass intended policies or abuse application functionality. Lack of rate limiting also allows repeated application-layer requests that may appear legitimate but are performed at abusive scale. CEH DoS material explains that large volumes of requests can overload web applications or services, and application-layer attacks often resemble normal website traffic. Among the choices, data scraping is the best fit because unrestricted API calls allow automated harvesting of user records, product data, pricing, messages, or other exposed information. CSRF requires tricking an authenticated user into sending requests, XSS involves script injection, and SQLi targets database query manipulation. The key issue here is missing request throttling, so the risk is data scraping.

CEH v13 explains that Windows systems running older or default configurations often allow anonymous or null session connections to IPC$ shares, enabling attackers to enumerate users, groups, shares, and other system details without authentication. Null session enumeration is highlighted as a classic yet effective technique because it generates minimal detectable activity and does not require credentials, making it ideal for stealth operations. CEH stresses that SMB null sessions are frequently overlooked in legacy or poorly hardened environments, especially when default permissions remain unchanged. Packet sniffing (Option A) may provide some data but requires traffic visibility and may be detected through monitoring tools. DNS zone transfers (Option B) require misconfigurations and usually do not reveal user list details. SNMP queries (Option D) require community strings and often generate alerts. Therefore, exploiting null sessions is the most covert and effective method for enumerating Windows systems under default configurations.