Helping Hand Questions for 312-50v13

Application Flaws is the best classification because the root cause is a coding error in the application’s input handling that results in a buffer overflow. In CEH-aligned vulnerability categorization, application flaws include implementation mistakes such as improper bounds checking, unsafe string handling, and inadequate input validation. The scenario explicitly states Lucas used fuzz testing against input validation logic and triggered a buffer overflow using malformed taxpayer ID strings, then observed unintended disclosure of payroll data due to unchecked data boundaries. Those details point to defective code behavior at runtime, not an administrative or configuration issue.

Poor Patch Management typically refers to failing to apply vendor patches or updates, leaving known vulnerabilities exploitable. The prompt does not indicate the issue was a previously known, patched defect that remained unpatched; instead, it describes a newly discovered weakness traced to an internal module and a “coding oversight.” Misconfigurations or weak configurations involve insecure settings such as overly permissive access controls, exposed services, default credentials, or insecure cloud storage policies. None of those are the trigger here; the trigger is malformed input causing memory corruption. Design Flaws relate to weaknesses in the system’s architecture or security model, such as missing authorization logic, flawed trust boundaries, or insecure workflows. While poor design can contribute to impact, the specific vulnerability mechanism described is an implementation-level memory handling failure.

Therefore, the correct classification is Application Flaws, because the vulnerability is fundamentally an input-processing and bounds-checking defect in the application code that results in a buffer overflow and data exposure.

This scenario most clearly illustrates shoulder surfing, a social engineering technique where an attacker obtains sensitive information by observing a victim’s screen, keystrokes, or written notes—often from a nearby position—without directly interacting with the victim or their device. The key indicators are that the tester is “discreetly watching their screens and hand movements” during login and is able to capture “usernames and partial passwords” without touching anything. That is the defining pattern of shoulder surfing: passive observation to harvest credentials or other confidential information.

Shoulder surfing is particularly effective in open-plan offices, shared workspaces, airports, cafés, or any environment where people can be observed entering credentials. Attackers may watch directly, use reflections (e.g., glass surfaces), or position themselves to see the keyboard and screen. Even partial password capture can be valuable when combined with other information (usernames, password patterns, reset questions, or subsequent observation), and it can help an attacker craft more convincing follow-on social engineering attempts.

Why the other options do not fit:

Dumpster diving (B) involves retrieving sensitive information from trash (printed documents, media, badges, notes), not observing logins in real time.

Impersonation (C) requires actively posing as a trusted person (IT staff, vendor, employee) to persuade someone to disclose information or grant access; the scenario explicitly avoids interaction with staff.

Tailgating (D) is physically following someone through a secure door to gain unauthorized entry; it’s about bypassing physical access controls rather than capturing credentials.

Because the technique relies on visual observation of screens and keystrokes to obtain login details, the correct answer is A. Shoulder Surfing.

In CEH v13 Cloud Computing, multi-tenancy is a core cloud characteristic—but also a major risk if isolation controls are weak. When one tenant’s actions affect others, the issue is almost always insufficient isolation between tenants.

Multi-tenant isolation ensures that compute, storage, memory, and network resources are strictly separated. Without proper isolation, a malicious tenant can:

Exhaust shared resources

Access neighboring virtual machines

Damage the provider’s reputation

Encryption and authentication protect data access but do not stop cross-tenant impact. Logging helps detect incidents but does not prevent them.

CEH v13 emphasizes strong logical isolation mechanisms—such as hypervisor hardening and tenant segmentation—as essential cloud security controls. Therefore, Option C is the correct answer.

RST hijacking is a TCP session hijacking technique emphasized in CEH materials under network attacks against established communications. In TCP, a Reset flag packet is used to abruptly tear down a connection. If an attacker can observe the session and determine the correct parameters such as IP addresses, ports, and an in-window sequence number, they can forge a TCP RST packet that appears to come from one endpoint. This can force the victim side to drop the session, making the legitimate client suddenly lose responsiveness.

The key clue in the scenario is that Rachel “observes a client-server communication” and then injects crafted packets that disrupt the client while the server continues to communicate with Rachel’s system. That behavior matches the practical use of RST hijacking in demonstrations: terminate or desynchronize the victim endpoint while keeping the server-side session usable long enough for the attacker to inject traffic with valid sequence and acknowledgment values. In a switched LAN, this is often paired with sniffing or traffic visibility to reliably craft the reset packet and subsequent injected packets.

Blind hijacking is different because the attacker cannot see the traffic and must guess sequence numbers, which contradicts the “observes communication” detail. UDP hijacking is not applicable because UDP is connectionless and does not use session state or RST flags. “TCP/IP hijacking” is a broad category, but the question asks for the specific technique used to disrupt the client via crafted packets, which is best identified as RST hijacking.