
Exam CS0-002 topic 1 question 140 discussion

Actual exam question from CompTIA's CS0-002
Question #: 140
Topic #: 1

During the security assessment of a new application, a tester attempts to log in to the application but receives the following message: incorrect password for given username. Which of the following can the tester recommend to decrease the likelihood that a malicious attacker will receive helpful information?

  • A. Set the web page to redirect to an application support page when a bad password is entered.
  • B. Disable error messaging for authentication.
  • C. Recognize that error messaging does not provide confirmation of the correct element of authentication.
  • D. Avoid using password-based authentication for the application.
Suggested Answer: C
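The point under discussion is that "incorrect password for given username" tells a caller the username exists, while a single generic message (and equal work for both failure cases) does not. The following is an added illustration, not code from the exam or from any vendor: a constructed in-memory user store with the leaky login handler beside a hardened one. Usernames, passwords and the `GENERIC_ERROR` text are made-up values.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed sample store: {username: (salt, PBKDF2-HMAC-SHA256 hash)}
ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_user(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


USERS = {"alice": _make_user("correct horse battery staple")}

# Dummy credential so an unknown username still costs one hash computation;
# otherwise response time alone would reveal whether the name exists.
_DUMMY_SALT, _DUMMY_HASH = _make_user("not-a-real-password")

GENERIC_ERROR = "Invalid username or password."


def authenticate_leaky(username: str, password: str) -> Tuple[bool, str]:
    """The behaviour in the question: the message names which element failed."""
    record = USERS.get(username)
    if record is None:
        return False, "unknown username"
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "incorrect password for given username"
    return True, "ok"


def authenticate_hardened(username: str, password: str) -> Tuple[bool, str]:
    """Same generic message, and the same hashing work, for both failure cases."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    # An unknown username never authenticates, even if the dummy hash matched.
    if username not in USERS or not ok:
        return False, GENERIC_ERROR
    return True, "ok"
```

A rate limit or lockout on the generic path still belongs in front of this; the message change only removes the username-confirmation leak.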

Comments

Highly Voted 2 years, 8 months ago
Selected Answer: C
It's C. How would you feel if you kept entering your username and password and nothing happened, but after a few clicks you get locked out of your account, thinking that the people who designed the application were total idiots for at least warning me that something I was typing was wrong? "Decrease likelihood" of attacker gaining "helpful info". As it is, the application is already telling you that the username is correct, so if he were brute forcing, in a sense he has already attained half of the needed info. He wouldn't know this if it were stating "username or password is incorrect", as the majority of other sites on the internet do.
upvoted 20 times
Xoomalla
1 year, 10 months ago
Loved the way you explained it :D
upvoted 1 times
RobV
Most Recent 1 year, 6 months ago
Selected Answer: B
B. Disable error messaging for authentication. Disable error messaging for authentication (Option B): This is a good practice to prevent attackers from gaining information about the correctness of the entered username or password. By disabling detailed error messages, the system avoids providing attackers with specific feedback, making it more difficult for them to determine valid usernames. Recognize that error messaging does not provide confirmation of the correct element of authentication (Option C): While recognizing this fact is important, it doesn't directly address the issue of preventing potentially revealing error messages.
upvoted 1 times
RobV
1 year, 6 months ago
Key is "decrease the likelihood that a malicious attacker will receive helpful information?"
upvoted 1 times
Xoomalla
1 year, 10 months ago
Selected Answer: C
Can't vote without a comment, so I will quote his comment: "How would you feel if you kept entering your username and password and nothing happened, but after a few clicks you get locked out of your account, thinking that the people who designed the application were total idiots for at least warning me that something I was typing was wrong."
upvoted 1 times
Xoomalla
1 year, 10 months ago
Tag comment, I mean
upvoted 1 times
Dany_Suarez
1 year, 11 months ago
Selected Answer: C
I think the correct answer is C.
upvoted 1 times
tutita
2 years ago
Selected Answer: B
Quote: "Which of the following can the tester recommend to decrease the likelihood that a malicious attacker will receive helpful information?" It should be B; that's the recommendation. My first choice was C, but then I re-read the question and I'm going for B.
upvoted 1 times
kiduuu
2 years, 2 months ago
Selected Answer: B
Disabling error messaging for authentication is a recommended approach to decreasing the likelihood that a malicious attacker will receive helpful information. By disabling error messaging, an attacker will not receive specific information about what went wrong during authentication, such as whether the username or password was incorrect.
upvoted 1 times
HereToStudy
2 years, 2 months ago
Selected Answer: C
After rethinking this, I don't think the error message tells you anything. It is basically only saying that the username and password don't go together. It doesn't say anything about whether or not the username exists.
upvoted 1 times
HereToStudy
2 years, 2 months ago
Wow, these questions are terrible. I'm changing my mind back to B, and here is why. The question is "Which of the following can the tester recommend to decrease the likelihood that a malicious attacker will receive helpful information?" Unfortunately, C does nothing to decrease the likelihood.
upvoted 3 times
[Removed]
2 years, 2 months ago
The error message confirms to the attacker/tester that the username is correct while the password is not. This means the attacker/tester only has to work on the password now and not both, so I think it's B.
upvoted 2 times
[Removed]
2 years, 3 months ago
Selected Answer: B
If C said "Incorrect password/username, please try again", then I would certainly go with that option. However, the error message tells me I found the correct username, just not the correct password. So the only reasonable answer is B, disabling error messages for auth.
upvoted 3 times
2Fish
2 years, 3 months ago
Completely agree. Good explanation.
upvoted 1 times
aleXplicitly
2 years, 4 months ago
Selected Answer: B
Going with B on this.
upvoted 1 times
AaronS1990
2 years, 4 months ago
"Which of the following can the tester recommend to decrease the likelihood that a malicious attacker will receive helpful information?" I understand people saying that disabling the notification wouldn't help regular users, but from what the question gives us, that is of no concern. It's gotta be B.
upvoted 2 times
Eric1234
2 years, 4 months ago
Selected Answer: B
I think the answer is B. While it doesn't make sense to fully disable messaging, the question is asking how to prevent information from being provided to the adversary. It doesn't ask for the solution that makes it easier to solve future issues. Terrible question.
upvoted 3 times
absabs
2 years, 4 months ago
It is also C. When you enter the wrong password/username, what do you do without authentication error messaging?
upvoted 1 times
kmanb
2 years, 5 months ago
Selected Answer: C
If you disable error messaging completely, it will make it a lot harder to solve issues.
upvoted 2 times
CyberNoob404
2 years, 5 months ago
Selected Answer: B
Disable error messaging, then no information can be provided.
upvoted 1 times
trainingsmits
2 years, 5 months ago
Selected Answer: B
The only valid answer I see is B. A: setting the web page to redirect can give the attacker insight they don't need. C: recognizing that the error message doesn't provide confirmation just isn't true; the error message reads "incorrect password for a given username", so they know the username is correct but the password is incorrect. D: just unrealistic. B: disabling the error message for authentication doesn't seem like a great option, but it will avoid giving the attacker unnecessary/helpful information, which is what the question is asking for.
upvoted 3 times
TKW36
2 years, 5 months ago
Selected Answer: B
This is a horribly worded question. The only correct answer by the parameters set by the question is realistically B, if we assume that the message did in fact give information. I don't think it did but if CompTIA's autists do then.. I would choose C but I'm almost forced to choose B..
upvoted 3 times
TIM0088
2 years, 6 months ago
Selected Answer: B
Error messaging is a type of feedback that is provided to users when something goes wrong, such as when they enter an incorrect password. In some cases, error messaging can provide helpful information to attackers, such as confirming that they have correctly guessed the username or that they are using the correct password format. By disabling error messaging for authentication, the tester can reduce the amount of information that is provided to attackers and make it more difficult for them to guess the correct username and password. The correct answer is B: Disable error messaging for authentication.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other