ECCouncil Updated 312-50v13 Exam Questions and Answers by evie-mae

Agent Smith Attack

Agent Smith attacks are carried out by luring victims into downloading and installing malicious

apps designed and published by attackers in the form of games, photo editors, or other

attractive tools from third-party app stores such as 9Apps. Once the user has installed the app,

the core malicious code inside the application infects or replaces the legitimate apps in the

victim's mobile device C&C commands. The deceptive application replaces legitimate apps such

as WhatsApp, SHAREit, and MX Player with similar infected versions. The application sometimes

also appears to be an authentic Google product such as Google Updater or Themes. The

attacker then produces a massive volume of irrelevant and fraudulent advertisements on the

victim's device through the infected app for financial gain. Attackers exploit these apps to steal

critical information such as personal information, credentials, and bank details, from the

victim's mobile device through C&C commands.

False Positives occur when a scanner, Web Application Firewall (WAF), or Intrusion Prevention System (IPS) flags a security vulnerability that you do not have. A false negative is the opposite of a false positive, telling you that you don't have a vulnerability when, in fact, you do.

A false positive is like a false alarm; your house alarm goes off, but there is no burglar. In web application security, a false positive is when a web application security scanner indicates that there is a vulnerability on your website, such as SQL Injection, when, in reality, there is not. Web security experts and penetration testers use automated web application security scanners to ease the penetration testing process. These tools help them ensure that all web application attack surfaces are correctly tested in a reasonable amount of time. But many false positives tend to break down this process. If the first 20 variants are false, the penetration tester assumes that all the others are false positives and ignore the rest. By doing so, there is a good chance that real web application vulnerabilities will be left undetected.

When checking for false positives, you want to ensure that they are indeed false. By nature, we humans tend to start ignoring false positives rather quickly. For example, suppose a web application security scanner detects 100 SQL Injection vulnerabilities. If the first 20 variants are false positives, the penetration tester assumes that all the others are false positives and ignore all the rest. By doing so, there are chances that real web application vulnerabilities are left undetected. This is why it is crucial to check every vulnerability and deal with each false positive separately to ensure false positives.

CEH teaches that insufficient input validation on mobile applications enables code injection attacks. Injecting JavaScript or crafted payloads into fields validates whether the application improperly processes untrusted data. If executed, it confirms that the app is vulnerable to injection-based attacks.

Verbose failure messages are detailed error messages that reveal too much information about authentication failures. In the described scenario, the web application specifies whether the username or password is incorrect. This behavior enables attackers to:

Enumerate valid usernames by submitting random inputs and observing which error message is returned.

Use the valid usernames to conduct targeted attacks such as brute-force attempts or social engineering.

According to CEH v13:

Authentication mechanisms should provide generic error messages such as “Invalid username or password” to avoid exposing system behavior.

Verbose error messages violate the principle of "fail securely."

Incorrect Options:

A. Insecure transmission relates to credentials being sent over unencrypted channels (e.g., HTTP instead of HTTPS).

C. User impersonation involves taking on the identity of another user, not enumeration.

D. Password reset mechanisms are a different component of authentication, not mentioned in this context.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Authentication Bypass Techniques”

Subsection: “Enumeration via Verbose Error Messages”

=