312-50v13 Exam Dumps - Certified Ethical Hacker Exam (CEHv13)

The correct answer is HTTP Response Splitting Attack. CEH web server security material explains that HTTP response splitting is an input validation flaw in which attacker-controlled input is used to break a single HTTP response into multiple parts, often by injecting carriage return and line feed delimiters into server-generated headers or related output. The question states that one crafted request is processed as two separate ones and places this weakness in the same broad input-validation family as XSS, CSRF, and SQL injection. That framing strongly matches response splitting, which depends on improper validation of user-supplied data before it is inserted into server communication structures. Password cracking is unrelated to web response formation, directory traversal involves file path abuse, and web cache poisoning focuses on corrupting cached responses served to other users. CEH materials treat HTTP response splitting as a classic web server attack that can lead to malicious redirects, header injection, cache manipulation, or delivery of attacker-controlled content. Because the crafted input causes the server to separate what should be a single communication into multiple response segments, the most accurate classification is HTTP Response Splitting Attack.

CEH describes SQL injection testing as a core part of web application assessment. One of the first and safest validation techniques is using a tautology-based SQL injection payload, such as ' OR ' 1 ' = ' 1. If the application concatenates user input directly into SQL queries, such an input will cause the query to always evaluate as true, often returning additional records such as multiple user profiles. This confirms the presence of SQL injection without causing destructive effects like dropping tables. Testing XSS does not validate SQL injection, brute-forcing credentials is unrelated, and directory traversal attacks target file path manipulation rather than backend queries. CEH emphasizes avoiding destructive queries and starting with non-intrusive injection payloads that reveal improper input sanitization, making ' OR ' 1 ' = ' 1 the correct technique for confirming SQL injection vulnerabilities in URL parameters.

This question describes a classic example of Tautology-Based SQL Injection, a subcategory of SQL Injection attacks which fall under Web Application Hacking in the CEH curriculum.

In a tautology-based SQL injection, the attacker injects a SQL fragment that always evaluates to true, thus bypassing the authentication mechanism. The string ' C ' ll-T; — is a malformed variant, possibly meant to represent ' OR ' 1 ' = ' 1 ' ; --, which is one of the most basic and widely recognized tautology-based injection payloads. When injected into a vulnerable SQL query, this kind of input manipulates the WHERE clause of the query so that it always evaluates to true, regardless of the original conditions.

Here’s how it works:

If the SQL query is:

SELECT * FROM users WHERE username = ' $username ' AND password = ' $password ' ;

And the attacker inputs:

' OR ' 1 ' = ' 1 ' ; --

The query becomes:

SELECT * FROM users WHERE username = ' ' OR ' 1 ' = ' 1 ' ; -- ' AND password = ' ' ;

This results in the execution of:

SELECT * FROM users WHERE ' 1 ' = ' 1 ' ;

Which always evaluates to true, thereby bypassing authentication and allowing unauthorized access.

This method does not rely on error messages (Error-Based), timing delays (Time-Based Blind), or UNION statements (Union-Based). Its goal is to exploit logic within the query structure itself using boolean-based manipulation.

According to EC-Council ' s CEH v13 Module: Web Application Hacking, understanding tautology-based injection is critical because it ' s one of the most common ways attackers bypass login forms on poorly secured web applications.

The Certified Ethical Hacker (CEH) Incident Response lifecycle begins with Identification, followed by containment, eradication, recovery, and lessons learned. CEH documentation stresses that understanding the scope and nature of an incident is critical before taking disruptive action.

Option A is the correct initial response because it focuses on real-time monitoring and log analysis, which are essential during the identification phase. CEH materials emphasize analyzing logs, authentication failures, and traffic anomalies to confirm whether an incident has occurred and determine the attacker’s techniques, persistence level, and impact.

Option B, while valuable, is more appropriate after initial identification. Conducting deep outbound traffic audits without first understanding the attack vector can delay containment decisions.

Option C is premature. CEH warns that changing credentials too early may alert the attacker and cause them to escalate or destroy evidence.

Option D represents a containment strategy, not an initial response. CEH guidelines advise against immediately disconnecting systems unless there is confirmed active data exfiltration that cannot be otherwise controlled, as this may disrupt business operations and erase volatile forensic evidence.

Therefore, the CEH-approved approach is to monitor, analyze, and identify the incident before moving to containment and eradication.

CSRF occurs when a vulnerable application processes unauthorized state-changing requests because it does not verify whether the request was intentionally initiated by the authenticated user. CEH v13 explains that exploitation involves tricking a logged-in user into unknowingly executing a crafted HTTP request—usually via a malicious webpage, hidden form submission, embedded image tag, or JavaScript trigger. When the victim visits the attacker-controlled page, the browser automatically includes the user’s active session cookies, allowing the server to treat the forged request as legitimate. This technique is central to CSRF attacks and is highlighted in the CEH curriculum as the correct exploitation path. Directory traversal, SQL injection, and brute-force attacks target different vulnerabilities and do not exploit missing request authenticity validation. The key requirement for CSRF exploitation is user interaction via a malicious external resource, making option B the correct CEH-aligned method.

CEH v13 identifies the Idle Scan as one of the most stealthy and advanced reconnaissance techniques due to its ability to avoid generating any traffic directly between the attacker and the target. Using a “zombie host,” which has predictable IP ID sequencing, the attacker forges packets so that all scan traffic appears to originate from the zombie. The IDS sees communication only between the zombie and the target, not the attacker. This allows evasion of network monitoring tools, traffic correlation systems, and intrusion detection signatures. CEH highlights Idle Scanning as a core technique for bypassing sophisticated detection controls because it leaves no direct fingerprint of the attacker. Options A and B still originate from the attacker’s IP. Option C can evade some filters but remains detectable due to packet anomalies. Only Idle Scanning provides full origin obfuscation, making it the most appropriate method for stealth port enumeration.

According to the CEH System Hacking and Web Application Security modules, Man-in-the-Browser (MitB) attacks are among the most sophisticated and difficult session-hijacking techniques to detect. In MitB attacks, malware operates inside the victim’s browser, allowing attackers to intercept, modify, or inject transactions after authentication has occurred.

CEH documentation highlights that MitB attacks bypass:

Multi-factor authentication

Encrypted cookies

HTTPS/TLS protections

Because the malicious activity occurs at the browser level, security controls perceive transactions as legitimate.

Option B is correct.

Option A (XSS) is detectable via content security policies.

Option C is mitigated by regenerating session IDs.

Option D is ineffective against encrypted sessions.

CEH emphasizes MitB attacks as a critical threat to online banking systems.

The attackers described are most consistent with black hat hackers because their actions are clearly unauthorized, intentionally harmful, and motivated by financial gain. They compromise a financial institution, deploy credential-stealing malware, exfiltrate customer account data, and then sell the stolen information on underground forums. This aligns with criminal hacking behavior: monetizing access and stolen data through illicit marketplaces, fraud, and repeated targeting of similar victims.

The scenario explicitly rules out ideologically motivated activity: “no political or social statements are made.” That makes hacktivists unlikely, since hacktivism typically involves a political, social, or ideological motive and often seeks publicity for a cause (defacements, leaks, DDoS protests). It also rules out ethical categories: white hat hackers operate with authorization and report findings to improve security rather than steal and sell credentials. Script kiddies are generally low-skill attackers who rely on existing tools and scripts; while they can cause harm, the scenario highlights sustained targeting, credential theft, and underground monetization—behavior more strongly associated with organized cybercriminals/black hats.

Black hats typically pursue objectives like theft of credentials, financial fraud, ransomware deployment, and sale of access or data. Their operations often emphasize anonymity, operational security, and repeatability across many similar targets—consistent with “continuing to target similar organizations for financial gain.”

Therefore, the most likely category is A. Black Hat hackers.