312-50v13 Exam Dumps - Certified Ethical Hacker Exam (CEHv13)

Broken Access Control is the correct choice because the scenario describes a user being able to access and modify resources that should be restricted to other users or roles. In CEH-aligned web testing, access control flaws occur when an application fails to enforce authorization checks consistently on the server side. Manipulating session parameters and then retrieving “sensitive medical records not associated with their own account” is a classic indicator of an authorization bypass, often seen as insecure direct object references, parameter tampering, or horizontal and vertical privilege escalation. Horizontal escalation is when one user accesses another user’s data at the same privilege level, while vertical escalation is when a user performs actions reserved for higher-privileged roles. The prompt explicitly states users can perform actions beyond assigned roles, which is the definition of broken authorization enforcement.

The other options do not align with the described root cause. Cryptographic Failures focuses on weak or missing encryption and does not explain why authenticated users can reach unauthorized records. Insecure Deserialization involves unsafe deserialization leading to remote code execution or data tampering via serialized objects, which is not indicated here. Security Misconfiguration is broader and can contribute to exposure, but the scenario emphasizes role and resource permission bypass rather than mis-set server headers, default accounts, or exposed admin interfaces.

Mitigation in CEH best practices includes enforcing server-side authorization on every request, using deny-by-default policies, validating that the authenticated user is allowed to access the specific record identifier, implementing robust role-based access control, logging access denials, and adding automated tests to prevent IDOR and privilege escalation regressions.

The correct answer is C. Insecure Data Storage because the vulnerability described is the storage of sensitive information locally on the mobile device in a manner that is not encrypted and is accessible by simply browsing the file system. In mobile application security, this is a classic risk category: when an app stores confidential data (case notes, client records, tokens, documents, cached responses, databases, logs, or exported files) in clear text or in insecure locations, an attacker who gains device access—or uses backup extraction, file explorers, rooted/jailbroken access, or malware with storage permissions—may retrieve that data without needing to authenticate to the application.

The scenario makes the weakness unmistakable: Daniel can use a “standard explorer tool” to open sensitive records “without any authentication.” This indicates the app is failing to apply appropriate protections such as encryption at rest, secure key handling, proper file permissions, and secure storage mechanisms. In secure mobile design, sensitive records should be encrypted using platform-supported protections (e.g., using OS keystores/keychains for keys, encrypting databases/files, and minimizing local retention). Additionally, apps should avoid storing highly sensitive regulated data unless essential, and should implement secure session controls and data lifecycle management (cache control, expiration, remote wipe support in enterprise settings).

Why the other options are not the best fit: Insecure communication concerns data exposure while transmitted over networks (e.g., lack of TLS, weak TLS, MITM susceptibility), whereas the issue here is purely local storage. Improper credential usage relates to mishandling passwords, tokens, or authentication secrets (hard-coded credentials, weak storage of credentials), but the prompt focuses on stored records themselves. Inadequate privacy controls is broader and typically involves over-collection, improper disclosure, or weak user privacy settings, not direct clear-text storage exposure.

Therefore, the most clearly present OWASP Top 10 Mobile Risk is Insecure Data Storage.

This scenario matches a session fixation attack because Michael sets up a valid session identifier with the application first, then forces the victim to authenticate while using that same pre-established session. In CEH terms, session fixation occurs when an attacker “fixes” or plants a known session ID in the victim’s browser, typically via a crafted URL parameter, cookie setting through a subdomain, or a redirect that preserves a session token. If the application does not regenerate the session ID after login, the victim’s authentication becomes bound to the attacker-known session. The attacker can then reuse that same session ID to access the application as the victim, exactly as described when Michael “uses that session to access the portal” after the employee logs in.

The other options do not fit the mechanism. Session sniffing relies on capturing session tokens from network traffic, usually when encryption is missing or weak, but the question focuses on a link and a pre-initialized session rather than intercepting traffic. Session replay generally refers to capturing and replaying authentication exchanges or tokens, not pre-setting a session before the victim authenticates. “Session donation” is not the standard CEH label for this behavior and is not the best match to the described flow.

CEH-recommended mitigations include regenerating session IDs immediately after authentication and privilege changes, rejecting session IDs supplied in URLs, setting Secure and HttpOnly cookie flags, enforcing SameSite where appropriate, implementing short idle timeouts, and adding server-side controls to detect concurrent use or abnormal session binding changes.

The CEH Mobile Platform Security module explains that mobile antivirus solutions rely heavily on signatures and known exploit patterns. A custom exploit with obfuscation is far more likely to bypass detection.

CEH explicitly teaches that:

Zero-day or unpatched vulnerabilities

Custom, obfuscated payloads

Minimal use of known frameworks

are the most effective for bypassing endpoint defenses during controlled testing.

Option A is correct.

Options B and C are easily detected.

Option D is social engineering, not a technical exploit.

The strongest indicator in this scenario is that multiple compromised hosts are “behaving like zombies,” communicating outbound to a single unfamiliar external IP over high ports, and “silently accept remote instructions” while performing “coordinated background tasks.” In CEH-aligned malware terminology, these are hallmark characteristics of a botnet: a collection of infected endpoints (bots/zombies) under centralized or semi-centralized command-and-control. Worm-like propagation explains how the compromise rapidly expanded across the internal network—using shared folders and stolen credentials for lateral spread—while the “backdoor component” provides persistent remote control functionality once a system is infected. The observed coordination across many hosts strongly suggests the attacker’s goal is not merely individual surveillance of a single machine, but scalable remote control of many machines at once.

Option A, data exfiltration, is plausible in many intrusions, but the question emphasizes orchestration and remote tasking across many endpoints rather than targeted theft from specific repositories. Option B is inconsistent because there is no mention of encryption, ransom notes, or disruption-focused behavior. Option D, a RAT, typically describes remote control of a host, but the scenario’s defining feature is the creation of many “zombies” with coordinated behavior—this aligns more precisely with building a botnet for command and control, which can later be used for data theft, DDoS, spam, or further intrusion operations.

CEH defensive guidance includes monitoring egress traffic anomalies, detecting C2 patterns, segmenting networks to limit worm spread, disabling unnecessary shares, enforcing strong credential hygiene, and using EDR to identify backdoors and lateral movement behaviors.

The Certified Ethical Hacker (CEH) Social Engineering module defines whaling as a highly targeted phishing attack aimed specifically at senior executives or high-ranking personnel.

This scenario exhibits all whaling characteristics: personalization, impersonation of leadership, business-themed content, and tailored malware delivery.

Option D is correct.

Option A involves copying legitimate emails, but does not necessarily target executives.

Option B lacks targeting.

Option C is unrelated to email-based attacks.

CEH stresses executive awareness training to counter whaling attacks.

CEH v13 identifies misconfigured cloud security groups as the leading cause of cloud data exposure. Open ports, public storage buckets, and overly permissive firewall rules frequently expose sensitive data.

Brute force and DoS do not directly expose stored data, and side-channel attacks are rare and advanced.

An HTTP Flood attack is an Application Layer (Layer 7) DDoS attack, as defined in CEH v13. In this attack, the adversary sends a massive number of seemingly legitimate HTTP GET or POST requests to exhaust server resources such as CPU, memory, and application threads.

CEH v13 emphasizes that HTTP floods are difficult to detect because they mimic normal user behavior and often bypass traditional network-layer defenses.

Other attacks operate at lower layers:

ICMP, UDP, and SYN floods target network and transport layers.