A penetration tester performs a vulnerability scan on a company’s web server and identifies several medium-risk vulnerabilities related to misconfigured settings. What should the tester do to verify the vulnerabilities?
A.
Use publicly available tools to exploit the vulnerabilities and confirm their impact
B.
Ignore the vulnerabilities since they are medium-risk
C.
Perform a brute-force attack on the web server's login page
D.
Conduct a denial-of-service (DoS) attack to test the server's resilience
CEH v13 emphasizes that after identifying vulnerabilities during scanning, testers must validate findings to determine real impact and eliminate false positives. This requires safe, controlled exploitation using approved tools such as Metasploit, Nikto, or custom proof-of-concept scripts. Misconfigurations labeled as medium-risk may still provide privilege escalation, data exposure, or footholds for further attacks. CEH methodology reinforces that exploitation should always follow the scope and rules of engagement and should avoid disruptive activities like brute-forcing or DoS attacks unless explicitly authorized. Ignoring the vulnerabilities is never acceptable in a professional assessment. Verifying the issue helps the organization prioritize remediation using evidence-based results. Therefore, the correct next step is to verify the vulnerability through controlled exploitation.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit