A penetration testing team is contracted to assess the security of an organization's web application. The scope of engagement explicitly states that social engineering attacks are not allowed. During the reconnaissance phase, which of the following activities should the penetration testers avoid to comply with the engagement rules?
Scan the application's login page for SQL injection vulnerabilities.
Conduct a Cross-Site Request Forgery (CSRF) attack to test for anti-CSRF token implementation.
Execute a Cross-Site Scripting (XSS) attack to test for output encoding and input validation measures.
Perform phishing attempts to gauge the organization's employee awareness and resilience to such attacks.
Since social engineering tests are explicitly disallowed in the scope of engagement, any activity that falls under this category, such as phishing attempts, must be avoided to stay within the rules of engagement. Phishing targets the organization's people rather than the application, which is what makes it social engineering regardless of which phase of the test it is attempted in. SQL injection scanning, CSRF and XSS testing are technical attacks against the web application itself and are not considered social engineering; as long as they are not explicitly excluded from the scope, they can be pursued. The correct answer is the one that respects the client's limitation on the type of testing performed.