Exam PT0-003 Topic 1 Question 63 Discussion
Actual exam question for CompTIA's PT0-003 exam
Question #: 63
Topic #: 1
A penetration tester enters an invalid user ID on the login page of a web application. The tester receives a message indicating the user is not found. Then the tester tries a valid user ID with an incorrect password, and the web application indicates the password is invalid. Which of the following should the tester attempt next?
Suggested Answer: C
The application is giving distinct error messages for valid vs. invalid usernames. This is a classic case of user enumeration, where an attacker can determine valid accounts before proceeding to brute-force or password attacks.
From the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 6 - Vulnerability Identification):
"Authentication systems that return different error messages based on the validity of the username can allow attackers to enumerate valid accounts."
by Caesar at Jun 24, 2026, 03:46 AM
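The enumeration the comment above describes, as an added example (not part of the exam page or the commenter's post): a constructed in-memory login handler that leaks username validity through two different error messages, the hardened version that returns one generic message and always performs the hash comparison, and the check a tester would run to tell valid from invalid usernames by diffing responses. The user table, passwords, salt and candidate list are all made-up assumptions.

```python
# Added example, not from the exam page: username enumeration through
# distinct login error messages, and the fix. All data below is constructed.
import hashlib
import hmac
import secrets

_SALT = b"constructed-salt"  # assumption: a fixed per-site salt for the toy store


def _hash(salt: bytes, password: str) -> bytes:
    """Salted SHA-256 of the password (toy scheme, enough to show the logic)."""
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed user store: username -> (salt, digest). Not real accounts.
USERS = {
    "alice": (_SALT, _hash(_SALT, "correct horse")),
    "bob": (_SALT, _hash(_SALT, "battery staple")),
}

# Random digest used for unknown usernames so the hardened handler always
# does the same amount of work whether or not the account exists.
_DUMMY = (_SALT, _hash(_SALT, secrets.token_hex(16)))


def login_leaky(username: str, password: str) -> str:
    """Vulnerable handler: the message itself says whether the user exists."""
    record = USERS.get(username)
    if record is None:
        return "User not found"
    salt, digest = record
    if not hmac.compare_digest(_hash(salt, password), digest):
        return "Invalid password"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """Fixed handler: one generic message for both failure cases, and the
    hash is computed even for unknown users to avoid a timing side channel."""
    salt, digest = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(salt, password), digest) and username in USERS
    return "OK" if ok else "Invalid username or password"


def enumerate_users(login, candidates, bogus_password="definitely-wrong"):
    """Tester's check: record the response for a username that is almost
    certainly unknown, then flag every candidate whose response differs.
    Against a leaky app this returns the valid usernames; against a
    hardened app it returns nothing."""
    baseline = login("zz-" + secrets.token_hex(8), bogus_password)
    return sorted(u for u in candidates if login(u, bogus_password) != baseline)


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol", "dave"]  # constructed candidate list
    print("leaky app leaks:", enumerate_users(login_leaky, wordlist))
    print("hardened app leaks:", enumerate_users(login_hardened, wordlist))
```

Against a real target the same diff is done on the HTTP response (status code, body text, and response time), not just a string, since applications that fix the message often still differ in one of the other two.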