During a penetration test, you identify an application vulnerability that could be exploited using a specific tool. However, the tool is known to sometimes cause service disruptions. The rules of engagement given by the client strictly forbid any actions that could lead to denial of service. What is the most appropriate course of action?
Discuss the potential use of the tool with the client to obtain explicit permission or alternative instructions.
Proceed with using the tool without informing the client, since identifying vulnerabilities is a higher priority.
Use the tool but monitor the application closely and stop the test if any disruptions are detected.
Use the tool during off-peak hours to minimize the risk of causing a denial of service.
The correct answer is 'Discuss the potential use of the tool with the client to obtain explicit permission or alternative instructions,' because it aligns with the ethical hacking mindset of maintaining professionalism and integrity, and it keeps the engagement within the agreed rules of engagement. Using the tool without client permission, even if it could yield essential findings, would violate the agreed-upon terms and might lead to service disruptions, legal implications, or damage to the professional relationship. The other options do not resolve the conflict: monitoring and stopping only reacts after a disruption has already occurred, and running the tool during off-peak hours reduces the impact but not the prohibited risk. By involving the client in the decision-making, the penetration tester respects the client's boundaries while also advocating for a thorough security assessment, for example by requesting a written amendment to the rules of engagement, a maintenance window, or a non-production target where the tool can be used safely.