A contract prohibits DoS testing, but a tester finds a WAF that could be tested with a technique resembling slowloris. What is the best course of action?
Proper to obtain permission before testing.
Why this answer
Option D is correct because the tester should request a scope change to include DoS testing after explaining the risk. Option A is wrong because it violates the contract. Option B is wrong because even a single request might be considered excessive.
Option C is wrong because it does not address the prohibition.