An attack that hijacks a valid user session. An attacker attempts to lure a user to authenticate himself or herself with a known session ID and then hijacks the user-validated session with the knowledge of the used session ID.


Multiple Choice


Explanation:
Session fixation is being tested here. In this attack, the attacker supplies or forces a known session identifier before the user logs in and tricks the user into authenticating with that session ID. Because the server keeps the same pre-set identifier after authentication, it now maps that ID to the logged-in user, and the attacker can take over the session simply by presenting the known ID later. The defense is to never let a pre-issued ID survive login: generate a fresh session ID on authentication, invalidate the old one, and follow secure cookie practices (Secure, HttpOnly, and SameSite attributes).

Why the others don't fit: session hijacking involves stealing an already active session token to take over a session, not forcing the user to log in with a pre-known ID. CSRF relies on tricking a user into performing actions in a valid session without taking over the session token itself. Man-in-the-browser involves malware inside the user's browser that captures credentials or sessions, not the pre-login session fixation scenario.

