13B: Launch Session Attacks

Question 1

A malicious actor steals a user’s session credential then uses it to impersonate the user.

Answer 1

session hijacking

Question 2

Text file used to store information about a user when they visit a website. Some sites use these to support user sessions.

Answer 2

cookie

Question 3

An attack that forces a user to browse a website in the context of a known and valid session.

Answer 3

session fixation

Question 4

This requires having access to the user authentication process itself, so that it can be intercepted and repeated.

Answer 4

session replay

Question 5

A malicious script hosted on the attacker’s site that can exploit a session started on another site in the same browser.

Answer 5

cross site request forgery (CSRF/XSRF)

Question 6

An attack where an attacker takes advantage of the trust established between the server and the resources it can access, including itself.

Answer 6

server site request forgery (SSRF)

Question 7

CompTIA definition: When a user accesses or modifies specific resources that they are not entitled to.
AKA: This type of privilege escalation involves gaining access to the rights of another account—human or machine—with similar privileges.

Answer 7

horizontal escalation

Question 8

When an attacker can perform functions that are normally assigned to users in higher roles, and often explicitly denied to the attacker.

Answer 8

vertical escalation

Question 9

Vulnerabilities that arise from implementation and design issues that lead to unintended behavior.

Answer 9

business logic flaws