Section 19.183 Session Hijacking Flashcards
Objective 2.4 Given a scenario, you must be able to analyse indicators of malicious activity
Session Management
Fundamental security component of a web application that lets the application recognise the same user across many separate actions and requests (HTTP itself is stateless), keep the state the user has built up, and ensure that state is associated only with that user
Cookie
Small piece of data (name=value pairs, optionally with attributes) that a web server sets in the browser and that the browser sends back with every later request to that site
■ Cookies must be protected because they carry client information across the Internet; a session cookie in particular is a bearer token, so whoever holds it is treated as that user
Session cookies
Non-persistent; reside in memory and are deleted when the browser instance is closed
Persistent Cookies
Cookies that are stored on disk in the browser's cookie store until they are deleted by the user or pass a defined expiration date (the Expires or Max-Age attribute)
● Cookies should be encrypted if they store confidential information, integrity-protected so the client cannot alter them unnoticed, and sent with the Secure (HTTPS only), HttpOnly (no script access) and SameSite attributes so they are harder to steal
Session Hijacking
An attack in which the attacker takes over an established session between a client and a server. At the network level it is a spoofing attack: the attacker disconnects the legitimate host and then takes its place by spoofing the original host's IP address. At the web application level the attacker instead obtains or forges the session token that identifies the victim's session
■ Web session hijacking attacks can occur through the theft or modification of cookies (for example, by sniffing an unencrypted connection or through cross-site scripting)
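Because a hijacked session presents a valid cookie, the indicator is not the token itself but where it is used from. The following added example (written for this page, not part of the original course material) binds each session ID to the client that first presented it and flags later use of the same ID from a different IP address and User-Agent. The log format and the sample lines are constructed for the example; real servers log differently.

```python
import re

# Constructed access-log format for this example (not a real server format):
#   <epoch-seconds> sid=<session id> ip=<client ip> ua="<user agent>"
LOG_RE = re.compile(r'^(\d+) sid=(\S+) ip=(\S+) ua="([^"]*)"$')

# Constructed sample log: session s1 is used normally, then presented from a
# different address with a scripting client; session s2 only changes address.
SAMPLE_LOG = """\
1700000000 sid=s1 ip=198.51.100.23 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
1700000030 sid=s1 ip=198.51.100.23 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
1700000045 sid=s2 ip=203.0.113.7 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1"
1700000060 sid=s1 ip=192.0.2.99 ua="python-requests/2.31"
1700000090 sid=s2 ip=203.0.113.8 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1"
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, session id, ip, user agent)."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, sid, ip, ua = m.groups()
    return int(ts), sid, ip, ua


class SessionMonitor:
    """Remembers the client that first presented each session ID and rates
    later mismatches. IP alone changes legitimately (mobile networks, NAT),
    so IP *and* User-Agent changing together is the strong indicator."""

    def __init__(self):
        self.bindings = {}  # session id -> (ip, user agent) seen at first use

    def observe(self, ts, sid, ip, ua):
        bound = self.bindings.get(sid)
        if bound is None:
            self.bindings[sid] = (ip, ua)
            return None
        bound_ip, bound_ua = bound
        if ip != bound_ip and ua != bound_ua:
            return ("high", sid, ts, f"{sid} bound to {bound_ip} / {bound_ua!r} "
                                     f"now presented from {ip} / {ua!r}")
        if ua != bound_ua:
            return ("medium", sid, ts, f"{sid} User-Agent changed mid-session to {ua!r}")
        if ip != bound_ip:
            return ("low", sid, ts, f"{sid} address changed {bound_ip} -> {ip}")
        return None


def scan_log(text):
    """Run the monitor over a whole log; returns the list of alerts raised."""
    monitor = SessionMonitor()
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = monitor.observe(*parse_line(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for severity, sid, ts, message in scan_log(SAMPLE_LOG):
        print(f"[{severity}] t={ts} {message}")
```

The same binding check can be enforced server-side on each request (invalidate the session on a high-severity mismatch) rather than only in log review; the trade-off is false positives for users whose address legitimately changes, which is why the example rates an IP-only change as low.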
Session Prediction Attacks
A type of spoofing attack where the attacker attempts to guess or calculate a valid session token in order to hijack a session
■ A session token must be generated with a cryptographically secure random number generator so it cannot be predicted, must have enough entropy to resist brute-force guessing, and must not reveal any information about the session or the client (no embedded user ID, counter or timestamp)
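To make the prediction attack concrete, the following added example (constructed for this page, not code from the original course) contrasts a deliberately weak token scheme, a counter plus the issuance time rendered in hex, with tokens drawn from the operating system's CSPRNG via the standard `secrets` module. The attacker logs in twice, infers the counter from the two tokens it received, and guesses the token the next user will be issued. The class and function names are the example's own.

```python
import secrets
import time


class WeakTokenIssuer:
    """Constructed example of a PREDICTABLE scheme: an 8-hex-digit counter
    followed by the 8-hex-digit epoch second of issuance. It looks random
    at a glance but both inputs are guessable, and the token also leaks
    when the session was created."""

    def __init__(self, start_counter=1000, clock=time.time):
        self.counter = start_counter
        self.clock = clock  # injectable so the demo is deterministic

    def issue(self):
        self.counter += 1
        return f"{self.counter:08x}{int(self.clock()):08x}"


class StrongTokenIssuer:
    """128 bits from the OS CSPRNG: what a session token should be."""

    def issue(self):
        return secrets.token_hex(16)


def decode_weak_token(token):
    """Shows the information leak: anyone can read the counter and time back."""
    return int(token[:8], 16), int(token[8:16], 16)


def predict_next(observed, now):
    """Attacker's side of a session prediction attack: from two tokens issued
    to the attacker's own logins, infer the counter step and build the token
    the next victim will receive at time `now`."""
    counters = [int(t[:8], 16) for t in observed]
    step = counters[-1] - counters[-2]
    return f"{counters[-1] + step:08x}{int(now):08x}"


def prediction_succeeds(issuer, now):
    """Run the attack against an issuer. True means the attacker's guess
    equals the token actually handed to the next (victim) session."""
    attacker_tokens = [issuer.issue(), issuer.issue()]
    guess = predict_next(attacker_tokens, now)
    victim_token = issuer.issue()
    return guess == victim_token


if __name__ == "__main__":
    fixed_clock = lambda: 1_700_000_000
    print("weak scheme predicted:",
          prediction_succeeds(WeakTokenIssuer(clock=fixed_clock), 1_700_000_000))
    print("CSPRNG scheme predicted:",
          prediction_succeeds(StrongTokenIssuer(), 1_700_000_000))
```

Against the weak issuer the guess is exact; against the CSPRNG issuer the attacker's model has nothing to work with, and the only remaining strategy is brute force over 2^128 values. The same reasoning rules out tokens built from hashing a user ID or timestamp: hashing hides the structure from a glance but not from an attacker who can enumerate the inputs.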
Cookie Poisoning
Modifies the contents of a cookie after it has been generated and sent by the web server to the client's browser, so that the modified cookie can be used to exploit vulnerabilities in the web application (for example, changing a role or user ID the application stored in the cookie and trusts on the next request)
■ Defence: keep only an opaque session token in the cookie and store the state server-side, or sign the cookie so any modification is detected and rejected