nerdexam
EC-Council

312-50V10 · Question #701

A company's security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?

The correct answer is B. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user's. Deleting cookies on browser close mitigates session hijacking, where attackers steal session cookies to impersonate authenticated users on trusted websites.

Session Hijacking

Question

A company's security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?

Options

  • AAttempts by attackers to access the user and password information stored in the company's SQL
  • BAttempts by attackers to access Web sites that trust the Web browser user by stealing the user's
  • CAttempts by attackers to access password stored on the user's computer without the user's
  • DAttempts by attackers to determine the user's Web browser usage patterns, including when sites

How the community answered

(42 responses)
  • A
    10% (4)
  • B
    71% (30)
  • C
    5% (2)
  • D
    14% (6)

Why each option

Deleting cookies on browser close mitigates session hijacking, where attackers steal session cookies to impersonate authenticated users on trusted websites.

AAttempts by attackers to access the user and password information stored in the company's SQL

SQL injection targets server-side database queries and is not related to browser cookies stored on the client; deleting cookies has no effect on SQL injection attack surfaces.

BAttempts by attackers to access Web sites that trust the Web browser user by stealing the user'sCorrect

HTTP session cookies store authentication tokens that websites use to recognize a logged-in user. If an attacker steals these cookies via XSS, network sniffing, or physical access, they can present them to the website and gain access as that user without needing credentials. Deleting cookies at session end ensures stolen cookies become immediately invalid once the legitimate user closes the browser.

CAttempts by attackers to access password stored on the user's computer without the user's

Locally stored passwords in a password manager or browser vault are a separate storage mechanism from HTTP cookies, and clearing cookies does not protect those credential stores.

DAttempts by attackers to determine the user's Web browser usage patterns, including when sites

Browser usage pattern tracking through cookies is a privacy concern mitigated by this policy as a secondary effect, but it is not the primary security breach - session hijacking is the principal threat the policy addresses.

Concept tested: Session cookie hijacking mitigation via cookie deletion policy

Source: https://owasp.org/www-community/attacks/Session_hijacking_attack

Topics

#HTTP cookies#session hijacking#cookie theft#browser security

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice