312-50V10 · Question #701
A company's security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?
The correct answer is B. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user's. Deleting cookies on browser close mitigates session hijacking, where attackers steal session cookies to impersonate authenticated users on trusted websites.
Question
A company's security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?
Options
- AAttempts by attackers to access the user and password information stored in the company's SQL
- BAttempts by attackers to access Web sites that trust the Web browser user by stealing the user's
- CAttempts by attackers to access password stored on the user's computer without the user's
- DAttempts by attackers to determine the user's Web browser usage patterns, including when sites
How the community answered
(42 responses)- A10% (4)
- B71% (30)
- C5% (2)
- D14% (6)
Why each option
Deleting cookies on browser close mitigates session hijacking, where attackers steal session cookies to impersonate authenticated users on trusted websites.
SQL injection targets server-side database queries and is not related to browser cookies stored on the client; deleting cookies has no effect on SQL injection attack surfaces.
HTTP session cookies store authentication tokens that websites use to recognize a logged-in user. If an attacker steals these cookies via XSS, network sniffing, or physical access, they can present them to the website and gain access as that user without needing credentials. Deleting cookies at session end ensures stolen cookies become immediately invalid once the legitimate user closes the browser.
Locally stored passwords in a password manager or browser vault are a separate storage mechanism from HTTP cookies, and clearing cookies does not protect those credential stores.
Browser usage pattern tracking through cookies is a privacy concern mitigated by this policy as a secondary effect, but it is not the primary security breach - session hijacking is the principal threat the policy addresses.
Concept tested: Session cookie hijacking mitigation via cookie deletion policy
Source: https://owasp.org/www-community/attacks/Session_hijacking_attack
Topics
Community Discussion
No community discussion yet for this question.