312-50V13 · Question #33
A company's security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?
The correct answer is B. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user's. The policy of deleting HTTP cookies upon browser termination aims to prevent attackers from using stolen cookies to impersonate users.
Question
Options
- AAttempts by attackers to access the user and password information stored in the company's SQL
- BAttempts by attackers to access Web sites that trust the Web browser user by stealing the user's
- CAttempts by attackers to access password stored on the user's computer without the user's
- DAttempts by attackers to determine the user's Web browser usage patterns, including when sites
How the community answered
(28 responses)- A4% (1)
- B93% (26)
- D4% (1)
Why each option
The policy of deleting HTTP cookies upon browser termination aims to prevent attackers from using stolen cookies to impersonate users.
HTTP cookies do not typically store direct SQL user and password information; this type of storage would be a severe security vulnerability for a web application.
By automatically deleting HTTP browser cookies upon termination, the policy mitigates the risk of an attacker gaining access to a user's computer and stealing persistent session cookies. These stolen cookies could otherwise be used by the attacker to hijack the user's active sessions and impersonate them on websites that rely on those cookies for authentication or session management.
While some authentication tokens might be in cookies, the primary passwords themselves are generally not stored in clear text or directly accessible formats within cookies for an attacker to steal and use as a 'password'.
While cookies contribute to tracking usage patterns, the more immediate and critical security breach prevented by deleting them upon termination is session hijacking and unauthorized access, not just pattern determination.
Concept tested: Mitigating cookie-based session hijacking
Source: https://www.owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control
Topics
Community Discussion
No community discussion yet for this question.