GCIH · Question #700
During the identification phase of a Web server compromise, you notice the following entries in the web server logs. If "admin" is a valid username, but its corresponding password is not "pass1", and
The correct answer is C. This is a session hijacking attack. The web server logs, combined with the knowledge that valid and invalid usernames produce different server responses, point to a session hijacking attack rather than a credential-based attack.
Question
During the identification phase of a Web server compromise, you notice the following entries in the web server logs. If "admin" is a valid username, but its corresponding password is not "pass1", and "root" is not a valid username, what can you infer solely from these logs?
Exhibit
Options
- AThis is a web spidering attack using wget
- BThis is an account harvesting attack
- CThis is a session hijacking attack
- DThis is a password brute-forcing attack
How the community answered
(24 responses)- A8% (2)
- B21% (5)
- C67% (16)
- D4% (1)
Why each option
The web server logs, combined with the knowledge that valid and invalid usernames produce different server responses, point to a session hijacking attack rather than a credential-based attack.
Web spidering with tools like wget is used to crawl and map web content, not to manipulate authentication sessions or test login credentials.
Account harvesting exploits differential error responses to enumerate valid usernames, but the scenario already reveals which accounts are valid, pointing away from enumeration as the goal.
Session hijacking involves an attacker exploiting an existing authenticated session rather than guessing credentials. The log context - showing that 'pass1' is not the password for the valid user 'admin' and 'root' is not a valid user at all - suggests the attacker is not relying on credential guessing but is instead attempting to capture or forge a session token to impersonate an authenticated user without needing correct credentials.
Password brute-forcing systematically tries many passwords against a known valid username, which is inconsistent with the single-attempt pattern and the presence of an invalid username in the logs.
Concept tested: Identifying session hijacking from web server log analysis
Source: https://owasp.org/www-community/attacks/Session_hijacking_attack
Topics
Community Discussion
No community discussion yet for this question.
