nerdexam
GIAC

GCIH · Question #700

During the identification phase of a Web server compromise, you notice the following entries in the web server logs. If "admin" is a valid username, but its corresponding password is not "pass1", and

The correct answer is C. This is a session hijacking attack. The web server logs, combined with the knowledge that valid and invalid usernames produce different server responses, point to a session hijacking attack rather than a credential-based attack.

Web Application Attacks & Post-Exploitation

Question

During the identification phase of a Web server compromise, you notice the following entries in the web server logs. If "admin" is a valid username, but its corresponding password is not "pass1", and "root" is not a valid username, what can you infer solely from these logs?

Exhibit

GCIH question #700 exhibit

Options

  • AThis is a web spidering attack using wget
  • BThis is an account harvesting attack
  • CThis is a session hijacking attack
  • DThis is a password brute-forcing attack

How the community answered

(24 responses)
  • A
    8% (2)
  • B
    21% (5)
  • C
    67% (16)
  • D
    4% (1)

Why each option

The web server logs, combined with the knowledge that valid and invalid usernames produce different server responses, point to a session hijacking attack rather than a credential-based attack.

AThis is a web spidering attack using wget

Web spidering with tools like wget is used to crawl and map web content, not to manipulate authentication sessions or test login credentials.

BThis is an account harvesting attack

Account harvesting exploits differential error responses to enumerate valid usernames, but the scenario already reveals which accounts are valid, pointing away from enumeration as the goal.

CThis is a session hijacking attackCorrect

Session hijacking involves an attacker exploiting an existing authenticated session rather than guessing credentials. The log context - showing that 'pass1' is not the password for the valid user 'admin' and 'root' is not a valid user at all - suggests the attacker is not relying on credential guessing but is instead attempting to capture or forge a session token to impersonate an authenticated user without needing correct credentials.

DThis is a password brute-forcing attack

Password brute-forcing systematically tries many passwords against a known valid username, which is inconsistent with the single-attempt pattern and the presence of an invalid username in the logs.

Concept tested: Identifying session hijacking from web server log analysis

Source: https://owasp.org/www-community/attacks/Session_hijacking_attack

Topics

#web server logs#session hijacking#attack identification#log analysis

Community Discussion

No community discussion yet for this question.

Full GCIH Practice