
PT0-002 Question #44: Real Exam Question with Answer & Explanation

The correct answer is D: Sessions and cookies. To gain control of the HTTP protocol's state after a user logs in, a penetration tester should target sessions and cookies, as these mechanisms manage authenticated user states.

Attacks and Exploits

Question

Which of the following should a penetration tester attack to gain control of the state in the HTTP protocol after the user is logged in?

Options

  • A. HTTPS communication
  • B. Public and private keys
  • C. Password encryption
  • D. Sessions and cookies

Explanation

To gain control of the HTTP protocol's state after a user logs in, a penetration tester should target sessions and cookies, as these mechanisms manage authenticated user states.

Common mistakes.

  • A. HTTPS communication protects the confidentiality and integrity of data in transit, but attacking it typically involves decrypting traffic, not directly controlling the state of an already logged-in user in the application layer.
  • B. Public and private keys are used for encryption and digital signatures, particularly in SSL/TLS, which secures the communication channel, not the application-level session state.
  • C. Password encryption protects user credentials during storage or transmission. Once a user is logged in, their session state is managed independently of the initial password encryption.

Concept tested. HTTP session management exploitation

Reference. https://owasp.org/www-project-web-security-testing-guide/v41/4-Authentication_Management/

Topics

#Web application security#Session management#Session hijacking#Cookies
