PT0-003 Question #292: Real Exam Question with Answer & Explanation
The correct answer is C: Session fixation.
Question
During a web application assessment, a penetration tester accesses the site unauthenticated and receives the following Set-Cookie on the first response:

auth=yYKGORbrpabgr842ajbvrpbptaui42342

When the tester logs in, the server sends only one Set-Cookie header, and the value is exactly the same as shown above. Which of the following vulnerabilities has the tester discovered?
Options
- A. JWT manipulation
- B. Cookie poisoning
- C. Session fixation
- D. Collision attack
Explanation
Session fixation occurs when an application accepts a session identifier provided by the client (or set before authentication) and continues to use that same identifier after the user authenticates. In this scenario the server issues the same cookie value both before and after login, indicating the session ID is set pre-authentication and not rotated/renewed on successful authentication -- a classic session fixation vulnerability. An attacker could force or coerce a victim to use a known session ID, then log in and hijack the authenticated session.
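The mechanism in the explanation, and the check a tester applies to the two responses, as an added example written for this page (not code from the exam or from any vendor). It assumes a toy in-memory session store with two login paths, one that keeps the pre-authentication id (the behaviour the question describes) and one that discards it and issues a fresh id; the header strings are constructed to mirror the scenario, and the function and class names are arbitrary.

```python
import secrets
from typing import Dict, Optional, Tuple


class SessionStore:
    """Minimal server-side session store: session id -> authenticated user (None = anonymous)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Optional[str]] = {}

    def new_session(self) -> str:
        # 256 bits from the OS CSPRNG. The id's randomness is not the issue in this
        # question; reusing it across the authentication boundary is.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def user_for(self, sid: Optional[str]) -> Optional[str]:
        return self._sessions.get(sid) if sid is not None else None

    def login_vulnerable(self, sid: Optional[str], user: str) -> str:
        """Fixation-prone login: the pre-authentication id is kept and merely upgraded.

        Whoever already knew the id before login now holds an authenticated session.
        """
        if sid is None or sid not in self._sessions:
            sid = self.new_session()
        self._sessions[sid] = user
        return sid

    def login_fixed(self, sid: Optional[str], user: str) -> str:
        """Rotated login: the pre-auth session is discarded and a fresh id is issued."""
        if sid is not None:
            self._sessions.pop(sid, None)
        fresh = self.new_session()
        self._sessions[fresh] = user
        return fresh


def parse_set_cookie(header: str) -> Optional[Tuple[str, str]]:
    """Return (name, value) of the cookie pair in a Set-Cookie header line, or None."""
    line = header.strip()
    if line.lower().startswith("set-cookie:"):
        line = line.split(":", 1)[1]
    pair = line.split(";", 1)[0].strip()  # drop Path=, HttpOnly, etc.
    if "=" not in pair:
        return None
    name, value = pair.split("=", 1)
    return name.strip(), value.strip()


def session_rotated_on_login(pre_login: Optional[str], post_login: Optional[str],
                             cookie_name: str) -> bool:
    """Assessment check: did the named session cookie change across the login boundary?

    Returns False (a finding) when the post-login value equals the pre-login value,
    or when the login response sets no new value for that cookie at all.
    """
    pre = parse_set_cookie(pre_login) if pre_login else None
    post = parse_set_cookie(post_login) if post_login else None
    pre_value = pre[1] if pre and pre[0] == cookie_name else None
    post_value = post[1] if post and post[0] == cookie_name else None
    if post_value is None:
        return False
    return post_value != pre_value


# Constructed headers mirroring the scenario in the question (same value before and after).
PRE_LOGIN = "Set-Cookie: auth=yYKGORbrpabgr842ajbvrpbptaui42342; Path=/; HttpOnly"
POST_LOGIN_SAME = "Set-Cookie: auth=yYKGORbrpabgr842ajbvrpbptaui42342; Path=/; HttpOnly"


def demo() -> Dict[str, bool]:
    """Run both login paths and the header check; every entry should be True."""
    vuln, fixed = SessionStore(), SessionStore()
    anon_v = vuln.new_session()    # id handed to the unauthenticated visitor
    anon_f = fixed.new_session()
    return {
        "vulnerable_keeps_id": vuln.login_vulnerable(anon_v, "alice") == anon_v,
        "fixed_rotates_id": fixed.login_fixed(anon_f, "alice") != anon_f,
        "old_id_dead_after_fix": fixed.user_for(anon_f) is None,
        "header_check_flags_finding": not session_rotated_on_login(PRE_LOGIN, POST_LOGIN_SAME, "auth"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check deliberately treats a login response that sets no new cookie as the same finding: the server is silently keeping whatever session id the client presented, which is exactly the condition the question tests. The mitigation is the `login_fixed` pattern, invalidating the pre-authentication session server-side and issuing a new id on every privilege change.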