Exam 312-50v11 topic 1 question 188 discussion

Actual exam question from ECCouncil's 312-50v11
Question #: 188
Topic #: 1

Boney, a professional hacker, targets an organization for financial benefits. He performs an attack by sending his session ID using an MITM attack technique.
Boney first obtains a valid session ID by logging into a service and later feeds the same session ID to the target employee. The session ID links the target employee to Boney's account page without disclosing any information to the victim. When the target employee clicks on the link, all the sensitive payment details entered in a form are linked to Boney's account.
What is the attack performed by Boney in the above scenario?

  • A. Forbidden attack
  • B. CRIME attack
  • C. Session donation attack
  • D. Session fixation attack
Suggested Answer: C

Comments

Scryptic
Highly Voted 2 years, 8 months ago
This is from the EC-Council Course, Module 11, Page 1414: In a session donation attack, the attacker donates their own session ID to the target user. In this attack, the attacker first obtains a valid session ID by logging into a service and later feeds the same session ID to the target user. This session ID links a target user to the attacker’s account page without disclosing any information to the victim. When the target user clicks on the link and enters the details (username, password, payment details, etc.) in a form, the entered details are linked to the attacker’s account. To initiate this attack, the attacker can send their session ID using techniques such as cross-site cooking, an MITM attack, and session fixation. A session donation attack involves the following steps.
upvoted 33 times
uday1985
1 year, 11 months ago
So it's the case of what EC-Council feels like naming it? Everywhere it's fixation; only EC it's donation!
upvoted 3 times
josevirtual
1 year, 4 months ago
Not exactly. As I understand, with session fixation the attacker gets the possibility of logging in to the victim's account using the session ID that he/she provided to the user. Whereas with session donation, the victim will use a link of the attacker's account to introduce financial data, but in this case the account was created by the attacker. https://skanyi.github.io/blog/cyber-security/what-is-session-hijacking-and-how-to-prevent-it/ https://pwnlab.me/en-session-security/
upvoted 2 times
[Removed]
Highly Voted 2 years, 11 months ago
This is a session donation attack. In session donation, the attacker logs into a service, removes their account credentials, and then sends the valid session ID to the victim. In a session fixation attack, the attacker makes a connection to the server to obtain a valid SID but they do not have to log in.
upvoted 14 times
BallCS
Most Recent 3 months, 1 week ago
Selected Answer: D
Key differences between Session Donation Attack and Session Fixation Attack:
Session Donation Attack:
  • Attacker willingly shares their valid session with victims
  • Often appears as legitimate sharing of access
  • Usually requires victim's cooperation
  • Common in scenarios where sharing access seems beneficial
Session Fixation Attack:
  • Attacker forces a known session ID onto victim
  • No willing participation from victim
  • Works by pre-establishing session before victim logs in
  • Attacker maintains control of session throughout attack
  • More malicious and deceptive in nature
The key distinction is control and consent - donation involves willing sharing while fixation involves forced session manipulation.
upvoted 1 times
MH2
7 months, 4 weeks ago
Selected Answer: C
In a session donation attack, the attacker donates their own session ID to the target user. In this attack, the attacker first obtains a valid session ID by logging into a service and later feeds the same session ID to the target user. This session ID links a target user to the attacker’s account page without disclosing any information to the victim. When the target user clicks on the link and enters the details (username, password, payment details, etc.) in a form, the entered details are linked to the attacker’s account. To initiate this attack, the attacker can send their session ID using techniques such as cross-site cooking, an MITM attack, and session fixation. A session donation attack involves the following steps. CEH pg 920
upvoted 1 times
ostorgaf
8 months ago
Selected Answer: C
In a session donation attack, the attacker donates their own session ID to the target user. In this attack, the attacker first obtains a valid session ID by logging into a service and later feeds the same session ID to the target user. This session ID links a target user to the attacker’s account page without disclosing any information to the victim. When the target user clicks on the link and enters the details (username, password, payment details, etc.) in a form, the entered details are linked to the attacker’s account. To initiate this attack, the attacker can send their session ID using techniques such as cross-site cooking, an MITM attack, and session fixation.
upvoted 1 times
Alvinjegan
9 months ago
Simple example of a session fixation attack: (1) the attacker has to establish a legitimate connection with the web server, which (2) issues a session ID, or the attacker can create a new session with the proposed session ID; then (3) the attacker has to send a link with the established session ID to the victim, who has to click on the link sent from the attacker to access the site; (4) the web server sees that a session was already established and a new one need not be created; (5) the victim provides their credentials to the web server; (6) knowing the session ID, the attacker can access the user’s account.
upvoted 1 times
victorfs
12 months ago
Selected Answer: D
The correct option is D: session fixation attack. Options A and C don't exist! Option B is about SSL/TLS, so it is not for this question.
upvoted 1 times
VOAKDO
1 year, 3 months ago
Selected Answer: C
C Donation: uses ALWAYS MITM. Fixation: never, never, never...uses MITM.
upvoted 3 times
asadeyemo
1 year, 3 months ago
The attack is session donation. In session donation, the account is an attacker's account page; the attacker deceives the victim into providing his personal details as if he owns the account page. In session fixation, the attacker pre-determined the session ID of the victim, used it to create a session, and fixed it for the victim.
upvoted 1 times
Teesmd
1 year, 4 months ago
D seems to be the answer according to CEH: Matt Walker ALL in One book. Page 261 gave the definition. In addition: Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application.
Session fixation scenario:
1. The attacker accesses the web application login page and receives a session ID generated by the web application.
2. The attacker uses an additional technique such as CRLF Injection, man-in-the-middle attack, social engineering, etc., and gets the victim to use the provided session identifier.
3. The victim accesses the web application login page and logs in to the application. After authenticating, the web application treats anyone who uses this session ID as if they were this user.
4. The attacker uses the session ID to access the web application, take over the user session, and impersonate the victim.
upvoted 2 times
josevirtual
1 year, 4 months ago
Selected Answer: C
Session donation. The key is that the victim accesses the attacker's account and provides the financial data. With Session Fixation the attacker gets access to the user account by fooling him/her into using a specific session ID.
upvoted 2 times
Daniel8660
1 year, 6 months ago
Selected Answer: C
Application Level Session Hijacking - Session Donation Attack: An attacker donates his/her own session identifier (SID) to the target user. The attacker first obtains a valid SID by logging into a service and later feeds the same SID to the target user. This SID links a target user back to the attacker’s account page without any information to the victim. When the target user clicks on the link and enters the details (username, password, payment details, etc.) in a form, the entered details are linked to the attacker’s account. (P.1430/1414)
upvoted 3 times
sn30
1 year, 7 months ago
Selected Answer: C
Correct answer is C, session donation
upvoted 1 times
Fedrehopsu
1 year, 8 months ago
Selected Answer: C
Page number 1414 in EC-Council material
upvoted 1 times
BIOLorenz
1 year, 9 months ago
Selected Answer: C
Module 11, Page 1414: Session Hijacking Using Session Donation Attack. In a session donation attack, the attacker donates their own session ID to the target user. In this attack, the attacker first obtains a valid session ID by logging into a service and later feeds the same session ID to the target user. This session ID links a target user to the attacker’s account page without disclosing any information to the victim. When the target user clicks on the link and enters the details (username, password, payment details, etc.) in a form, the entered details are linked to the attacker’s account. To initiate this attack, the attacker can send their session ID using techniques such as cross-site cooking, an MITM attack, and session fixation.
upvoted 2 times
eusoueu
1 year, 9 months ago
The correct answer is session donation attack
upvoted 1 times
jijin
1 year, 11 months ago
Selected Answer: D
Session fixation attack: Session Fixation is an attack that allows an attacker to hijack a sound user session. The attack explores a limitation within the means the net application manages the session ID, a lot of specifically the vulnerable web application. Once authenticating a user, it doesn’t assign a new session ID, creating it possible to use an existent session ID. The attack consists of getting a valid session ID (e.g. by connecting to the application), inducing a user to authenticate himself with that session ID, then hijacking the user-validated session by the data of the used session ID. The attacker has got to give a legitimate internet application session ID and try to make the victim’s browser use it.
upvoted 1 times
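The distinction argued over in the comments above, modelled as server-side session state. This is an added example, not part of the original thread or of any EC-Council material; `SessionStore` and its methods are hypothetical names for a toy in-memory store. It shows that issuing a new session ID at login defeats fixation but not donation, where the session is already bound to the donor's account.

```python
import secrets


class SessionStore:
    """Toy in-memory session store (hypothetical, constructed for illustration)."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session ID -> account name, or None before login

    def open_session(self, presented_sid=None):
        # Only IDs this server issued are honoured; anything else gets a fresh ID.
        if presented_sid in self.sessions:
            return presented_sid
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, sid, user):
        if self.rotate_on_login:
            # Hardened behaviour: the pre-login ID dies at authentication.
            self.sessions.pop(sid, None)
            sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


def fixation_outcome(store):
    """Account that a pre-login ID resolves to after someone else logs in with it."""
    pre_login_sid = store.open_session()            # ID issued before any login
    victim_sid = store.open_session(pre_login_sid)  # same ID presented by the victim
    store.login(victim_sid, "victim")               # victim authenticates
    return store.whoami(pre_login_sid)


def donation_outcome(store):
    """Account that receives data entered under an already-authenticated, donated ID."""
    donor_sid = store.login(store.open_session(), "attacker")
    victim_sid = store.open_session(donor_sid)      # same ID presented by the victim
    return store.whoami(victim_sid)


if __name__ == "__main__":
    for rotate in (False, True):
        print("rotate_on_login =", rotate,
              "| fixation ->", fixation_outcome(SessionStore(rotate)),
              "| donation ->", donation_outcome(SessionStore(rotate)))
```

Because rotation does not change the donation result, applications also need controls on the other side: refusing session IDs carried in links and showing the signed-in account before collecting payment details.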