Question

Authenticating a user, or otherwise establishing new user session, without invalidating any existing session identifier which allows an attacker the opportunity to steal authenticated sessions, describes which of the following?

a)Session Hijacking
b)Session Fixation
c)Session Takeover
d)Session Sequencing

Answer 1

The correct answer is Session Fixation, which is when an attacker sets a known session identifier that a user later uses to authenticate, allowing the attacker to hijack the session.

Step-by-step explanation:

The scenario you've described is an example of a Session Fixation attack. This type of security vulnerability occurs when a system accepts an existing, valid session identifier from an attacker, allowing the attacker to fixate (set) a known session identifier to be used by a user.

After the user logs in using this session identifier, the attacker, who knows this identifier, can hijack the user's authenticated session. This differs from Session Hijacking, where an attacker takes over a user's existing session post-authentication, and Session Takeover, which is a broader term that encompasses several types of attacks leading to unauthorized session control. Session Sequencing isn't typically used as a term in this context.