Final answer:
The scenario involves a security vulnerability where the lack of authentication in a password change request allows unauthorized access to an Active Directory system.
Step-by-step explanation:
In this question, the subject is Computers and Technology. The scenario described is related to security vulnerabilities and the potential for unauthorized access to an Active Directory system.
The issue arises from the lack of authentication required for the password change HTTP request. Because the session cookie was saved locally, the user remains perpetually logged on to the website, allowing the penetration tester to execute the password change request without the need for additional authentication. With this access, they could then log on to Active Directory as a high-level employee.
This scenario highlights the importance of secure authentication protocols, such as requiring additional credentials for critical actions like changing passwords. It also emphasizes the significance of protecting session cookies and regularly reviewing and updating security measures to prevent unauthorized access.
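The mitigation described above, sketched as an added example that is not part of the original answer: a password-change handler that trusts the session cookie alone, next to one that demands the current password and a recent login. All function names, the session dictionary layout and the 15-minute limit are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

MAX_SESSION_AGE = 15 * 60  # assumed policy: older sessions must log in again

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_pw(password, salt)}

def verify(user, password):
    # Constant-time comparison of the derived hash with the stored one.
    return hmac.compare_digest(hash_pw(password, user["salt"]), user["pw_hash"])

def change_password_weak(user, session, new_password):
    # The flaw from the scenario: a saved session cookie is the only check,
    # so anyone holding the cookie can set a new password.
    if not session.get("authenticated"):
        return False
    user["pw_hash"] = hash_pw(new_password, user["salt"])
    return True

def change_password_hardened(user, session, current_password, new_password, now=None):
    now = time.time() if now is None else now
    if not session.get("authenticated"):
        return False
    # A long-lived ("perpetual") session is not enough for a critical action.
    if now - session["issued_at"] > MAX_SESSION_AGE:
        return False
    # Re-authenticate: the caller must prove knowledge of the current password.
    if not verify(user, current_password or ""):
        return False
    user["salt"] = os.urandom(16)
    user["pw_hash"] = hash_pw(new_password, user["salt"])
    session["authenticated"] = False  # invalidate the session, force a fresh login
    return True

if __name__ == "__main__":
    # Constructed sample data: a session cookie issued at t=1000 seconds.
    victim = make_user("Old-Pass-1")
    cookie = {"authenticated": True, "issued_at": 1000.0}
    print("weak handler, cookie only:", change_password_weak(victim, dict(cookie), "x"))
    victim = make_user("Old-Pass-1")
    print("hardened, no current password:",
          change_password_hardened(victim, dict(cookie), "", "x", now=1010.0))
```
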