11.7k views · 1 vote
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier, which gives an attacker the opportunity to steal authenticated sessions, describes which of the following?

1) Cross-Site Scripting (XSS)
2) Cross-Site Request Forgery (CSRF)
3) Session Fixation
4) Clickjacking

by AkkeyLab (8.3k points)

1 Answer

6 votes

Final answer:

The described scenario is called Session Fixation, a security exploit where an attacker hijacks a user session by exploiting the reuse of a valid session ID.

Step-by-step explanation:

The scenario described in the question indicates Session Fixation, one of the methods through which hackers can gain unauthorized access to a system. In session fixation attacks, the attacker tricks the victim into using a specific session identifier. After the victim logs in, the attacker uses that pre-determined session ID to hijack their session and gain access to the user's account without needing to know the username and password. This type of attack exploits the vulnerability of a system that doesn't assign a new session ID when authenticating a new session.

by Nicearma (7.9k points)
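Added example, not part of the question or the answer above: a toy Python session store that puts the vulnerable login pattern the answer describes (authenticating inside whatever session the client already holds) beside the mitigated one (invalidating the pre-login session and issuing a fresh id), plus a regression check a developer can run against a login handler. All class and function names are assumptions for illustration.

```python
import secrets


class SessionStore:
    """Minimal server-side session table: session id -> {"user": name or None}."""

    def __init__(self):
        self.sessions = {}

    def new_session(self, user=None):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user}
        return sid

    def resolve(self, presented_id):
        """Return the session id a request belongs to, creating an anonymous
        session if the presented id is unknown (as a pre-login page would)."""
        if presented_id in self.sessions:
            return presented_id
        return self.new_session()

    def user_for(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def login_keeps_id(store, presented_id, username):
    """Vulnerable pattern: authenticate inside the session the client presented."""
    sid = store.resolve(presented_id)
    store.sessions[sid]["user"] = username
    return sid


def login_rotates_id(store, presented_id, username):
    """Mitigated pattern: drop the pre-login session and issue a fresh id."""
    store.sessions.pop(presented_id, None)
    return store.new_session(user=username)


def fixation_check(login_fn):
    """Regression check: after login, does a session id that existed *before*
    authentication still map to the authenticated user? True means the
    handler reuses the pre-login id and is open to session fixation."""
    store = SessionStore()
    pre_login_id = store.resolve(None)        # anonymous session issued before login
    login_fn(store, pre_login_id, "alice")    # user logs in while holding that id
    return store.user_for(pre_login_id) == "alice"


if __name__ == "__main__":
    print("login_keeps_id vulnerable:", fixation_check(login_keeps_id))      # True
    print("login_rotates_id vulnerable:", fixation_check(login_rotates_id))  # False
```

The same check applies to a real framework: the session cookie value captured before login must be rejected (or map to no user) after the login response is received.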