A company’s security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?
A. Attempts by attackers to access the user and password information stored in the company’s SQL database.
B. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user’s authentication credentials.
C. Attempts by attackers to access passwords stored on the user’s computer without the user’s knowledge.
D. Attempts by attackers to determine the user’s Web browser usage patterns, including when sites were visited and for how long.
HTTP cookies may store authentication tokens (session IDs), allowing users to remain logged in. If a browser retains those cookies after it closes, an attacker who later gains access to the device or its cookie store could reuse them to hijack the user’s still-valid sessions on the sites that trust that browser.
Automatically deleting cookies upon termination shortens the time a stored token remains usable and so reduces the window of opportunity for session hijacking.
Reference – CEH v13 Official Study Guide:
Module 11: Hacking Web Applications
Topic: Session Management
Quote:
“Session hijacking exploits persistent cookies or session IDs stored in browsers. Enforcing cookie deletion helps prevent this attack.”
Incorrect Options:
A. SQL databases are unrelated to browser cookies.
C. Browser cookies don’t store OS-level passwords.
D. Usage-pattern tracking may be a secondary concern, but it is not the primary mitigation.
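As an added illustration (not part of the question or the study-guide text), the Python below audits a set of constructed Set-Cookie headers to show which cookies a browser would still hold after it terminates: a persistent cookie carrying a session or auth token is exactly what the policy in the question keeps from lingering on the device. The header values and the AUTH_HINTS name heuristic are assumptions made for this example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers for the example (not from any real site).
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "auth_token=tok456; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; HttpOnly",
    "theme=dark; Path=/; Max-Age=31536000",
    "remember_me=xyz789; Path=/; Max-Age=2592000; Secure",
]

# Assumed heuristic: cookie names that usually carry authentication state.
AUTH_HINTS = ("sess", "auth", "token", "remember", "login")

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs); attribute keys are lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return name.strip(), value, attrs

def is_persistent(attrs, now=None):
    """True if Max-Age or Expires makes the cookie outlive the browser session.
    Per RFC 6265, Max-Age takes precedence over Expires when both are present."""
    now = now or datetime.now(timezone.utc)
    if "max-age" in attrs:
        return int(attrs["max-age"]) > 0
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) > now
    return False  # no lifetime attribute: session cookie, discarded on close

def audit_cookies(headers, now=None):
    """Return findings, keyed by cookie name, for cookies that survive browser termination.
    persistent_auth marks the case the deletion policy is aimed at."""
    findings = {}
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        if not is_persistent(attrs, now):
            continue  # session cookie: nothing left on disk after close
        findings[name] = {
            "persistent_auth": any(hint in name.lower() for hint in AUTH_HINTS),
            "missing_secure": "secure" not in attrs,
            "missing_httponly": "httponly" not in attrs,
        }
    return findings
```

Running audit_cookies(SAMPLE_HEADERS) drops SESSIONID (a true session cookie) and flags auth_token and remember_me as persistent authentication cookies, the ones a forced delete-on-exit policy would remove.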