Certified Ethical Hacker (CEH v11) — Question 66

Boney, a professional hacker, targets an organization for financial benefits. He performs an attack by sending his session ID using an MITM attack technique.
Boney first obtains a valid session ID by logging into a service and later feeds the same session ID to the target employee. The session ID links the target employee to Boney's account page without disclosing any information to the victim. When the target employee clicks on the link, all the sensitive payment details entered in a form are linked to Boney's account.
What is the attack performed by Boney in the above scenario?

Answer options

Correct answer: C

Explanation

The correct answer is C, Session donation attack, as it involves the attacker providing a valid session ID to the victim, allowing the attacker to access the victim's account. The other options do not accurately describe this method: Forbidden attack is not a recognized term, CRIME attack pertains to data compression vulnerabilities, and Session fixation attack involves an attacker setting a session ID before the victim logs in, which is not the case here.