Certified Ethical Hacker (CEH v13) — Question 11

Boney, a professional hacker, targets an organization for financial benefits. He performs an attack by sending his session ID using an MITM attack technique. Boney first obtains a valid session ID by logging into a service and later feeds the same session ID to the target employee. The session ID links the target employee to Boney’s account page without disclosing any information to the victim. When the target employee clicks on the link, all the sensitive payment details entered in a form are linked to Boney’s account.
What is the attack performed by Boney in the above scenario?

Answer options

• A. Forbidden attack
• B. CRIME attack
• C. Session donation attack
• D. Session fixation attack

Correct answer: C

Explanation

The correct answer is 'Session donation attack' because in this scenario, Boney uses his session ID to impersonate the target employee without their knowledge. The other options do not accurately describe the method of exploiting session IDs in this context, as 'Forbidden attack' and 'CRIME attack' refer to different types of vulnerabilities, while 'Session fixation attack' involves a different technique of forcing a user to use a predetermined session ID.