312-50v11 Exam Questions

312-50v11 Exam - Question 188


Boney, a professional hacker, targets an organization for financial benefits. He performs an attack by sending his session ID using an MITM attack technique.

Boney first obtains a valid session ID by logging into a service and later feeds the same session ID to the target employee. The session ID links the target employee to Boney's account page without disclosing any information to the victim. When the target employee clicks on the link, all the sensitive payment details entered in a form are linked to Boney's account.

What is the attack performed by Boney in the above scenario?

Correct Answer: C

In this scenario, the attacker obtains a valid session ID by logging into a service and then feeds the same session ID to the target employee. This session ID links the target employee to the attacker's account page without disclosing any information to the victim. When the target employee enters sensitive payment details, they are linked to the attacker's account. This method is known as a session donation attack: the attacker 'donates' their own, already authenticated session ID to the victim, so the victim's actions are recorded in the attacker's session. The point that separates it from session fixation is the direction of the takeover: in fixation the attacker plants a session ID that the victim then authenticates, handing the attacker the victim's account; in donation the victim acts inside the attacker's authenticated session, so the victim's input lands in the attacker's account.
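To make that distinction concrete, the following is an added example in Python; it is not from the exam, the EC-Council course or any product. It models a server-side session table with two switchable controls (honouring a session ID carried in a link, and rotating the session ID on login) and runs both a session donation flow and a session fixation flow against every combination, so the reader can see which control stops which attack. The app name ToyApp, the users "boney" and "alice", the shop URL in the comment and the card number are all constructed for the illustration.

```python
"""Session donation vs session fixation against a toy session store.

Added illustration only: ToyApp, the users 'boney' and 'alice' and the card
number are constructed for this example, not taken from any real product.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: Optional[str] = None                 # None until someone authenticates
    payments: List[str] = field(default_factory=list)


class ToyApp:
    """Minimal web app with a server-side session table and two switches.

    accept_sid_from_url: honour a ?sid=... parameter carried in a link.
    rotate_on_login:     issue a fresh SID when a user authenticates.
    """

    def __init__(self, accept_sid_from_url: bool, rotate_on_login: bool) -> None:
        self.accept_sid_from_url = accept_sid_from_url
        self.rotate_on_login = rotate_on_login
        self.sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session()
        return sid

    def resolve(self, cookie_sid: Optional[str], url_sid: Optional[str]) -> str:
        """Decide which SID a request runs under; weak apps trust the URL."""
        if self.accept_sid_from_url and url_sid in self.sessions:
            return url_sid
        if cookie_sid in self.sessions:
            return cookie_sid
        return self.new_session()

    def login(self, sid: str, user: str) -> str:
        """Authenticate `user`; with rotation the pre-login SID is destroyed."""
        if self.rotate_on_login:
            self.sessions.pop(sid, None)
            sid = self.new_session()
        self.sessions[sid].user = user
        return sid

    def submit_payment(self, sid: str, card: str) -> str:
        """Store a card number and return the account it was attached to."""
        sess = self.sessions[sid]
        if sess.user is None:
            raise PermissionError("login required")
        sess.payments.append(card)
        return sess.user


def session_donation(app: ToyApp) -> Optional[str]:
    """Attacker authenticates first and hands the victim a link carrying that SID.

    Returns the account the victim's card number landed in (None = attack failed).
    """
    attacker_sid = app.login(app.new_session(), "boney")     # attacker's own account
    # Victim has no cookie for this site and clicks https://shop.example/pay?sid=<attacker_sid>
    victim_sid = app.resolve(cookie_sid=None, url_sid=attacker_sid)
    try:
        return app.submit_payment(victim_sid, "4111 1111 1111 1111")  # constructed test number
    except PermissionError:
        return None


def session_fixation(app: ToyApp) -> Optional[str]:
    """Attacker only fetches an anonymous SID, plants it via a link, and waits.

    Returns the account the attacker can reach afterwards (None = attack failed).
    """
    planted_sid = app.new_session()                          # no attacker login at all
    victim_sid = app.resolve(cookie_sid=None, url_sid=planted_sid)
    app.login(victim_sid, "alice")                           # victim authenticates
    sess = app.sessions.get(planted_sid)
    return sess.user if sess else None


def run_matrix() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """(donation result, fixation result) for each combination of controls."""
    configs = {
        "vulnerable":      dict(accept_sid_from_url=True,  rotate_on_login=False),
        "rotate_only":     dict(accept_sid_from_url=True,  rotate_on_login=True),
        "no_url_sid_only": dict(accept_sid_from_url=False, rotate_on_login=False),
        "hardened":        dict(accept_sid_from_url=False, rotate_on_login=True),
    }
    return {name: (session_donation(ToyApp(**kw)), session_fixation(ToyApp(**kw)))
            for name, kw in configs.items()}


if __name__ == "__main__":
    for name, (donation, fixation) in run_matrix().items():
        print(f"{name:16} donation -> {donation!r:8} fixation -> {fixation!r}")
```

Running the matrix shows the two attacks need different controls: rotating the session ID on login kills fixation (the planted, pre-login ID no longer exists when the attacker comes back) but does nothing against donation, because the attacker donates an ID that was issued after their own login. Refusing to take a session ID from the URL stops the link vector for both. The cookie-planting vectors the comments below mention (cross-site cooking, an MITM injecting a Set-Cookie) are outside this toy model and call for cookie hardening such as the Secure attribute, the __Host- prefix and HSTS, plus re-authentication before a payment form is accepted.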

Discussion

41 comments
Scryptic
Sep 2, 2022

This is from the EC-Council Course, Module 11, Page 1414: In a session donation attack, the attacker donates their own session ID to the target user. In this attack, the attacker first obtains a valid session ID by logging into a service and later feeds the same session ID to the target user. This session ID links a target user to the attacker’s account page without disclosing any information to the victim. When the target user clicks on the link and enters the details (username, password, payment details, etc.) in a form, the entered details are linked to the attacker’s account. To initiate this attack, the attacker can send their session ID using techniques such as cross-site cooking, an MITM attack, and session fixation. A session donation attack involves the following steps.

uday1985
May 25, 2023

So it's a case of what EC-Council feels like naming it? Everywhere else it's fixation, only at EC it's donation!

josevirtual
Dec 29, 2023

Not exactly. As I understand it, with session fixation the attacker gets the possibility of logging into the victim's account using the session ID that he/she provided to the user. Whereas with session donation, the victim will use a link to the attacker's account to introduce financial data, but in this case the account was created by the attacker. https://skanyi.github.io/blog/cyber-security/what-is-session-hijacking-and-how-to-prevent-it/ https://pwnlab.me/en-session-security/

[Removed]
May 25, 2022

This is a session donation attack. In session donation, the attacker logs into a service, removes their account credentials, and then sends the valid session ID to the victim. In a session fixation attack, the attacker makes a connection to the server to obtain a valid SID but they do not have to log in.

eth65535
Jun 20, 2022

The right one is the donation attack

sks1
Jul 13, 2022

It's definitely Session Donation (C), as the attacker is sending his own session ID and not just any valid session ID, which is a requirement of session fixation.

Kamal_SriLanka
Jul 22, 2022

The answer is correct

Silascarter (Option: D)
Nov 18, 2022

In a session donation attack, the attacker donates their own session ID to the target user. In this attack, the attacker first obtains a valid session ID by logging into a service and later feeds the same session ID to the target user. This session ID links a target user to the attacker’s account page without disclosing any information to the victim. When the target user clicks on the link and enters the details (username, password, payment details, etc.)

americaman80
Apr 15, 2022

D is the correct answer. Source: https://skanyi.github.io/blog/cyber-security/what-is-session-hijacking-and-how-to-prevent-it/

cerzocuspi
Apr 18, 2022

Absolutely session donation attack. In a session donation attack, the attacker donates their own session ID to the target user. In this attack, the attacker first obtains a valid session ID by logging into a service and later feeds the same session ID to the target user. This session ID links a target user to the attacker’s account page without disclosing any information to the victim. When the target user clicks on the link and enters the details (username, password, payment details, etc.) in a form, the entered details are linked to the attacker’s account.

willian_H
Jul 8, 2022

"Boney first obtains a valid session ID by logging into a service", say, using Boney's ID, so the answer is "donation".

chacha543
Sep 22, 2022

https://owasp.org/www-community/attacks/Session_fixation# Example 1

KHoward (Option: C)
Dec 24, 2022

C. Module 11 page 1414

blackhat (Option: C)
Feb 25, 2023

In session donation, the attacker obtains a valid session ID by logging in and feeds the same session ID later.

Daniel8660 (Option: C)
Oct 16, 2023

Application Level Session Hijacking - Session Donation Attack: An attacker donates his/her own session identifier (SID) to the target user. The attacker first obtains a valid SID by logging into a service and later feeds the same SID to the target user. This SID links a target user back to the attacker's account page without any information to the victim. When the target user clicks on the link and enters the details (username, password, payment details, etc.) in a form, the entered details are linked to the attacker's account. (P.1430/1414)

VOAKDO (Option: C)
Jan 23, 2024

C. Donation: ALWAYS uses MITM. Fixation: never, never, never... uses MITM.

Mento
Apr 25, 2022

Session Donation involves social engineering (SE) to make it possible. An attacker creates an account and sends an authenticated link to the victim, convincing the victim to provide more information about their account, but in reality it is not their account but the attacker's account. Users are used to being logged in on different sites, making it less suspicious when the user clicks a link where they are already authenticated. So it's D.

beowolf
Jun 26, 2022

The attacker fixed the user's session ID in advance instead of it being generated at the time of login, so Session fixation is the correct answer.

beowolf
Jun 26, 2022

Please ignore the above, the correct answer is session donation.

Khalid_Loudi
Nov 20, 2022

D. Session Fixation Attack is the correct answer; check module 11 page 1123, session donation is not added to the session hijacking ways.

AjaxFar
Dec 12, 2022

Compare the procedure involved in both and compare with question, then C is correct answer

LIBUNB
Nov 26, 2022

C is the correct answer Session donation attack

Novmejst
Dec 10, 2022

Module 11 - Page 1414 - Session Donation Attack - C ... When the target user clicks on the link and enters the details (username, password, payment details, etc.) in a form, the entered details are linked to the attacker’s account ...

Mikehedi
Jan 27, 2023

OWASP session fixation example: https://owasp.org/www-community/attacks/Session_fixation Example 1. The example below explains a simple form, the process of the attack, and the expected results. (1) The attacker has to establish a legitimate connection with the web server, which (2) issues a session ID, or the attacker can create a new session with the proposed session ID; then (3) the attacker has to send a link with the established session ID to the victim, who has to click on the link sent by the attacker to access the site; (4) the web server sees that a session was already established and a new one need not be created; (5) the victim provides their credentials to the web server; (6) knowing the session ID, the attacker can access the user's account.

cazzobsb (Option: C)
Apr 6, 2023

correct

BIOLorenz (Option: C)
Aug 1, 2023

Module 11 Page 1414 Session Hijacking Using Session Donation Attack In a session donation attack, the attacker donates their own session ID to the target user. In this attack, the attacker first obtains a valid session ID by logging into a service and later feeds the same session ID to the target user. This session ID links a target user to the attacker’s account page without disclosing any information to the victim. When the target user clicks on the link and enters the details (username, password, payment details, etc.) in a form, the entered details are linked to the attacker’s account. To initiate this attack, the attacker can send their session ID using techniques such as cross-site cooking, an MITM attack, and session fixation.

josevirtual (Option: C)
Dec 29, 2023

Session donation. The key is that the victim accesses the attacker's account and provides the financial data. With Session Fixation the attacker gets access to the user's account by fooling him/her into using a specific session ID.

Teesmd
Dec 31, 2023

D seems to be the answer according to CEH: Matt Walker All-in-One book. Page 261 gave the definition. In addition: Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. Session fixation scenario:
1. The attacker accesses the web application login page and receives a session ID generated by the web application.
2. The attacker uses an additional technique such as CRLF Injection, man-in-the-middle attack, social engineering, etc., and gets the victim to use the provided session identifier.
3. The victim accesses the web application login page and logs in to the application. After authenticating, the web application treats anyone who uses this session ID as if they were this user.
4. The attacker uses the session ID to access the web application, take over the user session, and impersonate the victim.

LIBUNB
Nov 10, 2022

Correct answer is C. Session donation attack

AjaxFar
Dec 12, 2022

C: session donation is the correct answer, after an attacker has logged in with his credentials and later donates it to the victim, unlike fixation where he fixes it ahead of time for himself without involving his own credentials.

sis_net_sec
Jan 4, 2023

C is the correct answer

egz21 (Option: C)
Jan 15, 2023

In my opinion the correct answer is C!!

K3nz0420
Jan 29, 2023

Session donation is the correct answer. The attacker first obtains a valid session.

APOLLO1113 (Option: C)
Feb 2, 2023

Session Donation

alfteezy91 (Option: C)
Mar 22, 2023

Session Donation is Correct

jijin (Option: D)
May 23, 2023

Session fixation attack. Session Fixation is an attack that allows an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn't assign a new session ID, making it possible to use an existent session ID. The attack consists of getting a valid session ID (e.g. by connecting to the application), inducing a user to authenticate himself with that session ID, then hijacking the user-validated session by knowledge of the used session ID. The attacker has to provide a legitimate web application session ID and try to make the victim's browser use it.

eusoueu
Jul 14, 2023

The correct answer is session donation attack.

Fedrehopsu (Option: C)
Aug 19, 2023

Page number 1414 in Ec Council material

sn30 (Option: C)
Sep 17, 2023

Correct answer is C, session donation

asadeyemo
Jan 12, 2024

The attack is session donation: In session donation, the account is the attacker's account page; the attacker deceives the victim into providing his personal details as if he owns the account page. In session fixation: The attacker pre-determines the session ID of the victim, uses it to create a session and fixes it for the victim.

victorfs (Option: D)
May 8, 2024

The correct option is D: session fixation attack. Options A and C don't exist! Option B is about SSL/TLS, so it is not for this question.

Alvinjegan
Aug 6, 2024

Simple example of a Session Fixation attack: (1) The attacker has to establish a legitimate connection with the web server, which (2) issues a session ID, or the attacker can create a new session with the proposed session ID; then (3) the attacker has to send a link with the established session ID to the victim, who has to click on the link sent by the attacker to access the site; (4) the web server sees that a session was already established and a new one need not be created; (5) the victim provides their credentials to the web server; (6) knowing the session ID, the attacker can access the user's account.

ostorgaf (Option: C)
Sep 1, 2024

In a session donation attack, the attacker donates their own session ID to the target user. In this attack, the attacker first obtains a valid session ID by logging into a service and later feeds the same session ID to the target user. This session ID links a target user to the attacker’s account page without disclosing any information to the victim. When the target user clicks on the link and enters the details (username, password, payment details, etc.) in a form, the entered details are linked to the attacker’s account. To initiate this attack, the attacker can send their session ID using techniques such as cross-site cooking, an MITM attack, and session fixation.

MH2 (Option: C)
Sep 9, 2024

In a session donation attack, the attacker donates their own session ID to the target user. In this attack, the attacker first obtains a valid session ID by logging into a service and later feeds the same session ID to the target user. This session ID links a target user to the attacker’s account page without disclosing any information to the victim. When the target user clicks on the link and enters the details (username, password, payment details, etc.) in a form, the entered details are linked to the attacker’s account. To initiate this attack, the attacker can send their session ID using techniques such as cross-site cooking, an MITM attack, and session fixation. A session donation attack involves the following steps. CEH pg 920

BallCS (Option: D)
Jan 23, 2025

Key differences between Session Donation Attack and Session Fixation Attack:
Session Donation Attack:
- Attacker willingly shares their valid session with victims
- Often appears as legitimate sharing of access
- Usually requires victim's cooperation
- Common in scenarios where sharing access seems beneficial
Session Fixation Attack:
- Attacker forces a known session ID onto victim
- No willing participation from victim
- Works by pre-establishing session before victim logs in
- Attacker maintains control of session throughout attack
- More malicious and deceptive in nature
The key distinction is control and consent: donation involves willing sharing while fixation involves forced session manipulation.