If a user closes a browser on a public computer without logging out, and an attacker later reuses the same browser session to impersonate the user, which vulnerability type best describes this exploitation?

Multiple Choice

Explanation:
The main idea here is session management and how long a user’s authenticated session remains valid. When a user logs in, a session is established and a session token (often stored in a cookie) is used to prove that the user is authenticated. If the user closes the browser on a public computer without logging out, that session can remain active on the server, and the token can remain in the browser. Later, someone who opens the same browser can reuse the session by sending the same session token, effectively impersonating the user. This demonstrates a timeout-related vulnerability: the window for misuse exists because the session was not immediately invalidated or terminated, so it can be reused before it times out or is explicitly expired.

The other options don’t fit this scenario. Session ID in URLs would involve the session token being exposed in the URL itself, which isn’t the issue here. I/O exploitation refers to exploiting input/output channels, not reusing a live session. Password exploitation concerns stealing or cracking passwords, not hijacking an existing session.

To mitigate this, terminate the session properly on logout, enforce short idle timeouts, and invalidate sessions promptly after inactivity or when the browser is closed on a shared device. Set the Secure and HttpOnly flags on session cookies, and require re-authentication for sensitive actions.
