CEH v13 Domain 4.4 Practice Test 003

This practice test covers Domain 4 (Network and Perimeter Hacking) Subdomain 4 (Session Hijacking) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link

CEH v13 Domain 4.4 Practice Test 003

10 questions • 8 single-answer, 2 multi-select

Question 1

A penetration tester on a red team engagement intercepts HTTP traffic between a client and web application using Wireshark and captures a valid session cookie transmitted in cleartext over an unencrypted channel. The tester replaces their own browser's cookie with the captured value and gains full authenticated access to the target user's account without knowing the credentials. Which attack technique best describes this action?

A. Session Fixation B. Cookie Hijacking C. Cross-Site Request Forgery D. Clickjacking

Question 2

Clark is targeting a legacy industrial control network where a Telnet session is established between an engineering workstation and a SCADA server with no encryption or integrity protections. He passively monitors the TCP stream, calculates the next expected acknowledgment number based on captured packets, and injects a spoofed packet carrying that sequence number to insert malicious commands into the active session. What network-level technique is Clark performing?

A. ARP Cache Poisoning B. RST Hijacking C. TCP Session Hijacking D. UDP Flooding

Question 3

Jane discovers a reflected cross-site scripting vulnerability in the search field of a financial web application and crafts a malicious URL that executes a JavaScript payload in the victim's browser context. When a logged-in victim clicks the link, the script silently reads the document.cookie value and transmits it to Jane's remote collection server via an HTTP GET request. What session attack is Jane executing?

A. SQL Injection B. XSS-Based Session Hijacking C. Session Fixation D. HTTP Response Splitting

Question 4

Elijah compromises a target user's workstation by deploying browser malware that hooks into the browser's API layer, intercepts an online banking transfer after the user authenticates, and silently alters the recipient account and transfer amount before the request reaches the bank's server. The bank's server receives the request within a legitimately authenticated session, rendering server-side fraud detection controls ineffective. Which attack is Elijah performing?

A. Man-in-the-Middle B. SSL Stripping C. Man-in-the-Browser D. Session Splicing

Question 5

Select all that apply

An enterprise network security analyst reviewing IDS alerts finds evidence that an attacker successfully hijacked an established TCP session between two internal application servers and injected unauthorized commands into the data stream. The analyst determines that the attacker combined two distinct network-level techniques to accomplish the hijacking without triggering IP-based access controls. Which two techniques are characteristic of network-level TCP session hijacking? (Choose two)

A. IP Spoofing B. DNS Cache Poisoning C. Sequence Number Prediction D. ICMP Redirect Attack E. VLAN Hopping

Question 6

A security team auditing a web application discovers that the application assigns a session token to unauthenticated visitors and does not issue a new token upon successful login, retaining the same pre-authentication identifier throughout the session lifecycle. An attacker plants a known session token in a target user's browser via a crafted link and waits for the victim to log in, after which the attacker uses that same known token to access the authenticated account. What vulnerability class is being exploited?

A. Session Sidejacking B. Broken Access Control C. Session Fixation D. Cookie Poisoning

Question 7

A wireless network penetration tester uses a tool that passively sniffs HTTP traffic on open Wi-Fi networks, automatically extracts session cookies from captured packets, and presents a clickable list of active user sessions that can be hijacked with no technical expertise required. The tool was released in 2010 as a Firefox browser extension and dramatically raised public awareness of session sidejacking risks on unencrypted public networks. Which tool is being described?

A. Wireshark B. Ettercap C. Firesheep D. Hamster

Question 8

Select all that apply

Following a successful session hijacking penetration test that demonstrated both cookie theft in transit and session token reuse after re-authentication, an organization's web application security team must implement controls that directly address both attack vectors. The team has limited development resources and needs to prioritize the two most impactful session hijacking countermeasures. Which two controls most directly mitigate session hijacking? (Choose two)

A. Enforcing HTTPS with HSTS B. Disabling HTTP OPTIONS method C. Regenerating session tokens after login D. Implementing perimeter firewall ACLs E. Enabling verbose server-side error messages

Question 9

A cloud-based SaaS platform uses JSON Web Tokens for stateless session management, and a security researcher discovers that the application's token verification library trusts the 'alg' field within the JWT header without server-side validation. The researcher modifies a captured JWT by changing the 'alg' field value to 'none' and stripping the signature segment, then submits the altered token and gains administrative access because the server skips signature verification entirely. Which attack technique is being exploited?

A. JWT Algorithm Confusion B. OAuth Token Theft C. XML Signature Wrapping D. Padding Oracle Attack

Question 10

Kevin is assessing a web application that binds session tokens to the authenticated user's IP address as its only anti-hijacking control, and he positions himself on the same NAT segment as the victim so both share an identical external IP address. He intercepts the victim's session cookie via ARP poisoning, replays the token from his machine, and gains full access because the server's IP binding check passes for both hosts behind the same NAT. Which session security deficiency does this scenario illustrate?

A. Missing Secure Cookie Flag B. Insufficient Session Binding C. Weak Token Entropy D. Missing HttpOnly Flag

Related Posts

Leave a Comment Cancel Reply