You are concerned with session hijacking by a middle man replaying the session token stored in the HTTP cookie. Which of the following is the least effective control to mitigate the risk?
A. End-to-end encryption between the browser and the web server using TLS
B. Automatic log off if a session ends or expires
C. User data or input validation
D. Long and random Session ID

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. User data or input validation.

Session hijacking frequently happens through XSS (cross-site scripting) or sniffing. The question primarily focuses on sniffing by the middle man. Input validation prevents attackers submit malicious code to hijack users’ sessions through XSS.

• End-to-end encryption using TLS protects messages from sniffing attacks. It reduces the likelihood of session hijacking by a middle man.
• Automatic log off expires or invalidates the session cookie and reduces the impact if a session cookie is stolen and replayed.
• Long and random Session ID makes it more difficult for attackers to guess or spoof the session cookie, thus reduces the likelihood.

Reference

• WHAT IS SESSION HIJACKING AND HOW TO PREVENT IT?
• Session hijacking attacks: understanding and preventing them

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

• It is available on Amazon.
• Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.

您擔心中間人重播(replay)儲存在HTTP cookie中的會話令牌(session token)，從而造成會話劫持(session hijacking)。 以下哪項是最沒有效的緩解(mitigate)風險的控制措施？
A. 使用TLS來進行瀏覽器和Web服務器之間端到端的加密
B. 如果會話結束或過期，則自動登出
C. 使用者資料或輸入驗證
D. 較長且隨機的會話ID