Effective CISSP Questions

You are concerned with session hijacking by a middle man replaying the session token stored in the HTTP cookie. Which of the following is the least effective control to mitigate the risk?
A. End-to-end encryption between the browser and the web server using TLS
B. Automatic log off if a session ends or expires
C. User data or input validation
D. Long and random Session ID

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. User data or input validation.

Session hijacking frequently happens through XSS (cross-site scripting) or sniffing. The question primarily focuses on sniffing by a middle man. Input validation prevents attackers from submitting malicious code that could hijack users’ sessions through XSS, but it does nothing against a middle man who has already captured the cookie and replays it.

  • End-to-end encryption using TLS protects messages from sniffing attacks. It reduces the likelihood of session hijacking by a middle man.
  • Automatic log off expires or invalidates the session cookie and reduces the impact if a session cookie is stolen and replayed.
  • A long and random Session ID makes it more difficult for attackers to guess or spoof the session cookie, thus reducing the likelihood.
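To make controls B and D concrete, here is an added example (not code from the original post) of a minimal server-side session store: session IDs are generated from a cryptographic random source, sessions are invalidated on log off and after an idle timeout, and the cookie is issued with the Secure flag so it travels only over TLS (control A). The `replay_scenarios` function shows that a captured token stops working once the session has ended or expired. The timeout value, cookie name and the injectable clock are assumptions made for this example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_ID_BYTES = 32            # 256 bits of entropy (assumed policy value)
IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed idle timeout for control B
COOKIE_NAME = "SESSIONID"        # assumed cookie name


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table; the clock is injectable so expiry can be exercised offline."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    def create(self, user: str) -> str:
        # Control D: a long, unpredictable ID drawn from the OS CSPRNG (not from random.random()).
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid: str) -> Optional[str]:
        """Return the user bound to `sid`, or None if the token is unknown or expired."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
            # Control B: an expired session is removed, so a replayed token is rejected.
            del self._sessions[sid]
            return None
        session.last_seen = now
        return session.user

    def logout(self, sid: str) -> None:
        # Control B: explicit log off invalidates the server-side session immediately.
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    # Secure: sent only over TLS (control A); HttpOnly: not readable by script (limits XSS theft).
    return f"{COOKIE_NAME}={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


def clear_cookie_header() -> str:
    # Sent on log off so the browser also discards the cookie.
    return f"{COOKIE_NAME}=; Max-Age=0; Secure; HttpOnly; SameSite=Strict; Path=/"


def replay_scenarios() -> Dict[str, Optional[str]]:
    """Constructed walkthrough: what a replayed token yields in each state."""
    fake_now = [1_000.0]
    store = SessionStore(clock=lambda: fake_now[0])
    results: Dict[str, Optional[str]] = {}

    sid = store.create("alice")
    captured = sid                       # token as a middle man would have captured it
    results["fresh"] = store.validate(captured)

    store.logout(sid)
    results["after_logout"] = store.validate(captured)

    sid2 = store.create("alice")
    fake_now[0] += IDLE_TIMEOUT_SECONDS + 1
    results["after_idle_timeout"] = store.validate(sid2)

    results["unknown_token"] = store.validate(secrets.token_urlsafe(SESSION_ID_BYTES))
    return results


if __name__ == "__main__":
    for scenario, user in replay_scenarios().items():
        print(f"{scenario:20s} -> {'accepted as ' + user if user else 'rejected'}")
    print(set_cookie_header(SessionStore().create("demo")))
```

Note that nothing here stops a middle man from replaying a still-valid token inside the idle window; that is exactly the gap TLS (control A) closes by keeping the cookie off the wire in clear text, which is why the server-side controls reduce impact while encryption reduces likelihood.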



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

You are concerned that a man in the middle replays the session token stored in the HTTP cookie, causing session hijacking. Which of the following is the least effective control to mitigate the risk?
A. End-to-end encryption between the browser and the web server using TLS
B. Automatic log off if a session ends or expires
C. User data or input validation
D. Long and random Session ID

CISSP Practice Questions – 20210212