ECCouncil Updated 312-50v13 Exam Questions and Answers by alayah

The activity described is passive session hijacking because Sarah is only observing and capturing session-related information without altering, injecting, or disrupting the live client server communication. In CEH coverage of session hijacking, the key distinction is whether the attacker merely eavesdrops to obtain session identifiers or actively takes control of the session in real time. Passive hijacking focuses on sniffing traffic to collect authentication material such as session IDs, cookies, bearer tokens, or other credentials transmitted in cleartext or exposed through weak transport protections. The prompt explicitly says she “quietly collects session data” and does so “without interfering,” which is the hallmark of passive hijacking.

This is commonly feasible when applications use unencrypted HTTP, weak TLS configurations, or when tokens are exposed in ways that can be captured on the network. Once obtained, the attacker can replay or reuse the stolen token to impersonate the victim, which matches Sarah’s plan to later use the captured tokens to demonstrate risk in a controlled environment. CEH emphasizes that session tokens effectively become the user’s identity after authentication; if an attacker can steal them, they can often bypass login entirely.

Option B, active session hijacking, would involve manipulating the connection, injecting packets, desynchronizing the client, or taking over the session live. Option A, session fixation, involves forcing a victim to use a session ID chosen by the attacker, not sniffing. Option C, man-in-the-browser, requires malware within the browser to intercept or modify transactions, which is not described. Therefore, Passive Session Hijacking is correct.

The behavior described—manipulating request parameters so the application retrieves and exposes files from the server’s local directories—is characteristic of Local File Inclusion (LFI). LFI occurs when an application uses user-controllable input to construct a file path (often for templates, language files, includes, or uploads) and fails to properly validate or constrain it. An attacker can then supply values such as relative path traversal sequences to force the application to access unintended local resources, leading to disclosure of sensitive files (configuration files, credentials, keys, environment files) and sometimes further impact depending on context.

In the scenario, Sophia is testing a “template upload feature,” then “modifying the input parameters in an upload request” to “trick the application into retrieving sensitive files from the server’s local directories,” allowing her to view internal configuration files. That is a textbook LFI outcome: unauthorized read access to local files through a web interface, caused by improper input validation and insecure file path handling.

Why the other options are less accurate:

Insecure deserialization (A) involves unsafe processing of serialized objects, often leading to remote code execution; it is not about retrieving local files via path manipulation.

Cookie poisoning (B) is tampering with cookie values to escalate privileges or alter application behavior; it does not inherently explain local file retrieval.

File injection (C) is a broader term and can refer to multiple file-related abuses, but the specific pattern of including or reading local files via parameters is most precisely labeled Local File Inclusion.

Therefore, the correct answer is D. Local File Inclusion.

The CEH Web Application Security module explains that race conditions occur when systems improperly handle simultaneous requests, leading to unexpected behavior. In token-based authentication systems, poor synchronization between token expiration checks and validation logic can allow attackers to exploit timing gaps.

The observed pattern—failed attempts with expired tokens followed by successful access—suggests the attacker exploited a race condition where the application inconsistently validated token state.

Option C is correct.

Option A would not involve expired tokens.

Option B is highly impractical given secure token entropy.

Option D typically succeeds without repeated failures.

CEH highlights race conditions as subtle but dangerous logic flaws.

Tailgating, as defined in CEH v13 Social Engineering, is a physical social engineering attack where an unauthorized individual gains access by following an authorized person into a restricted area.

The attacker exploits human courtesy rather than technical vulnerabilities. Options B, C, and D describe phishing, pretexting, and baiting respectively.

Thus, option A is the correct representation of tailgating.