ECCouncil Updated 312-50v13 Exam Questions and Answers by demi

CEH v13 describes Agent Smith–style attacks as malicious Android operations where an app silently replaces legitimate applications by exploiting weaknesses in the Android app update and installation processes. These attacks often begin when users download seemingly innocent apps from untrusted third-party marketplaces. Once installed, the malicious application injects harmful code into other apps, overwriting them while preserving their icons and interface, allowing the attacker to harvest credentials, display ads, or maintain persistence without detection. CEH explains that this technique takes advantage of Android’s APK structure, sideloading vulnerabilities, and lack of signature validation in compromised environments. Simjacker (Option A) targets SIM toolkit vulnerabilities and does not replace apps. Man-in-the-Disk (Option B) abuses external storage operations but does not overwrite applications. Camfecting (Option D) refers to hijacking smartphone cameras. The described malicious replacement of legitimate apps exactly matches the Agent Smith attack pattern.

In CEH v13 Cloud Computing, serverless architectures introduce unique security challenges, particularly around Function-as-a-Service (FaaS) permissions. When a serverless function is compromised through an insecure third-party API, the damage depends largely on what the function is allowed to do.

Implementing function-level permission models and enforcing the principle of least privilege ensures that even if a function is exploited, its ability to execute malicious actions is strictly limited. CEH v13 strongly emphasizes granular IAM controls in serverless environments.

While cloud-native security platforms (Option A) and CASBs (Option C) provide visibility and governance, they do not directly prevent excessive permissions. Regular patching (Option D) is important but does not mitigate permission abuse.

CEH v13 identifies least privilege as the single most critical control in preventing serverless abuse and privilege escalation. Therefore, Option B is the correct answer.

CEH v13 identifies Man-in-the-Browser (MitB) attacks as one of the most dangerous and difficult-to-detect session hijacking techniques, especially in online banking environments. In MitB attacks, malware operates inside the user’s browser, intercepting and manipulating transactions in real time.

Unlike XSS or session fixation attacks, MitB bypasses server-side security controls entirely. Even strong encryption, multi-factor authentication, and secure cookies are ineffective because the attack occurs after authentication, within a trusted session.

Passive sniffing is limited by encryption, and session fixation relies on poor session management. Covert XSS requires injection points and is more easily mitigated.

CEH v13 emphasizes that MitB attacks can modify transaction details without user awareness, making detection extremely difficult. Therefore, Option B is correct.

The correct answer is C. Regenerate the session ID after a successful login to prevent session fixation attacks because the weakness described is the textbook condition for session fixation. In session fixation, an attacker sets or predicts a victim’s session identifier before the victim authenticates (for example, by sending a crafted link containing a session ID, forcing a known token into the victim’s browser via a URL parameter, or leveraging an application behavior that creates a session for unauthenticated users). If the application fails to issue a new session identifier after authentication, the attacker can reuse the already-known session ID once the victim logs in, effectively taking over the authenticated session.

The scenario explicitly states that “the same authentication token assigned before login continues to be valid without being refreshed,” and that the attacker could “trick a victim into authenticating with a value already known to the attacker.” Those statements describe session fixation precisely: authentication is “bound” to a pre-existing session identifier rather than a newly generated post-login token. The most direct and widely recommended mitigation is to invalidate the old session and regenerate a fresh session ID immediately after successful authentication (and also after privilege changes such as elevating to an admin role). This breaks the attacker’s knowledge advantage, because even if they forced a pre-login session ID, it becomes useless after login.

Why the other options are less correct: A (SSL/TLS) protects confidentiality and integrity in transit but does not prevent an attacker from fixing a session ID if they can set it through other means. B (restrictive cache directives) helps prevent sensitive pages from being stored in caches but does not address session ID reuse. D can reduce exposure by limiting pre-auth sessions, but many applications legitimately require them (shopping carts, CSRF tokens), and it is not as direct or complete as regenerating the session identifier at authentication boundaries.

Therefore, the correct countermeasure is to regenerate the session ID after login.