ECCouncil 312-50v13 - Certified Ethical Hacker Exam (CEHv13)

CSRF occurs when a vulnerable application processes unauthorized state-changing requests because it does not verify whether the request was intentionally initiated by the authenticated user. CEH v13 explains that exploitation involves tricking a logged-in user into unknowingly executing a crafted HTTP request—usually via a malicious webpage, hidden form submission, embedded image tag, or JavaScript trigger. When the victim visits the attacker-controlled page, the browser automatically includes the user’s active session cookies, allowing the server to treat the forged request as legitimate. This technique is central to CSRF attacks and is highlighted in the CEH curriculum as the correct exploitation path. Directory traversal, SQL injection, and brute-force attacks target different vulnerabilities and do not exploit missing request authenticity validation. The key requirement for CSRF exploitation is user interaction via a malicious external resource, making option B the correct CEH-aligned method.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 describes Firewalking as a reconnaissance technique designed to determine which layer-4 protocols and ports a firewall allows. The attacker sends packets with carefully adjusted TTL values so that the packet expires just beyond the firewall. If the next hop generates ICMP Time Exceeded responses, the attacker can infer which ports the firewall permits. This method mimics normal TTL behavior, making it stealthier than full SYN scans or high-noise probing. Firewalking is expressly highlighted in CEH as a low-profile way to map firewall ACLs without triggering alarms. Broadcast pings are noisy and detectable, passive DNS monitoring does not reveal firewall rule sets, and full SYN scans are easily flagged by IDS systems. Firewalking’s reliance on TTL behavior, combined with protocol-specific probes, makes it the correct and CEH-aligned technique for quietly discovering open ports and firewall filtering rules.

Outdated server software often contains memory corruption flaws. CEH notes that buffer overflow exploits are a primary method for compromising vulnerable server binaries, allowing remote code execution. This approach targets the underlying service rather than application-layer input validation issues.

This scenario matches a session fixation attack because Michael sets up a valid session identifier with the application first, then forces the victim to authenticate while using that same pre-established session. In CEH terms, session fixation occurs when an attacker “fixes” or plants a known session ID in the victim’s browser, typically via a crafted URL parameter, cookie setting through a subdomain, or a redirect that preserves a session token. If the application does not regenerate the session ID after login, the victim’s authentication becomes bound to the attacker-known session. The attacker can then reuse that same session ID to access the application as the victim, exactly as described when Michael “uses that session to access the portal” after the employee logs in.

The other options do not fit the mechanism. Session sniffing relies on capturing session tokens from network traffic, usually when encryption is missing or weak, but the question focuses on a link and a pre-initialized session rather than intercepting traffic. Session replay generally refers to capturing and replaying authentication exchanges or tokens, not pre-setting a session before the victim authenticates. “Session donation” is not the standard CEH label for this behavior and is not the best match to the described flow.

CEH-recommended mitigations include regenerating session IDs immediately after authentication and privilege changes, rejecting session IDs supplied in URLs, setting Secure and HttpOnly cookie flags, enforcing SameSite where appropriate, implementing short idle timeouts, and adding server-side controls to detect concurrent use or abnormal session binding changes.

According to the CEH System Hacking and Web Application Security modules, Man-in-the-Browser (MitB) attacks are among the most sophisticated and difficult session-hijacking techniques to detect. In MitB attacks, malware operates inside the victim’s browser, allowing attackers to intercept, modify, or inject transactions after authentication has occurred.

CEH documentation highlights that MitB attacks bypass:

Multi-factor authentication

Encrypted cookies

HTTPS/TLS protections

Because the malicious activity occurs at the browser level, security controls perceive transactions as legitimate.

Option B is correct.

Option A (XSS) is detectable via content security policies.

Option C is mitigated by regenerating session IDs.

Option D is ineffective against encrypted sessions.

CEH emphasizes MitB attacks as a critical threat to online banking systems.

CEH v13 outlines insertion attacks as IDS evasion methods in which attackers send packets deliberately crafted so that the IDS processes them differently from the target host. In an insertion attack, malformed packets appear legitimate to the IDS—allowing malicious traffic to blend with benign inspection results—while the end host rejects or modifies the packets due to incorrect checksums, invalid flags, or protocol inconsistencies. As a result, the IDS sees one set of reconstructed data, while the actual host processes a different version or nothing at all. CEH emphasizes that intrusion detection systems may not follow full TCP/IP stack validation, making them susceptible to deception by malformed or borderline-conformant packets. Polymorphic shellcode (Option B) changes payload signatures, not packet structure. Session splicing (Option C) splits payload across packets to evade pattern matching but does not rely on checksum manipulation. Fragmentation attacks (Option D) divide traffic into smaller fragments, not alter validity fields. The described behavior fits insertion attacks precisely.

The attack described is spear phishing because it is a targeted phishing attempt crafted for a specific individual using personal and organizational context. In CEH social engineering coverage, spear phishing differs from generic phishing by its customization: the attacker addresses the victim by name, references the victim’s job function, and tailors the message to create credibility and urgency. Here, the email is addressed specifically to Clara and mentions her role in the accounts team, which increases the likelihood she will trust the message and comply.

The message uses classic phishing psychological triggers emphasized in CEH materials: urgency and fear. By claiming a “critical system vulnerability” and threatening account suspension, the attacker pressures Clara to act quickly and ignore verification steps. The inclusion of a link to a login page that “resembles the company’s internal portal” indicates credential harvesting, where the attacker’s goal is to capture usernames and passwords or other authentication tokens. The subtle misspelling in the sender’s domain is a common indicator of lookalike or typosquatting domains used to mimic legitimate corporate email addresses and bypass casual inspection.

The other options do not match as well. Impersonation is a broader category, but spear phishing is the specific technique using an email lure with personalization. Quid pro quo involves offering a benefit or service in exchange for information, which is not present. Vishing is voice-based phishing via phone calls, not email. Recommended defenses in CEH guidance include verifying sender domains, using out-of-band confirmation with IT, enabling email security controls like SPF, DKIM, and DMARC, and enforcing phishing awareness training and MFA to reduce credential theft impact.

Remote File Inclusion occurs when an application allows external resources to be loaded from user-controlled input. CEH teaches that an attacker can supply a remote URL pointing to a malicious script (for example, a PHP shell). When the vulnerable application includes this external file, the attacker ' s code executes on the server. This can lead to full system compromise, remote command execution, or lateral movement.

CEH materials explain that modern web applications deploy multiple layers of security—HTTPS, secure cookies, HttpOnly flags, and strict session regeneration—to defend against standard hijacking methods such as token theft through XSS or fixation. When these protections are properly implemented, attackers must compromise the underlying trust relationship between the client and server to successfully intercept or manipulate session tokens. One of the most advanced techniques described in CEH is compromising a trusted certificate authority or injecting a forged certificate into the victim’s trust store. This enables the attacker to perform a transparent MITM attack despite HTTPS protections. Because the victim’s browser trusts the forged certificate, encrypted traffic—including session tokens—is exposed to the attacker without generating browser warnings or IDS alerts. Timing side-channel attacks are not considered session hijacking methods; XSS is mitigated by secure flags; and session fixation is ineffective when session regeneration occurs. Therefore, compromising a trusted certificate authority to enable an undetectable MITM attack is the most viable method.

In CEH v13, IDS effectiveness is closely tied to proper signature tuning and sensitivity thresholds. When IDS alerts are triggered by legitimate user behavior, the most common cause is overly sensitive configuration, resulting in false positives.

False positives occur when normal traffic patterns match intrusion signatures. CEH v13 emphasizes that IDS systems must be calibrated to the organization’s baseline traffic profile. Without tuning, IDS logs become noisy and reduce analyst effectiveness.

Firewall issues (Option A) and outdated IDS signatures (Option B) can cause missed detections, not excessive alerts. Users unintentionally triggering protocols (Option D) is not a root cause but a symptom of misconfiguration.

Thus, excessive IDS sensitivity is the correct explanation.

CEH v13 identifies AI-powered malware as an emerging advanced threat that adapts its execution based on environmental cues and user behavior. Unlike traditional polymorphic malware, AI-driven malware can dynamically decide when and how to execute actions to avoid detection.

The described traits—behavioral adaptation, idle-time exfiltration, encrypted communication—are hallmarks of AI-assisted malware.

Polymorphic viruses change signatures but do not adapt behavior intelligently. Rootkits focus on hiding presence. Worms propagate aggressively.

Therefore, Option A is correct.

Client-side controls, such as JavaScript validation and CAPTCHA enforcement, are explicitly described in CEH v13 as inherently untrustworthy, since they run on the user’s device. The most effective way to bypass them is by intercepting and modifying HTTP requests after client-side validation but before server-side processing.

Using a proxy tool (such as Burp Suite) allows the tester to manipulate parameters invisibly, without disabling JavaScript or injecting code that could raise alarms. This makes Option B the most stealthy and effective method.

Disabling JavaScript (Option A) is noisy and easily detected. Injecting JavaScript (Option C) may trigger client-side protections. Reverse-engineering encryption (Option D) is complex and unnecessary.

CEH v13 emphasizes proxy-based manipulation as the preferred technique for bypassing client-side security mechanisms. Therefore, Option B is correct.

The Certified Ethical Hacker (CEH) Cryptography module explains that one of the primary challenges in encryption is secure key distribution. Asymmetric encryption, also known as public-key cryptography, was specifically designed to address this issue.

In asymmetric encryption, each entity possesses a public key and a private key. The public key can be shared openly, allowing anyone to encrypt data securely, while only the corresponding private key can decrypt it. CEH documentation highlights that this model eliminates the need to transmit secret keys over insecure channels.

Option D is correct because asymmetric encryption enables secure key exchange without prior trust.

Option B (symmetric encryption) requires a shared secret key and suffers from key distribution challenges.

Option A refers to data-at-rest protection, not key exchange.

Option C provides integrity verification, not encryption.

CEH emphasizes that asymmetric encryption underpins secure protocols such as TLS and digital certificates.

CEH materials describe this attack pattern as Living-off-the-Land (LotL), where attackers abuse legitimate tools to avoid detection. Because these binaries are normally trusted, traditional antivirus solutions may not flag them.

CEH recommends file integrity monitoring (FIM), which tracks cryptographic hashes of sensitive executables and alerts administrators when unauthorized modifications occur.

Option D is correct.

Options A and B support resilience but do not detect tampering.

Option C alone is insufficient against LotL attacks.

CEH v13 identifies ARP spoofing/poisoning as a primary MitM technique in local networks. In such attacks, a single IP address maps to multiple MAC addresses, indicating ARP table manipulation.

This anomaly allows attackers to intercept traffic between victims and gateways. Increased traffic or DNS activity may occur but are not definitive indicators. Thus, IP-to-MAC inconsistencies are the most reliable confirmation of MitM activity.