CEH v13 312-50v13 ECCouncil Study Notes

In CEH’s web application and mobile security modules, improper session management is defined as a failure to enforce session expiration, token invalidation, or secure session lifecycle controls. When an application does not invalidate a session token after logout, attackers can exploit this by performing a replay attack: reusing previously captured session identifiers to impersonate the user and gain unauthorized access. CEH teaches that replaying a live token is the simplest and most direct exploitation method because it does not require guessing or stealing new tokens—the attacker simply reuses a valid one that should have been invalidated. CSRF relies on exploiting a user’s active session and is not required when the attacker already possesses a reusable token. Brute-forcing session tokens is computationally expensive and unnecessary. SQL injection is unrelated to session lifecycle flaws unless token storage is directly exposed. Therefore, a replay attack is the correct exploitation method.

CEH describes SQL injection testing as a core part of web application assessment. One of the first and safest validation techniques is using a tautology-based SQL injection payload, such as ' OR '1'='1. If the application concatenates user input directly into SQL queries, such an input will cause the query to always evaluate as true, often returning additional records such as multiple user profiles. This confirms the presence of SQL injection without causing destructive effects like dropping tables. Testing XSS does not validate SQL injection, brute-forcing credentials is unrelated, and directory traversal attacks target file path manipulation rather than backend queries. CEH emphasizes avoiding destructive queries and starting with non-intrusive injection payloads that reveal improper input sanitization, making ' OR '1'='1 the correct technique for confirming SQL injection vulnerabilities in URL parameters.

According to CEH v13 Module 03: Scanning Networks, when using Nmap for service enumeration and fingerprinting, the flag to determine service version and type information is:

-sV — Version Detection Scan

nmap -sV instructs Nmap to actively connect to open ports and probe the services running on those ports. This technique helps identify:

The service name (e.g., Apache, Nginx, etc.)

The version number (e.g., Apache 2.4.54)

The OS or device details (when possible)

This is especially useful when ports like 80 (HTTP) and 443 (HTTPS) are open, as it helps determine which web server is running (e.g., Apache, IIS, Nginx) and its version — which is critical for vulnerability assessment.

Why Other Options Are Incorrect:

A. -sv

❌ Incorrect syntax. Nmap flags are case-sensitive and this is a typo. Correct flag is -sV.

B. -Pn

Skips host discovery (ping scan). It does not provide service version info.

C. -V

Displays Nmap’s version, not the service version on the target.

D. -ss

Incorrect spelling. You may have meant -sS (TCP SYN scan), which is for port scanning, not version detection.

Correct Option is A, assuming the intent is to write the correct syntax as -sV. However, strictly speaking, if this is a case-sensitive exam, and the listed option is -sv (lowercase 'v'), it would be invalid. But based on CEH exam context where minor casing issues are accepted if conceptually correct, A is the best answer.

Reference from CEH v13 Study Guide and Courseware:

Module 03 – Scanning Networks, Section: Nmap Scan Types and Options

EC-Council iLabs: Performing Version Detection Using nmap -sV

Nmap Official Docs (Referenced in CEH):

-h | findstr " -sV" -sV: Probe open ports to determine service/version info

A covert channel is a communication method used to transfer information in a way that violates security policy, often by repurposing legitimate protocols or functions for unauthorized communication.

From CEH v13 Official Courseware:

Module 6: Malware Threats

Topic: Covert Communication and Data Exfiltration Techniques

CEH v13 Study Guide states:

“A covert channel exploits unintended uses of legitimate communication protocols. It allows data to be transmitted without detection by hiding the communication inside seemingly benign traffic.”

Incorrect Options:

A: A non-standard port may aid in hiding services, but doesn’t constitute a covert channel.

C: Multiplexing is a normal communication mechanism.

D: WEP is insecure, but this isn’t related to covert channels.