Practice Test Question: Web Application Security

Preparing for your next security certification exam? After trying your hand at this practice test question, join the FREE CertMike Study Group for the CISSP, Security+, CySA+, or SSCP certification to receive new questions each week. You’ll also receive free access to my customized study strategies.
Tonya is developing a web application and is embedding a session ID in the application that is exchanged with each network communication. What type of attack is Tonya most likely trying to prevent?
A. Replay
B. Man-in-the-middle
C. Buffer overflow
D. SQL injection
Correct Answer: A.
Session tokens, or session IDs, are used to prevent an eavesdropper from stealing authentication credentials and reusing them in a different session, in what is known as a replay attack. The use of session IDs would not prevent an attacker from carrying out an application layer attack, such as a buffer overflow or injection. It also would not be effective against a man-in-the-middle attack, as the attacker could simply establish a secure session with the server and would, therefore, have access to the session ID.

1 Comment

  • Miriam (posted at 17:01h, 16 October)

    Good practice question. Thanks Mike!