A penetration tester evaluates a company's secure web application, which uses HTTPS, secure cookie flags, and strict session management to prevent session hijacking. To bypass these protections and hijack a legitimate user's session without detection, which advanced technique should the tester employ?
Correct Answer: D
CEH materials explain that modern web applications deploy multiple layers of security (HTTPS, secure cookies, HttpOnly flags, and strict session regeneration) to defend against standard hijacking methods such as token theft through XSS or fixation. When these protections are properly implemented, attackers must compromise the underlying trust relationship between the client and server to successfully intercept or manipulate session tokens. One of the most advanced techniques described in CEH is compromising a trusted certificate authority or injecting a forged certificate into the victim's trust store. This enables the attacker to perform a transparent MITM attack despite HTTPS protections. Because the victim's browser trusts the forged certificate, encrypted traffic, including session tokens, is exposed to the attacker without generating browser warnings or IDS alerts. Timing side-channel attacks are not considered session hijacking methods; XSS is mitigated by secure flags; and session fixation is ineffective when session regeneration occurs. Therefore, compromising a trusted certificate authority to enable an undetectable MITM attack is the most viable method.
312-50v13 Exam Question 97
A security analyst is tasked with gathering detailed information about an organization's network infrastructure without making any direct contact that could be logged or trigger alarms. Which method should the analyst use to obtain this information covertly?
Correct Answer: A
Passive reconnaissance focuses on collecting intelligence without interacting with the target's systems. CEH materials emphasize reviewing publicly available information, including leaked documents, breach data, reports, or exposed metadata, as this yields internal network structure details while generating no detectable traffic. This method avoids triggering monitoring systems and aligns with stealth requirements for covert intelligence gathering.
312-50v13 Exam Question 98
While assessing a web server, a tester sends malformed HTTP requests and compares responses to identify the server type and version. What technique is being employed?
Correct Answer: A
CEH v13 explains that fingerprinting is a core reconnaissance technique used to identify software versions, server types, and configurations by analyzing how systems respond to crafted or abnormal input. When testers send malformed HTTP verbs, unusual headers, or atypical URI structures, the server's specific response codes, banners, and error messages reveal distinctive behavioral patterns. These patterns allow tools like httprint, Nmap NSE scripts, and custom probes to match the responses to known server profiles. This technique is part of active reconnaissance, enabling attackers to determine vulnerabilities associated with specific versions. Phishing (Option B) is unrelated to protocol analysis. Session fixation (Option C) manipulates session identifiers, not HTTP response patterns. Persistent XSS (Option D) relies on web application vulnerabilities, not server fingerprinting. Thus, the tester is performing HTTP-based server fingerprinting.
312-50v13 Exam Question 99
A payload causes a significant delay in response without visible output when testing an Oracle-backed application. What SQL injection technique is being used?
Correct Answer: A
This scenario precisely matches Time-Based Blind SQL Injection, a technique detailed in CEH v13 Web Application Hacking. When applications suppress error messages and sanitize outputs, attackers rely on response timing to infer whether injected SQL statements are executed. In time-based SQL injection, the attacker injects database-specific delay functions (such as WAITFOR DELAY, DBMS_LOCK.SLEEP, or SLEEP()). If the injected condition is true, the database pauses execution, causing a noticeable delay. The key indicators described, no visible output but increased response time, are classic signs of time-based SQL injection. CEH v13 explains that this method is particularly useful when:
* Errors are hidden
* UNION queries fail
* Output is not reflected
Union-based and out-of-band SQL injections require data exfiltration channels or visible outputs, which are absent here. "Heavy query-based" is not a formal CEH classification. Thus, Option A is the correct answer.
312-50v13 Exam Question 100
As an Ethical Hacker, you have been asked to test an application's vulnerability to SQL injection. During testing, you discover an entry field that appears susceptible. However, the backend database is unknown, and regular SQL injection techniques have failed to produce useful information. Which advanced SQL injection technique should you apply next?
Correct Answer: B
This scenario clearly describes the need for Time-Based Blind SQL Injection, an advanced SQL injection technique covered in the CEH v13 Web Application Hacking module. Blind SQL injection is used when an application does not return database errors or visible output, making traditional techniques ineffective. According to CEH v13, Time-Based Blind SQL Injection is particularly useful when:
* The backend database type is unknown
* Error messages are suppressed
* UNION queries fail
* No direct data is returned in responses
In this technique, attackers inject SQL statements that deliberately introduce time delays using database-specific functions such as SLEEP(), WAITFOR DELAY, or BENCHMARK(). The ethical hacker then observes the application's response time to determine whether the injected condition is true or false. For example:
' OR IF(1=1, SLEEP(5), 0) --
If the application response is delayed, it confirms that the injected SQL statement was executed successfully. CEH v13 categorizes this method as behavioral-based inference, where the attacker extracts information one bit at a time by analyzing timing differences. Other options are incorrect because:
* Content-Based Blind SQL Injection relies on visible differences in responses, which the question states are unavailable.
* Union-Based SQL Injection requires knowing column count and data types.
* Error-Based SQL Injection depends on database error messages being displayed.
CEH v13 emphasizes Time-Based Blind SQL Injection as a last-resort yet highly effective technique when dealing with hardened applications that suppress output, making it a frequent exam-tested concept.
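The defender's counterpart to Questions 99 and 100: the same timing signature the explanations describe (a delay primitive in the input plus an abnormally slow response) is what an analyst looks for in access logs. The Python below is an added example, not CEH material or code from this question set; the simplified log format (method, path, status, response time in milliseconds) and the log lines themselves are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic): method, path, status, response time in ms.
SAMPLE_LOG = """\
GET /item?id=42 200 118
GET /item?id=42%27%20OR%20IF(1%3D1%2C%20SLEEP(5)%2C%200)%20-- 200 5132
GET /item?id=42%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- 200 5087
GET /item?id=42%27%20AND%20DBMS_LOCK.SLEEP(5)%3D0-- 200 5210
GET /item?id=7 200 121
GET /search?q=sleep%20aids 200 130
"""

# Delay primitives named in the explanations above, plus PostgreSQL's pg_sleep. They are matched as
# function calls or as the T-SQL "WAITFOR DELAY" keyword, so a search term like "sleep aids" is not flagged.
DELAY_PATTERN = re.compile(
    r"\b(?:SLEEP|BENCHMARK|PG_SLEEP|DBMS_LOCK\.SLEEP)\s*\(|\bWAITFOR\s+DELAY\b",
    re.IGNORECASE,
)

LOG_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\d+)$")


def parse_log(text):
    """Parse the constructed log format into (method, decoded_path, status, ms) tuples."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            method, path, status, ms = m.groups()
            # URL-decode so percent-encoded payloads can be matched as plain text.
            entries.append((method, unquote_plus(path), int(status), int(ms)))
    return entries


def baseline_ms(entries):
    """Median response time of requests carrying no delay primitive: the site's normal latency."""
    clean = sorted(ms for _, path, _, ms in entries if not DELAY_PATTERN.search(path))
    return clean[len(clean) // 2] if clean else 0


def detect_time_based_sqli(text, slowdown_factor=10):
    """Return decoded paths that carry a delay primitive AND responded far slower than baseline.
    Requiring both conditions avoids alerting on harmless strings and on ordinary slow pages."""
    entries = parse_log(text)
    base = baseline_ms(entries)
    return [path for _, path, _, ms in entries
            if DELAY_PATTERN.search(path) and ms >= slowdown_factor * base]
```

On the constructed sample the baseline is 121 ms and exactly the three delayed injection attempts are returned; the "sleep aids" search is not.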