nerdexam
F5

101 · Question #162

A security audit has determined that your web application is vulnerable to a crosssite scripting attack. Which of the following measures are appropriate when building a security policy? (Choose 2)

The correct answer is B. Attack signature sets must be applied to any user input parameters. D. Parameter data entered for flowlevel parameters must allow some metacharacters but not others.. Mitigating XSS in BIG-IP ASM requires applying attack signature sets to user input parameters and restricting metacharacter usage in flow-level parameters.

Section 4: Security Basics

Question

A security audit has determined that your web application is vulnerable to a crosssite scripting attack. Which of the following measures are appropriate when building a security policy? (Choose 2)

Options

  • ACookie length must be restricted to 1024 bytes.
  • BAttack signature sets must be applied to any user input parameters.
  • CParameter data entered for explicit objects must be checked for minimum and maximum values.
  • DParameter data entered for flowlevel parameters must allow some metacharacters but not others.

How the community answered

(45 responses)
  • A
    13% (6)
  • B
    82% (37)
  • C
    4% (2)

Why each option

Mitigating XSS in BIG-IP ASM requires applying attack signature sets to user input parameters and restricting metacharacter usage in flow-level parameters.

ACookie length must be restricted to 1024 bytes.

Restricting cookie length to 1024 bytes addresses potential cookie-based overflow issues, not cross-site scripting vulnerabilities in user input.

BAttack signature sets must be applied to any user input parameters.Correct

Attack signature sets contain patterns that detect known XSS payloads within user-supplied input parameters, blocking script injection attempts before they reach the application. Applying these signatures to any user input parameter is a direct and standard ASM countermeasure against XSS.

CParameter data entered for explicit objects must be checked for minimum and maximum values.

Enforcing minimum and maximum value ranges on explicit parameters is an input validation technique against overflow or range-based attacks, not a targeted defense against XSS injection.

DParameter data entered for flowlevel parameters must allow some metacharacters but not others.Correct

Flow-level parameters that selectively allow or block metacharacters (such as angle brackets and quotation marks used in XSS payloads) prevent attackers from injecting script tags or event handlers through those parameters, directly reducing XSS exposure.

Concept tested: BIG-IP ASM security policy configuration to prevent XSS

Source: https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-application-security-manager-implementations/preventing-cross-site-scripting-xss-attacks.html

Topics

#cross-site scripting#XSS#attack signatures#parameter metacharacters

Community Discussion

No community discussion yet for this question.

Full 101 Practice