101 · Question #407
Which is NOT an ASM protection method for cross site scripting?
The correct answer is C. Token injection. ASM uses signatures, URL character set limiting, and parameter character set limiting to protect against XSS. Token injection is a CSRF protection mechanism, not an XSS protection method.
Question
Which is NOT an ASM protection method for cross site scripting?
Options
- ASignatures
- BURl character set limiting
- CToken injection
- DParameter character set limiting
How the community answered
(54 responses)- A2% (1)
- B6% (3)
- C91% (49)
- D2% (1)
Why each option
ASM uses signatures, URL character set limiting, and parameter character set limiting to protect against XSS. Token injection is a CSRF protection mechanism, not an XSS protection method.
Signatures are a core ASM XSS protection method that match incoming requests against known XSS attack patterns to detect and block them.
URL character set limiting restricts which characters are permitted in URLs, preventing XSS payloads from being smuggled through URL parameters.
Token injection in ASM is a protection mechanism for Cross-Site Request Forgery (CSRF), not Cross-Site Scripting (XSS). It works by embedding unique tokens in web forms to validate request origin, which addresses CSRF threats rather than XSS injection attacks. Because it targets a different vulnerability class entirely, it is not categorized as an XSS protection method.
Parameter character set limiting enforces allowed character sets on request parameters, blocking XSS injection attempts embedded in form fields or query strings.
Concept tested: ASM cross-site scripting protection methods
Source: https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-asm-implementations/protecting-against-cross-site-scripting.html
Topics
Community Discussion
No community discussion yet for this question.