nerdexam
EC-Council

312-50V10 · Question #231

A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants t

The correct answer is A. Cross-site scripting vulnerability. Disallowing HTML input directly mitigates Cross-Site Scripting (XSS), where attackers inject malicious HTML or JavaScript into pages rendered by other users' browsers.

Hacking Web Applications

Question

A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application. What kind of Web application vulnerability likely exists in their software?

Options

  • ACross-site scripting vulnerability
  • BSession management vulnerability
  • CSQL injection vulnerability
  • DCross-site Request Forgery vulnerability

How the community answered

(23 responses)
  • A
    87% (20)
  • C
    4% (1)
  • D
    9% (2)

Why each option

Disallowing HTML input directly mitigates Cross-Site Scripting (XSS), where attackers inject malicious HTML or JavaScript into pages rendered by other users' browsers.

ACross-site scripting vulnerabilityCorrect

XSS vulnerabilities arise when an application accepts user-supplied HTML or JavaScript and outputs it to a browser without sanitization or encoding. An attacker can inject a script tag that executes in victims' browsers to steal session cookies or perform actions on their behalf. Blocking HTML input removes the primary injection vector for both stored and reflected XSS attacks.

BSession management vulnerability

Session management vulnerabilities involve improper issuance, storage, or expiration of session tokens - a problem unrelated to whether HTML is accepted as user input.

CSQL injection vulnerability

SQL injection involves inserting SQL syntax into database query parameters, not HTML markup, so disallowing HTML input does not address this class of vulnerability.

DCross-site Request Forgery vulnerability

CSRF exploits the trust a server places in an authenticated browser session by forging requests; it is not enabled or mitigated by the acceptance of HTML in user input fields.

Concept tested: Cross-site scripting (XSS) input validation and prevention

Source: https://owasp.org/www-community/attacks/xss/

Topics

#XSS#cross-site scripting#input validation#HTML injection

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice