312-50V10 · Question #231
A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants t
The correct answer is A. Cross-site scripting vulnerability. Disallowing HTML input directly mitigates Cross-Site Scripting (XSS), where attackers inject malicious HTML or JavaScript into pages rendered by other users' browsers.
Question
A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application. What kind of Web application vulnerability likely exists in their software?
Options
- ACross-site scripting vulnerability
- BSession management vulnerability
- CSQL injection vulnerability
- DCross-site Request Forgery vulnerability
How the community answered
(23 responses)- A87% (20)
- C4% (1)
- D9% (2)
Why each option
Disallowing HTML input directly mitigates Cross-Site Scripting (XSS), where attackers inject malicious HTML or JavaScript into pages rendered by other users' browsers.
XSS vulnerabilities arise when an application accepts user-supplied HTML or JavaScript and outputs it to a browser without sanitization or encoding. An attacker can inject a script tag that executes in victims' browsers to steal session cookies or perform actions on their behalf. Blocking HTML input removes the primary injection vector for both stored and reflected XSS attacks.
Session management vulnerabilities involve improper issuance, storage, or expiration of session tokens - a problem unrelated to whether HTML is accepted as user input.
SQL injection involves inserting SQL syntax into database query parameters, not HTML markup, so disallowing HTML input does not address this class of vulnerability.
CSRF exploits the trust a server places in an authenticated browser session by forging requests; it is not enabled or mitigated by the acceptance of HTML in user input fields.
Concept tested: Cross-site scripting (XSS) input validation and prevention
Source: https://owasp.org/www-community/attacks/xss/
Topics
Community Discussion
No community discussion yet for this question.