nerdexam
EC-Council

312-50V10 · Question #287

During a penetration test, a tester finds that the web application being analyzed is vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this vulnerabili

The correct answer is B. The session cookies do not have the HttpOnly flag set.. XSS can be used to steal session cookies via injected JavaScript, but only if the HttpOnly flag is absent, which would otherwise block script access to cookies.

Hacking Web Applications

Question

During a penetration test, a tester finds that the web application being analyzed is vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this vulnerability?

Options

  • AThe web application does not have the secure flag set.
  • BThe session cookies do not have the HttpOnly flag set.
  • CThe victim user should not have an endpoint security solution.
  • DThe victim's browser must have ActiveX technology enabled.

How the community answered

(25 responses)
  • A
    4% (1)
  • B
    80% (20)
  • C
    4% (1)
  • D
    12% (3)

Why each option

XSS can be used to steal session cookies via injected JavaScript, but only if the HttpOnly flag is absent, which would otherwise block script access to cookies.

AThe web application does not have the secure flag set.

The 'Secure' flag controls whether a cookie is sent only over HTTPS connections, not whether JavaScript can read it, so its absence does not directly enable XSS-based cookie theft.

BThe session cookies do not have the HttpOnly flag set.Correct

The HttpOnly flag instructs the browser to prevent JavaScript from accessing a cookie via document.cookie. Without this flag, a successful XSS payload can read the victim's session cookie and exfiltrate it to the attacker, enabling session hijacking. This is the primary exploitation path for cookie theft via XSS.

CThe victim user should not have an endpoint security solution.

Endpoint security solutions may detect or block malicious activity, but their absence is not a required condition to exploit an XSS vulnerability in a web application.

DThe victim's browser must have ActiveX technology enabled.

XSS exploits standard browser JavaScript execution and does not require ActiveX, which is a legacy Microsoft technology unrelated to cross-site scripting.

Concept tested: XSS exploitation via missing HttpOnly cookie flag

Source: https://owasp.org/www-community/HttpOnly

Topics

#XSS#HttpOnly flag#session cookies#cross-site scripting

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice