312-50V10 · Question #329
A security analyst in an insurance company is assigned to test a new web application that will be used by clients to help them choose and apply for an insurance plan. The analyst discovers that the ap
The correct answer is C. Cross-site scripting. Injecting a client-side script tag into a web form input field that then executes in the browser is a textbook cross-site scripting (XSS) vulnerability.
Question
A security analyst in an insurance company is assigned to test a new web application that will be used by clients to help them choose and apply for an insurance plan. The analyst discovers that the application is developed in ASP scripting language and it uses MSSQL as a database backend. The analyst locates the application's search form and introduces the following code in the search input field:
IMG SRC=vbscript:msgbox("Vulnerable");> originalAttribute="SRC" originalPath="vbscript:msgbox ("Vulnerable");>" When the analyst submits the form, the browser returns a pop-up window that says "Vulnerable". Which web applications vulnerability did the analyst discover?
Options
- ACross-site request forgery
- BCommand injection
- CCross-site scripting
- DSQL injection
How the community answered
(30 responses)- A10% (3)
- B3% (1)
- C83% (25)
- D3% (1)
Why each option
Injecting a client-side script tag into a web form input field that then executes in the browser is a textbook cross-site scripting (XSS) vulnerability.
Cross-site request forgery (CSRF) tricks an authenticated user's browser into sending unintended requests to a trusted site - it does not involve injecting scripts into input fields.
Command injection targets server-side operating system commands via vulnerable application calls, not client-side browser script execution triggered by rendered HTML.
The analyst injected a VBScript-bearing IMG tag into the search input, and the application reflected it back to the browser without sanitization, causing the script to execute and display a pop-up. This is reflected XSS - unsanitized user input is echoed into the page response and interpreted as executable code by the browser. The ASP/MSSQL stack has no bearing on the client-side script injection mechanism itself.
SQL injection manipulates the backend database query through input fields - the payload here contains no SQL syntax and the vulnerability manifests in the browser, not the database.
Concept tested: Cross-site scripting (XSS) identification via script injection
Source: https://owasp.org/www-community/attacks/xss/
Topics
Community Discussion
No community discussion yet for this question.