nerdexam
EC-Council

312-50V10 · Question #373

While testing the company's web applications, a tester attempts to insert the following test script into the search area on the company's web site: <script>alert(" Testing Testing Testing ")</script>

The correct answer is D. Cross-site scripting. The successful execution of an injected JavaScript alert via a search field confirms a Cross-Site Scripting (XSS) vulnerability, where user-supplied input is rendered and executed as code in the browser.

Hacking Web Applications

Question

While testing the company's web applications, a tester attempts to insert the following test script into the search area on the company's web site:

<script>alert(" Testing Testing Testing ")</script> Afterwards, when the tester presses the search button, a pop-up box appears on the screen with the text:

"Testing Testing Testing". Which vulnerability has been detected in the web application?

Options

  • ABuffer overflow
  • BCross-site request forgery
  • CDistributed denial of service
  • DCross-site scripting

How the community answered

(28 responses)
  • A
    4% (1)
  • C
    7% (2)
  • D
    89% (25)

Why each option

The successful execution of an injected JavaScript alert via a search field confirms a Cross-Site Scripting (XSS) vulnerability, where user-supplied input is rendered and executed as code in the browser.

ABuffer overflow

A buffer overflow involves writing data beyond a memory buffer's boundary to corrupt adjacent memory or execute arbitrary code - it is not triggered by injecting HTML or JavaScript into a form field.

BCross-site request forgery

Cross-Site Request Forgery (CSRF) tricks an authenticated user's browser into submitting unintended requests to a trusted site; it does not involve injecting or executing scripts within the application itself.

CDistributed denial of service

A Distributed Denial of Service (DDoS) attack overwhelms a target with traffic from multiple sources to deny availability; injecting a script tag into a search box is unrelated to service disruption.

DCross-site scriptingCorrect

Cross-Site Scripting (XSS) occurs when a web application accepts untrusted input and includes it in output without proper encoding or sanitization, causing the browser to execute it as script. The injected `<script>alert(...)` tag being rendered and executed as a pop-up confirms the application does not sanitize or encode user input, making it vulnerable to reflected or stored XSS attacks that could steal session cookies or redirect users.

Concept tested: Cross-Site Scripting XSS reflected input execution

Source: https://owasp.org/www-community/attacks/xss/

Topics

#cross-site scripting#XSS#script injection#web application vulnerability

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice