312-50V10 · Question #373
While testing the company's web applications, a tester attempts to insert the following test script into the search area on the company's web site: <script>alert(" Testing Testing Testing ")</script>
The correct answer is D. Cross-site scripting. The successful execution of an injected JavaScript alert via a search field confirms a Cross-Site Scripting (XSS) vulnerability, where user-supplied input is rendered and executed as code in the browser.
Question
While testing the company's web applications, a tester attempts to insert the following test script into the search area on the company's web site:
<script>alert(" Testing Testing Testing ")</script> Afterwards, when the tester presses the search button, a pop-up box appears on the screen with the text:"Testing Testing Testing". Which vulnerability has been detected in the web application?
Options
- ABuffer overflow
- BCross-site request forgery
- CDistributed denial of service
- DCross-site scripting
How the community answered
(28 responses)- A4% (1)
- C7% (2)
- D89% (25)
Why each option
The successful execution of an injected JavaScript alert via a search field confirms a Cross-Site Scripting (XSS) vulnerability, where user-supplied input is rendered and executed as code in the browser.
A buffer overflow involves writing data beyond a memory buffer's boundary to corrupt adjacent memory or execute arbitrary code - it is not triggered by injecting HTML or JavaScript into a form field.
Cross-Site Request Forgery (CSRF) tricks an authenticated user's browser into submitting unintended requests to a trusted site; it does not involve injecting or executing scripts within the application itself.
A Distributed Denial of Service (DDoS) attack overwhelms a target with traffic from multiple sources to deny availability; injecting a script tag into a search box is unrelated to service disruption.
Cross-Site Scripting (XSS) occurs when a web application accepts untrusted input and includes it in output without proper encoding or sanitization, causing the browser to execute it as script. The injected `<script>alert(...)` tag being rendered and executed as a pop-up confirms the application does not sanitize or encode user input, making it vulnerable to reflected or stored XSS attacks that could steal session cookies or redirect users.
Concept tested: Cross-Site Scripting XSS reflected input execution
Source: https://owasp.org/www-community/attacks/xss/
Topics
Community Discussion
No community discussion yet for this question.