nerdexam
EC-Council

312-50V10 · Question #512

Which of the following is the BEST approach to prevent Cross-site Scripting (XSS) flaws?

The correct answer is D. Validate and escape all information sent to a server.. Preventing XSS requires validating all user-supplied input and escaping output so that malicious scripts cannot be injected into and executed by a browser.

Hacking Web Applications

Question

Which of the following is the BEST approach to prevent Cross-site Scripting (XSS) flaws?

Options

  • AUse digital certificates to authenticate a server prior to sending data.
  • BVerify access right before allowing access to protected information and UI controls.
  • CVerify access right before allowing access to protected information and UI controls.
  • DValidate and escape all information sent to a server.

How the community answered

(18 responses)
  • A
    11% (2)
  • B
    6% (1)
  • C
    6% (1)
  • D
    78% (14)

Why each option

Preventing XSS requires validating all user-supplied input and escaping output so that malicious scripts cannot be injected into and executed by a browser.

AUse digital certificates to authenticate a server prior to sending data.

Digital certificates authenticate servers for encrypted transport (TLS/SSL) but do not prevent malicious scripts embedded in web page content from executing in the browser.

BVerify access right before allowing access to protected information and UI controls.

Verifying access rights before granting access to protected resources is an authorization control that prevents privilege escalation, not XSS injection.

CVerify access right before allowing access to protected information and UI controls.

This choice is identical to B and addresses authorization, not XSS prevention through input validation and output encoding.

DValidate and escape all information sent to a server.Correct

XSS attacks occur when untrusted data is sent to a browser without proper validation or escaping, allowing attackers to inject client-side scripts. Validating input to reject unexpected data and escaping all output before rendering it in the browser neutralizes this attack vector by ensuring user-controlled data is never interpreted as executable code. This is the primary defense recommended by OWASP for XSS prevention.

Concept tested: Cross-site scripting (XSS) prevention - input validation and escaping

Source: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

Topics

#XSS prevention#input validation#output encoding#web application security

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice