312-50V10 · Question #697
This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes un-sanitized user-provided data. What is this attack?
The correct answer is A. Cross-site-scripting attack. Cross-site scripting (XSS) is the attack where a website reflects un-sanitized user input back to browsers, enabling malicious script execution in victims' sessions. It exploits a site's failure to validate or encode user-provided output.
Question
This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes un-sanitized user-provided data. What is this attack?
Options
- ACross-site-scripting attack
- BSQL Injection
- CURL Traversal attack
- DBuffer Overflow attack
How the community answered
(36 responses)- A94% (34)
- B3% (1)
- C3% (1)
Why each option
Cross-site scripting (XSS) is the attack where a website reflects un-sanitized user input back to browsers, enabling malicious script execution in victims' sessions. It exploits a site's failure to validate or encode user-provided output.
XSS occurs when a web application includes unvalidated, un-sanitized user-supplied data in its HTML output, allowing attackers to inject client-side scripts that execute in other users' browsers. The attack leverages the browser's trust in content served from the legitimate site, enabling session hijacking, credential theft, or malicious redirects. The key indicator in this question is 'un-sanitized user-provided data displayed by the site,' which is the precise definition of reflected XSS.
SQL Injection targets back-end database queries by injecting malicious SQL syntax, not client-side script execution through unsanitized web page content.
URL traversal (path traversal) attacks manipulate file paths in URLs to access unauthorized server-side files, which is unrelated to injecting scripts into displayed content.
Buffer overflow attacks exploit memory management flaws in compiled applications to overwrite memory, which is unrelated to web content rendering or user-supplied HTML output.
Concept tested: Cross-site scripting (XSS) via unsanitized user input
Source: https://owasp.org/www-community/attacks/xss/
Topics
Community Discussion
No community discussion yet for this question.