nerdexam
EC-Council

312-50V10 · Question #7

What type of vulnerability/attack is it when the malicious person forces the user's browser to send an authenticated request to a server?

The correct answer is A. Cross-site request forgery. Cross-site request forgery (CSRF) tricks an authenticated user's browser into sending an unauthorized request to a server on the attacker's behalf. The server acts on the request because it carries the victim's valid session credentials.

Hacking Web Applications

Question

What type of vulnerability/attack is it when the malicious person forces the user's browser to send an authenticated request to a server?

Options

  • ACross-site request forgery
  • BCross-site scripting
  • CSession hijacking
  • DServer side request forgery

How the community answered

(63 responses)
  • A
    90% (57)
  • B
    5% (3)
  • C
    2% (1)
  • D
    3% (2)

Why each option

Cross-site request forgery (CSRF) tricks an authenticated user's browser into sending an unauthorized request to a server on the attacker's behalf. The server acts on the request because it carries the victim's valid session credentials.

ACross-site request forgeryCorrect

In a CSRF attack, the attacker crafts a malicious request (such as a hidden form or image tag) that the victim's browser automatically sends to a target site where the victim is already authenticated. Because the browser attaches session cookies automatically, the server cannot distinguish the forged request from a legitimate one, allowing the attacker to perform actions as the victim without stealing credentials.

BCross-site scripting

Cross-site scripting (XSS) involves injecting malicious scripts into web pages that execute in other users' browsers, targeting the client side - it does not force the browser to send authenticated requests to a server.

CSession hijacking

Session hijacking involves stealing or intercepting an active session token so the attacker can impersonate the user directly, rather than forcing the victim's own browser to send the request.

DServer side request forgery

Server-side request forgery (SSRF) causes the server itself to make requests to internal or external resources on the attacker's behalf, not the user's browser.

Concept tested: Cross-site request forgery (CSRF) attack mechanism

Source: https://owasp.org/www-community/attacks/csrf

Topics

#CSRF#authenticated request forgery#browser exploitation#web application attacks

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice