312-50V10 · Question #712
Which of the following is one of the most effective ways to prevent Cross-site Scripting (XSS) flaws in software applications?
The correct answer is C. Validate and escape all information sent to a server.. This question tests knowledge of the primary technical countermeasure for preventing Cross-Site Scripting (XSS) vulnerabilities in web applications.
Question
Which of the following is one of the most effective ways to prevent Cross-site Scripting (XSS) flaws in software applications?
Options
- AUse security policies and procedures to define and implement proper security settings.
- BUse digital certificates to authenticate a server prior to sending data.
- CValidate and escape all information sent to a server.
- DVerify acces right before allowing access to protected information and UI controls.
How the community answered
(21 responses)- A5% (1)
- B5% (1)
- C76% (16)
- D14% (3)
Why each option
This question tests knowledge of the primary technical countermeasure for preventing Cross-Site Scripting (XSS) vulnerabilities in web applications.
Security policies and procedures are administrative controls that define standards but do not technically prevent the injection of malicious scripts into web pages.
Digital certificates authenticate the server's identity via TLS/SSL but have no mechanism to inspect or sanitize user-supplied input for script injection.
XSS attacks occur when untrusted data is sent to a browser without proper validation or escaping, allowing attackers to inject malicious scripts. Validating input on the server side ensures data conforms to expected formats, while output encoding or escaping neutralizes script characters (such as converting < to <) so the browser renders them as data rather than executable code. Together, these two controls directly address the root cause of XSS as defined by OWASP.
Verifying access rights is an authorization control that restricts what authenticated users can do, but it does not prevent malicious script payloads from being injected and reflected to other users.
Concept tested: Cross-Site Scripting (XSS) prevention via input validation and output encoding
Source: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
Topics
Community Discussion
No community discussion yet for this question.