nerdexam
EC-Council

312-50V10 · Question #739

While performing online banking using a Web browser, a user receives an email that contains a link to an interesting Web site. When the user clicks on the link, another Web browser session starts and

The correct answer is C. Cross-Sire Request Forgery. Cross-Site Request Forgery (CSRF) exploits an authenticated browser session by tricking the user into loading a malicious resource that silently issues forged requests to a trusted site using the user's existing session credentials.

Hacking Web Applications

Question

While performing online banking using a Web browser, a user receives an email that contains a link to an interesting Web site. When the user clicks on the link, another Web browser session starts and displays a video of cats playing a piano. The next business day, the user receives what looks like an email from his bank, indicating that his bank account has been accessed from a foreign country. The email asks the user to call his bank and verify the authorization of a funds transfer that took place. What Web browser-based security vulnerability was exploited to compromise the user?

Options

  • AClickjacking
  • BCross-Sire Scripting
  • CCross-Sire Request Forgery
  • DWeb form input validation

How the community answered

(49 responses)
  • A
    4% (2)
  • B
    8% (4)
  • C
    73% (36)
  • D
    14% (7)

Why each option

Cross-Site Request Forgery (CSRF) exploits an authenticated browser session by tricking the user into loading a malicious resource that silently issues forged requests to a trusted site using the user's existing session credentials.

AClickjacking

Clickjacking overlays invisible UI elements to trick users into clicking something other than what they see; this scenario involves no hidden UI layer or deceptive click target - the malicious action is triggered automatically by loading the page.

BCross-Sire Scripting

Cross-Site Scripting (XSS) injects malicious scripts into a trusted web page that execute in the victim's browser; this scenario does not involve injecting code into the banking site itself.

CCross-Sire Request ForgeryCorrect

In CSRF, the attacker crafts a malicious link or page that, when loaded by an authenticated user, causes the user's browser to send unauthorized HTTP requests to a target site - in this case the bank - using the user's active session cookie. The bank cannot distinguish the forged request from a legitimate one because it carries valid credentials. The cat video serves as a decoy while the forged transaction executes in the background using the user's authenticated banking session.

DWeb form input validation

Web form input validation is a defensive control that sanitizes user-supplied data before processing; it is not an attack vector and is unrelated to the session-hijacking mechanism described in this scenario.

Concept tested: Cross-Site Request Forgery session-based attack mechanism

Source: https://owasp.org/www-community/attacks/csrf

Topics

#CSRF#cross-site request forgery#session-based attack#web browser security

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice