312-50V11 · Question #287
During a penetration test, a tester finds that the web application being analyzed is vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this vulnerabili
The correct answer is B. The session cookies do not have the HttpOnly flag set.. XSS attacks can steal session cookies only when the HttpOnly flag is absent, as that flag blocks JavaScript from reading cookie values.
Question
During a penetration test, a tester finds that the web application being analyzed is vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this vulnerability?
Options
- AThe web application does not have the secure flag set.
- BThe session cookies do not have the HttpOnly flag set.
- CThe victim user should not have an endpoint security solution.
- DThe victim's browser must have ActiveX technology enabled.
How the community answered
(37 responses)- A8% (3)
- B84% (31)
- C3% (1)
- D5% (2)
Why each option
XSS attacks can steal session cookies only when the HttpOnly flag is absent, as that flag blocks JavaScript from reading cookie values.
The Secure flag restricts cookie transmission to HTTPS connections only and does not control JavaScript access to cookie values, making it irrelevant to XSS-based cookie theft.
The HttpOnly attribute on a cookie instructs the browser to deny access to that cookie via client-side scripts such as document.cookie. Without this flag, a successful XSS payload can exfiltrate the session token to an attacker-controlled server, enabling session hijacking. This is the specific browser-enforced control that directly determines whether XSS can be used to steal cookies.
Endpoint security solutions may detect or block certain payloads, but their presence or absence is not a technical prerequisite for the vulnerability to be exploitable.
ActiveX is a legacy Microsoft plugin technology unrelated to XSS, which relies on standard browser JavaScript execution rather than any plugin framework.
Concept tested: XSS session cookie theft and HttpOnly flag
Source: https://owasp.org/www-community/HttpOnly
Topics
Community Discussion
No community discussion yet for this question.