nerdexam
EC-Council

312-50V11 · Question #287

During a penetration test, a tester finds that the web application being analyzed is vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this vulnerabili

The correct answer is B. The session cookies do not have the HttpOnly flag set.. XSS attacks can steal session cookies only when the HttpOnly flag is absent, as that flag blocks JavaScript from reading cookie values.

Hacking Web Applications

Question

During a penetration test, a tester finds that the web application being analyzed is vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this vulnerability?

Options

  • AThe web application does not have the secure flag set.
  • BThe session cookies do not have the HttpOnly flag set.
  • CThe victim user should not have an endpoint security solution.
  • DThe victim's browser must have ActiveX technology enabled.

How the community answered

(37 responses)
  • A
    8% (3)
  • B
    84% (31)
  • C
    3% (1)
  • D
    5% (2)

Why each option

XSS attacks can steal session cookies only when the HttpOnly flag is absent, as that flag blocks JavaScript from reading cookie values.

AThe web application does not have the secure flag set.

The Secure flag restricts cookie transmission to HTTPS connections only and does not control JavaScript access to cookie values, making it irrelevant to XSS-based cookie theft.

BThe session cookies do not have the HttpOnly flag set.Correct

The HttpOnly attribute on a cookie instructs the browser to deny access to that cookie via client-side scripts such as document.cookie. Without this flag, a successful XSS payload can exfiltrate the session token to an attacker-controlled server, enabling session hijacking. This is the specific browser-enforced control that directly determines whether XSS can be used to steal cookies.

CThe victim user should not have an endpoint security solution.

Endpoint security solutions may detect or block certain payloads, but their presence or absence is not a technical prerequisite for the vulnerability to be exploitable.

DThe victim's browser must have ActiveX technology enabled.

ActiveX is a legacy Microsoft plugin technology unrelated to XSS, which relies on standard browser JavaScript execution rather than any plugin framework.

Concept tested: XSS session cookie theft and HttpOnly flag

Source: https://owasp.org/www-community/HttpOnly

Topics

#XSS#HttpOnly flag#session cookies#cross-site scripting

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice