312-50V11 · Question #329
A security analyst in an insurance company is assigned to test a new web application that will be used by clients to help them choose and apply for an insurance plan. The analyst discovers that the ap
The correct answer is C. Cross-site scripting. The analyst injected a VBScript-based IMG tag payload into a search field that executed client-side script in the browser, demonstrating a Cross-site Scripting (XSS) vulnerability.
Question
A security analyst in an insurance company is assigned to test a new web application that will be used by clients to help them choose and apply for an insurance plan. The analyst discovers that the application is developed in ASP scripting language and it uses MSSQL as a database backend. The analyst locates the application's search form and introduces the following code in the search input field:
IMG SRC=vbscript:msgbox("Vulnerable");> originalAttribute="SRC" originalPath="vbscript:msgbox ("Vulnerable");>" When the analyst submits the form, the browser returns a pop-up window that says "Vulnerable". Which web applications vulnerability did the analyst discover?
Options
- ACross-site request forgery
- BCommand injection
- CCross-site scripting
- DSQL injection
How the community answered
(41 responses)- A5% (2)
- B10% (4)
- C71% (29)
- D15% (6)
Why each option
The analyst injected a VBScript-based IMG tag payload into a search field that executed client-side script in the browser, demonstrating a Cross-site Scripting (XSS) vulnerability.
Cross-site request forgery involves tricking an authenticated user's browser into sending forged requests, not injecting executable script payloads into input fields.
Command injection targets server-side OS shell interpreters by embedding shell metacharacters, not client-side browser script execution via HTML or VBScript tags.
XSS occurs when an application reflects unvalidated user input back to the browser, allowing malicious scripts to execute in the client context. The injected IMG SRC with vbscript:msgbox() is a classic XSS payload that triggers client-side script execution without touching the server-side database. The browser rendering the popup confirms the application fails to sanitize or encode user-supplied input before outputting it to the page.
SQL injection manipulates database query logic through specially crafted input, not browser-rendered script tags like IMG SRC with vbscript.
Concept tested: Cross-site scripting (XSS) via script injection in input fields
Source: https://owasp.org/www-community/attacks/xss/
Topics
Community Discussion
No community discussion yet for this question.