312-50V11 · Question #373
While testing the company's web applications, a tester attempts to insert the following test script into the search area on the company's web site: <script>alert(" Testing Testing Testing ")</script>
The correct answer is D. Cross-site scripting. The tester's injected script executed in the browser, confirming the application does not sanitize user input before rendering it - a textbook Cross-Site Scripting (XSS) vulnerability.
Question
While testing the company's web applications, a tester attempts to insert the following test script into the search area on the company's web site:
<script>alert(" Testing Testing Testing ")</script> Afterwards, when the tester presses the search button, a pop-up box appears on the screen with the text:"Testing Testing Testing". Which vulnerability has been detected in the web application?
Options
- ABuffer overflow
- BCross-site request forgery
- CDistributed denial of service
- DCross-site scripting
How the community answered
(33 responses)- A3% (1)
- B3% (1)
- C6% (2)
- D88% (29)
Why each option
The tester's injected script executed in the browser, confirming the application does not sanitize user input before rendering it - a textbook Cross-Site Scripting (XSS) vulnerability.
Buffer overflow involves writing data beyond allocated memory boundaries in an application, not injecting scripts that execute in a browser.
Cross-site request forgery (CSRF) tricks authenticated users into submitting unintended requests to a site where they are logged in, and does not involve injecting executable scripts into input fields.
Distributed denial of service floods a target with traffic from multiple sources to exhaust resources, which has no relation to script injection in a search field.
Cross-site scripting occurs when an application accepts unsanitized user input and reflects or stores it so browsers execute it as script. The pop-up appearing confirms the <script> tag was rendered and executed by the browser rather than treated as plain text, which is the defining characteristic of a reflected XSS vulnerability.
Concept tested: Reflected Cross-Site Scripting (XSS) detection
Source: https://owasp.org/www-community/attacks/xss/
Topics
Community Discussion
No community discussion yet for this question.