nerdexam
EC-Council

312-50V11 · Question #373

While testing the company's web applications, a tester attempts to insert the following test script into the search area on the company's web site: <script>alert(" Testing Testing Testing ")</script>

The correct answer is D. Cross-site scripting. The tester's injected script executed in the browser, confirming the application does not sanitize user input before rendering it - a textbook Cross-Site Scripting (XSS) vulnerability.

Hacking Web Applications

Question

While testing the company's web applications, a tester attempts to insert the following test script into the search area on the company's web site:

<script>alert(" Testing Testing Testing ")</script> Afterwards, when the tester presses the search button, a pop-up box appears on the screen with the text:

"Testing Testing Testing". Which vulnerability has been detected in the web application?

Options

  • ABuffer overflow
  • BCross-site request forgery
  • CDistributed denial of service
  • DCross-site scripting

How the community answered

(33 responses)
  • A
    3% (1)
  • B
    3% (1)
  • C
    6% (2)
  • D
    88% (29)

Why each option

The tester's injected script executed in the browser, confirming the application does not sanitize user input before rendering it - a textbook Cross-Site Scripting (XSS) vulnerability.

ABuffer overflow

Buffer overflow involves writing data beyond allocated memory boundaries in an application, not injecting scripts that execute in a browser.

BCross-site request forgery

Cross-site request forgery (CSRF) tricks authenticated users into submitting unintended requests to a site where they are logged in, and does not involve injecting executable scripts into input fields.

CDistributed denial of service

Distributed denial of service floods a target with traffic from multiple sources to exhaust resources, which has no relation to script injection in a search field.

DCross-site scriptingCorrect

Cross-site scripting occurs when an application accepts unsanitized user input and reflects or stores it so browsers execute it as script. The pop-up appearing confirms the <script> tag was rendered and executed by the browser rather than treated as plain text, which is the defining characteristic of a reflected XSS vulnerability.

Concept tested: Reflected Cross-Site Scripting (XSS) detection

Source: https://owasp.org/www-community/attacks/xss/

Topics

#cross-site scripting#XSS#JavaScript injection#reflected XSS

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice