nerdexam
EC-Council

312-50V11 · Question #512

Which of the following is the BEST approach to prevent Cross-site Scripting (XSS) flaws?

The correct answer is D. Validate and escape all information sent to a server.. XSS is prevented by validating and escaping all user-supplied data before it is processed or rendered, neutralizing injected scripts.

Hacking Web Applications

Question

Which of the following is the BEST approach to prevent Cross-site Scripting (XSS) flaws?

Options

  • AUse digital certificates to authenticate a server prior to sending data.
  • BVerify access right before allowing access to protected information and UI controls.
  • CVerify access right before allowing access to protected information and UI controls.
  • DValidate and escape all information sent to a server.

How the community answered

(46 responses)
  • A
    7% (3)
  • B
    11% (5)
  • C
    2% (1)
  • D
    80% (37)

Why each option

XSS is prevented by validating and escaping all user-supplied data before it is processed or rendered, neutralizing injected scripts.

AUse digital certificates to authenticate a server prior to sending data.

Digital certificates secure server authentication and encrypt transport via TLS, but do not prevent XSS, which exploits how a server processes and reflects user input back to the browser.

BVerify access right before allowing access to protected information and UI controls.

Verifying access rights is an authorization control that governs what authenticated users may access, but does not sanitize user input or prevent script injection into web pages.

CVerify access right before allowing access to protected information and UI controls.

Checking access rights before exposing UI controls addresses authorization, not the injection of malicious client-side scripts caused by unescaped user input.

DValidate and escape all information sent to a server.Correct

XSS attacks occur when untrusted input is sent to a browser without proper sanitization, allowing malicious scripts to execute in the victim's session. Validating input on the server side and HTML-escaping output ensures user-supplied content is treated as plain text rather than executable code, which is the primary mitigation strategy recommended by OWASP.

Concept tested: Cross-site scripting prevention via input validation and escaping

Source: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

Topics

#XSS prevention#input validation#output escaping#web application security

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice