312-50V13 · Question #166
This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes un-sanitized user-provided data. What is this attack?
The correct answer is A. Cross-site-scripting attack. Cross-site scripting (XSS) is a web vulnerability where unsanitized user input is reflected in web pages, allowing attackers to execute malicious scripts in other users' browsers.
Question
Options
- ACross-site-scripting attack
- BSQL Injection
- CURL Traversal attack
- DBuffer Overflow attack
How the community answered
(42 responses)- A90% (38)
- B5% (2)
- C2% (1)
- D2% (1)
Why each option
Cross-site scripting (XSS) is a web vulnerability where unsanitized user input is reflected in web pages, allowing attackers to execute malicious scripts in other users' browsers.
A Cross-site scripting (XSS) attack specifically occurs when a web application takes untrusted user input and includes it in the generated HTML page without proper sanitization. This allows an attacker to inject client-side scripts, which are then executed by other users' browsers, potentially leading to session hijacking, defacement, or redirection.
SQL Injection attacks involve injecting malicious SQL queries into data input fields to manipulate or extract data from a database, not to execute scripts in a user's browser via unsanitized display.
URL Traversal (or Directory Traversal) attacks exploit vulnerabilities that allow an attacker to access files or directories outside the intended web root by manipulating path elements in a URL, which is different from script execution in a browser.
Buffer Overflow attacks occur when a program attempts to write more data into a fixed-size buffer than it can hold, overwriting adjacent memory and potentially executing arbitrary code; this is a low-level memory vulnerability, typically server-side, not a web content display issue.
Concept tested: Cross-site scripting (XSS) vulnerability
Source: https://owasp.org/www-community/attacks/xss/
Topics
Community Discussion
No community discussion yet for this question.