EC-Council


312-50V13 Question #376: Real Exam Question with Answer & Explanation

The correct answer is A: Cross-site scripting vulnerability.

Submitted by devops_kid · Mar 6, 2026 · Hacking Web Applications

Question

A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application. What kind of Web application vulnerability likely exists in their software?

Options

  • A. Cross-site scripting vulnerability
  • B. SQL injection vulnerability
  • C. Web site defacement vulnerability
  • D. Cross-site Request Forgery vulnerability

Explanation

Cross-Site Scripting (XSS) is the vulnerability here because it occurs when attackers inject malicious HTML or JavaScript code into a web application's input fields, which then gets rendered and executed in other users' browsers. By disallowing HTML input, the team is directly targeting this attack vector, since XSS relies on the browser interpreting injected markup as code rather than plain text.

Why the distractors are wrong:

  • B (SQL Injection) involves injecting malicious SQL commands into database query fields, not HTML - the mitigation would involve parameterized queries, not blocking HTML.
  • C (Website Defacement) is an outcome of an attack (altering a site's appearance), not a specific vulnerability class tied to HTML input.
  • D (Cross-Site Request Forgery/CSRF) tricks authenticated users into submitting unwanted requests, and is mitigated with tokens - blocking HTML input has no effect on it.

Memory Tip: Think "XSS = X-tra Sneaky Scripts" - anytime you see a security concern about users entering HTML or JavaScript into input fields, it's pointing to Cross-Site Scripting. The "cross-site" part refers to the malicious script affecting other users who view the compromised page.

Topics

#Cross-site scripting (XSS) #Web application vulnerability #Input validation #Vulnerability mitigation
