nerdexam
EC-Council

312-50V13 · Question #487

An ethical hacker is testing a web application of a financial firm. During the test, a 'Contact Us' form's input field is found to lack proper user input validation, indicating a potential Cross-Site

The correct answer is C. Utilize a script hosted on the application's domain to test the form. Explanation Option C is correct because the CSP explicitly permits scripts from the application's own domain, making it the only viable method to test the XSS vulnerability within the policy's constraints - if the hacker can reference a script already hosted on the target domain

Submitted by kevin_r· Mar 6, 2026Hacking Web Applications

Question

An ethical hacker is testing a web application of a financial firm. During the test, a 'Contact Us' form's input field is found to lack proper user input validation, indicating a potential Cross-Site Scripting (XSS) vulnerability. However, the application has a stringent Content Security Policy (CSP) disallowing inline scripts and scripts from external domains but permitting scripts from its own domain. What would be the hacker's next step to confirm the XSS vulnerability?

Options

  • ATry to disable the CSP to bypass script restrictions
  • BInject a benign script inline to the form to see if it executes
  • CUtilize a script hosted on the application's domain to test the form
  • DLoad a script from an external domain to test the vulnerability

How the community answered

(56 responses)
  • A
    7% (4)
  • B
    5% (3)
  • C
    73% (41)
  • D
    14% (8)

Explanation

Explanation

Option C is correct because the CSP explicitly permits scripts from the application's own domain, making it the only viable method to test the XSS vulnerability within the policy's constraints - if the hacker can reference a script already hosted on the target domain (or upload one), it may execute through the vulnerable form field. Option A is incorrect because CSP is enforced server-side/browser-level and cannot simply be "disabled" by an attacker during a test. Option B fails because the CSP explicitly blocks inline scripts, so injecting an inline script (e.g., <script>alert(1)</script>) would be blocked by the browser before execution. Option D is wrong because the CSP explicitly disallows scripts from external domains, meaning any externally hosted payload would be rejected.

Memory Tip: Think of CSP as a guest list at a club - only those on the list (the application's own domain) get in. Inline scripts and outsiders are turned away at the door, so a smart hacker works with the rules by using a script that's already "on the list."

Topics

#Cross-Site Scripting (XSS)#Content Security Policy (CSP)#Web Application Vulnerabilities#Exploitation Techniques

Community Discussion

No community discussion yet for this question.

Full 312-50V13 Practice