312-50V13 · Question #487
An ethical hacker is testing a web application of a financial firm. During the test, a 'Contact Us' form's input field is found to lack proper user input validation, indicating a potential Cross-Site
The correct answer is C. Utilize a script hosted on the application's domain to test the form. Explanation Option C is correct because the CSP explicitly permits scripts from the application's own domain, making it the only viable method to test the XSS vulnerability within the policy's constraints - if the hacker can reference a script already hosted on the target domain
Question
Options
- ATry to disable the CSP to bypass script restrictions
- BInject a benign script inline to the form to see if it executes
- CUtilize a script hosted on the application's domain to test the form
- DLoad a script from an external domain to test the vulnerability
How the community answered
(56 responses)- A7% (4)
- B5% (3)
- C73% (41)
- D14% (8)
Explanation
Explanation
Option C is correct because the CSP explicitly permits scripts from the application's own domain, making it the only viable method to test the XSS vulnerability within the policy's constraints - if the hacker can reference a script already hosted on the target domain (or upload one), it may execute through the vulnerable form field. Option A is incorrect because CSP is enforced server-side/browser-level and cannot simply be "disabled" by an attacker during a test. Option B fails because the CSP explicitly blocks inline scripts, so injecting an inline script (e.g., <script>alert(1)</script>) would be blocked by the browser before execution. Option D is wrong because the CSP explicitly disallows scripts from external domains, meaning any externally hosted payload would be rejected.
Memory Tip: Think of CSP as a guest list at a club - only those on the list (the application's own domain) get in. Inline scripts and outsiders are turned away at the door, so a smart hacker works with the rules by using a script that's already "on the list."
Topics
Community Discussion
No community discussion yet for this question.