nerdexam
EC-Council

312-50V13 · Question #620

As part of a penetration testing team, you've discovered a web application vulnerable to Cross- Site Scripting (XSS). The application sanitizes inputs against standard XSS payloads but fails to filter

The correct answer is D. Create a sophisticated XSS payload that leverages HTML encoding to bypass the input. To exploit an XSS vulnerability in an application that sanitizes standard payloads but not HTML-encoded characters and uses HTTPOnly cookies, the most viable strategy is to craft an HTML-encoded XSS payload to bypass the input filter.

Submitted by yousef_jo· Mar 6, 2026Hacking Web Applications

Question

As part of a penetration testing team, you've discovered a web application vulnerable to Cross- Site Scripting (XSS). The application sanitizes inputs against standard XSS payloads but fails to filter out HTML-encoded characters. On further analysis, you've noticed that the web application uses cookies to track session IDs. You decide to exploit the XSS vulnerability to steal users' session cookies. However, the application implements HTTPOnly cookies, complicating your original plan. Which of the following would be the most viable strategy for a successful attack?

Options

  • ABuild an XSS payload using HTML encoding and use it to exploit the server-side code, potentially
  • BDevelop a browser exploit to bypass the HTTPOnly restriction, then use a HTML-encoded XSS
  • CUtilize an HTML-encoded XSS payload to trigger a buffer overflow attack, forcing the server to
  • DCreate a sophisticated XSS payload that leverages HTML encoding to bypass the input

How the community answered

(41 responses)
  • A
    12% (5)
  • B
    5% (2)
  • C
    2% (1)
  • D
    80% (33)

Why each option

To exploit an XSS vulnerability in an application that sanitizes standard payloads but not HTML-encoded characters and uses HTTPOnly cookies, the most viable strategy is to craft an HTML-encoded XSS payload to bypass the input filter.

ABuild an XSS payload using HTML encoding and use it to exploit the server-side code, potentially

Building an XSS payload to exploit server-side code is a different type of vulnerability (e.g., server-side injection) and not directly related to exploiting a client-side XSS vulnerability where HTML encoding bypasses input filtering.

BDevelop a browser exploit to bypass the HTTPOnly restriction, then use a HTML-encoded XSS

Developing a browser exploit to bypass HTTPOnly is significantly more complex, specific to browser versions, and beyond the scope of a typical XSS vulnerability exploitation against an application; it's an exploit against the browser itself.

CUtilize an HTML-encoded XSS payload to trigger a buffer overflow attack, forcing the server to

Utilizing an HTML-encoded XSS payload to trigger a buffer overflow attack is mixing attack types; XSS is a client-side code injection, and a buffer overflow is typically a server-side memory corruption vulnerability.

DCreate a sophisticated XSS payload that leverages HTML encoding to bypass the inputCorrect

Since the application fails to filter HTML-encoded characters, an attacker can create an XSS payload using HTML encoding (e.g., `<script>`) to bypass the input sanitization filter. Although HTTPOnly cookies prevent client-side scripts from directly accessing the `document.cookie` property, successfully executing an XSS payload via this encoding bypass is the critical first step that enables an attacker to then potentially launch further attacks, such as tricking the browser into sending cookies indirectly or performing actions on the user's behalf.

Concept tested: XSS payload encoding bypass, HTTPOnly limitations

Source: https://learn.microsoft.com/en-us/previous-versions/aspnet/ms972965(v=msdn.10)

Topics

#Cross-Site Scripting (XSS)#HTTPOnly cookies#session hijacking#HTML encoding

Community Discussion

No community discussion yet for this question.

Full 312-50V13 Practice