312-50V13 · Question #628
During a penetration test, an ethical hacker is exploring the security of a complex web application. The application heavily relies on JavaScript for client-side input sanitization, with an apparent a
The correct answer is D. Launch a Cross-Site Scripting (XSS) attack, aiming to bypass the client-side sanitization and. Explanation Launching a Cross-Site Scripting (XSS) attack is the most effective strategy because it directly exploits both identified vulnerabilities simultaneously - client-side-only JavaScript sanitization (which can be bypassed by crafting malicious payloads that circumvent or
Question
Options
- AInstigate a Distributed Denial of Service (DDoS) attack to overload the server, capitalizing on
- BImplement an SQL Injection attack to take advantage of potential unvalidated input and gain
- CEmploy a brute-force attack to decipher user credentials, considering the lack of server-side
- DLaunch a Cross-Site Scripting (XSS) attack, aiming to bypass the client-side sanitization and
How the community answered
(15 responses)- A13% (2)
- B7% (1)
- C27% (4)
- D53% (8)
Explanation
Explanation
Launching a Cross-Site Scripting (XSS) attack is the most effective strategy because it directly exploits both identified vulnerabilities simultaneously - client-side-only JavaScript sanitization (which can be bypassed by crafting malicious payloads that circumvent or are injected outside the sanitization logic) and the missing HttpOnly flag, which allows injected scripts to access and steal session cookies. XSS is purpose-built for exactly this attack surface, enabling session hijacking with minimal friction.
- Option A (DDoS) is wrong because it targets availability, not the specific vulnerabilities identified; it neither exploits JavaScript sanitization gaps nor cookie exposure.
- Option B (SQL Injection) targets database input handling, but the scenario's vulnerabilities are centered on client-side sanitization and cookie management - not necessarily unvalidated database queries.
- Option C (Brute-force) attacks authentication credentials through repetition and has no relevance to the JavaScript sanitization or HttpOnly cookie vulnerabilities described.
Memory Tip: Think "XSS = Cookie Monster" - whenever you see missing HttpOnly flag + client-side-only sanitization, XSS is the attacker's best friend because it lets scripts steal cookies directly from the browser.
Topics
Community Discussion
No community discussion yet for this question.