312-50V9 · Question #237
A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants t
The correct answer is A. Cross-site scripting vulnerability. Many operators of particular web applications (e.g. forums and webmail) allow users to utilize a limited subset of HTML markup. When accepting HTML input from users (say, <b>very</b> large), output encoding (such as <b>very</b> large) will not suffice since the user i
Question
A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application. What kind of Web application vulnerability likely exists in their software?
Options
- ACross-site scripting vulnerability
- BCross-site Request Forgery vulnerability
- CSQL injection vulnerability
- DWeb site defacement vulnerability
How the community answered
(30 responses)- A93% (28)
- B3% (1)
- C3% (1)
Explanation
Many operators of particular web applications (e.g. forums and webmail) allow users to utilize a limited subset of HTML markup. When accepting HTML input from users (say, <b>very</b> large), output encoding (such as <b>very</b> large) will not suffice since the user input needs to be rendered as HTML by the browser (so it shows as "very large", instead of "<b>very</b> large"). Stopping an XSS attack when accepting HTML input from users is much more complex in this situation. Untrusted HTML input must be run through an HTML sanitization engine to ensure that it does not contain cross-site scripting code. https://en.wikipedia.org/wiki/Cross-site_scripting#Safely_validating_untrusted_HTML_input
Topics
Community Discussion
No community discussion yet for this question.