nerdexam
EC-Council

312-50V9 · Question #237

A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants t

The correct answer is A. Cross-site scripting vulnerability. Many operators of particular web applications (e.g. forums and webmail) allow users to utilize a limited subset of HTML markup. When accepting HTML input from users (say, <b>very</b> large), output encoding (such as &lt;b&gt;very&lt;/b&gt; large) will not suffice since the user i

Hacking Web Applications

Question

A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application. What kind of Web application vulnerability likely exists in their software?

Options

  • ACross-site scripting vulnerability
  • BCross-site Request Forgery vulnerability
  • CSQL injection vulnerability
  • DWeb site defacement vulnerability

How the community answered

(30 responses)
  • A
    93% (28)
  • B
    3% (1)
  • C
    3% (1)

Explanation

Many operators of particular web applications (e.g. forums and webmail) allow users to utilize a limited subset of HTML markup. When accepting HTML input from users (say, <b>very</b> large), output encoding (such as <b>very</b> large) will not suffice since the user input needs to be rendered as HTML by the browser (so it shows as "very large", instead of "<b>very</b> large"). Stopping an XSS attack when accepting HTML input from users is much more complex in this situation. Untrusted HTML input must be run through an HTML sanitization engine to ensure that it does not contain cross-site scripting code. https://en.wikipedia.org/wiki/Cross-site_scripting#Safely_validating_untrusted_HTML_input

Topics

#XSS#input validation#HTML injection#web vulnerability mitigation

Community Discussion

No community discussion yet for this question.

Full 312-50V9 Practice