312-50V9 · Question #395
While performing online banking using a Web browser, Kyle receives an email that contains an image of a well-crafted art. Upon clicking the image, a new tab on the web browser opens and shows an anima
The correct answer is C. Cross-Site Request Forgery. Kyle's banking session was hijacked because clicking the image triggered a forged request that executed a transaction on his behalf while his browser session was authenticated.
Question
While performing online banking using a Web browser, Kyle receives an email that contains an image of a well-crafted art. Upon clicking the image, a new tab on the web browser opens and shows an animated GIF of bills and coins being swallowed by a crocodile. After several days, Kyle noticed that all his funds on the bank was gone. What Web browser-based security vulnerability got exploited by the hacker?
Options
- AClickjacking
- BWeb Form Input Validation
- CCross-Site Request Forgery
- DCross-Site Scripting
How the community answered
(26 responses)- A12% (3)
- B4% (1)
- C81% (21)
- D4% (1)
Why each option
Kyle's banking session was hijacked because clicking the image triggered a forged request that executed a transaction on his behalf while his browser session was authenticated.
Clickjacking tricks users into clicking a hidden or overlaid UI element on a legitimate page, but this attack did not involve overlaying a transparent frame over a target site.
Web Form Input Validation refers to sanitizing user-supplied data to prevent injection attacks - it does not describe an attacker exploiting an authenticated session.
Cross-Site Request Forgery (CSRF) exploits the trust a web application has in an authenticated user's browser. When Kyle clicked the image, the attacker's page silently issued a forged HTTP request to the banking site using Kyle's active session cookies, causing the bank to process a fund transfer as if Kyle had authorized it. The animated GIF served as a distraction while the malicious request completed in the background.
Cross-Site Scripting (XSS) involves injecting malicious scripts into a trusted web page viewed by other users, which is not what occurred here - no script was injected into the banking site itself.
Concept tested: Cross-Site Request Forgery (CSRF) attack mechanics
Source: https://owasp.org/www-community/attacks/csrf
Topics
Community Discussion
No community discussion yet for this question.