nerdexam
EC-Council

312-50V9 · Question #395

While performing online banking using a Web browser, Kyle receives an email that contains an image of a well-crafted art. Upon clicking the image, a new tab on the web browser opens and shows an anima

The correct answer is C. Cross-Site Request Forgery. Kyle's banking session was hijacked because clicking the image triggered a forged request that executed a transaction on his behalf while his browser session was authenticated.

Hacking Web Applications

Question

While performing online banking using a Web browser, Kyle receives an email that contains an image of a well-crafted art. Upon clicking the image, a new tab on the web browser opens and shows an animated GIF of bills and coins being swallowed by a crocodile. After several days, Kyle noticed that all his funds on the bank was gone. What Web browser-based security vulnerability got exploited by the hacker?

Options

  • AClickjacking
  • BWeb Form Input Validation
  • CCross-Site Request Forgery
  • DCross-Site Scripting

How the community answered

(26 responses)
  • A
    12% (3)
  • B
    4% (1)
  • C
    81% (21)
  • D
    4% (1)

Why each option

Kyle's banking session was hijacked because clicking the image triggered a forged request that executed a transaction on his behalf while his browser session was authenticated.

AClickjacking

Clickjacking tricks users into clicking a hidden or overlaid UI element on a legitimate page, but this attack did not involve overlaying a transparent frame over a target site.

BWeb Form Input Validation

Web Form Input Validation refers to sanitizing user-supplied data to prevent injection attacks - it does not describe an attacker exploiting an authenticated session.

CCross-Site Request ForgeryCorrect

Cross-Site Request Forgery (CSRF) exploits the trust a web application has in an authenticated user's browser. When Kyle clicked the image, the attacker's page silently issued a forged HTTP request to the banking site using Kyle's active session cookies, causing the bank to process a fund transfer as if Kyle had authorized it. The animated GIF served as a distraction while the malicious request completed in the background.

DCross-Site Scripting

Cross-Site Scripting (XSS) involves injecting malicious scripts into a trusted web page viewed by other users, which is not what occurred here - no script was injected into the banking site itself.

Concept tested: Cross-Site Request Forgery (CSRF) attack mechanics

Source: https://owasp.org/www-community/attacks/csrf

Topics

#CSRF#cross-site request forgery#session exploitation#web browser security

Community Discussion

No community discussion yet for this question.

Full 312-50V9 Practice