312-50V9 · Question #60
During a penetration test, a tester finds that the web application being analyzed is vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this vulnerabili
The correct answer is B. The session cookies do not have the HttpOnly flag set.. XSS attacks steal session cookies via JavaScript only when the HttpOnly flag is absent, as it is the control that blocks script access to cookie values.
Question
During a penetration test, a tester finds that the web application being analyzed is vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this vulnerability?
Options
- AThe web application does not have the secure flag set.
- BThe session cookies do not have the HttpOnly flag set.
- CThe victim user should not have an endpoint security solution.
- DThe victim's browser must have ActiveX technology enabled.
How the community answered
(33 responses)- A6% (2)
- B70% (23)
- C9% (3)
- D15% (5)
Why each option
XSS attacks steal session cookies via JavaScript only when the HttpOnly flag is absent, as it is the control that blocks script access to cookie values.
The Secure flag restricts cookie transmission to HTTPS connections only; its presence or absence has no bearing on whether JavaScript can read cookie values on the client side.
The HttpOnly attribute on a cookie instructs the browser to block client-side scripts, including JavaScript, from accessing the cookie via the document.cookie API. Without this flag, an injected XSS payload can read and exfiltrate the session token to an attacker-controlled server. This missing flag is the direct technical prerequisite for cookie-theft-based session hijacking via XSS.
The absence of an endpoint security solution may reduce the chance of detection, but it is not a technical condition required for an XSS payload to execute and steal cookies.
XSS payloads execute as standard JavaScript within the browser's scripting engine; ActiveX is an unrelated, legacy Microsoft technology and is not involved in modern XSS exploitation.
Concept tested: HttpOnly cookie flag and XSS session hijacking conditions
Source: https://owasp.org/www-community/HttpOnly
Topics
Community Discussion
No community discussion yet for this question.