CompTIA CAS-002 Question #790: Real Exam Question with Answer & Explanation
The correct answer is B: Filter metacharacters. Cross-site scripting (XSS) attacks in comment fields rely on injecting special HTML and script metacharacters; filtering those characters server-side is the most direct and effective countermeasure.
Question
It has come to the IT administrator's attention that the "post your comment" field on the company blog page has been exploited, resulting in cross-site scripting attacks against customers reading the blog. Which of the following would be the MOST effective at preventing the "post your comment" field from being exploited?
Options
- A. Update the blog page to HTTPS
- B. Filter metacharacters
- C. Install HIDS on the server
- D. Patch the web application
- E. Perform client side input validation
Explanation
Cross-site scripting (XSS) attacks in comment fields rely on injecting special HTML and script metacharacters; filtering those characters server-side is the most direct and effective countermeasure.
Common mistakes.
- A. HTTPS encrypts data in transit between client and server but has no effect on the content of user-submitted input; a malicious script submitted over HTTPS is just as dangerous as one submitted over HTTP.
- C. A host-based intrusion detection system monitors OS-level events and file integrity on the server but does not inspect or sanitize web application input fields.
- D. Patching the web application is a valid general practice but is too vague to be the most effective specific control; the root cause is unsanitized input, not an unpatched software vulnerability.
- E. Client-side input validation can be trivially bypassed by an attacker using browser developer tools or a proxy, so it provides no real security guarantee and must not be relied upon as a sole defense.
Concept tested. Server-side input filtering to prevent XSS attacks.
Reference. https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
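The server-side control the answer describes, shown as an added example that is not part of the exam item or the OWASP page: a comment is submitted with HTML and script metacharacters, a vulnerable renderer echoes it into the page verbatim, and a hardened renderer neutralises the metacharacters with HTML-entity encoding before output. The sample comment, the function names and the minimal HTML wrapper are constructed for illustration.

```python
import html
import re

# Constructed sample comment carrying HTML/script metacharacters (not a real blog post).
SAMPLE_COMMENT = 'Nice post! <script>alert("xss")</script> & "quotes"'

# Characters that change meaning inside an HTML text or attribute context.
HTML_METACHARACTERS = {"<", ">", "&", '"', "'"}

COMMENT_PREFIX = '<div class="comment">'
COMMENT_SUFFIX = "</div>"


def contains_metacharacters(comment: str) -> bool:
    """Detect whether a submitted comment contains any HTML metacharacter.

    Useful for logging or alerting; detection alone is not the control."""
    return any(ch in HTML_METACHARACTERS for ch in comment)


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable renderer: trusts the client and inserts the comment verbatim.

    This is what client-side-only validation (option E) amounts to, since the
    server never re-checks what arrives."""
    return f"{COMMENT_PREFIX}{comment}{COMMENT_SUFFIX}"


def render_comment_safe(comment: str) -> str:
    """Hardened renderer: encode metacharacters server-side before output.

    html.escape(quote=True) turns < > & \" ' into entities, so the browser
    displays the text instead of parsing it as markup or script."""
    return f"{COMMENT_PREFIX}{html.escape(comment, quote=True)}{COMMENT_SUFFIX}"


def tags_present(rendered: str) -> list[str]:
    """Check helper: tag names a browser would parse from the comment body."""
    inner = rendered[len(COMMENT_PREFIX):-len(COMMENT_SUFFIX)]
    return re.findall(r"<\s*/?\s*([A-Za-z]+)", inner)


if __name__ == "__main__":
    print("metacharacters present:", contains_metacharacters(SAMPLE_COMMENT))
    print("unsafe:", render_comment_unsafe(SAMPLE_COMMENT))
    print("  tags parsed:", tags_present(render_comment_unsafe(SAMPLE_COMMENT)))
    print("safe:  ", render_comment_safe(SAMPLE_COMMENT))
    print("  tags parsed:", tags_present(render_comment_safe(SAMPLE_COMMENT)))
```

Encoding is preferred over stripping characters because it preserves legitimate text (a comment that mentions "a < b" still reads correctly) while guaranteeing the browser never interprets user content as markup; the encoding must be applied on the server at the point of output, regardless of any checks the browser form performed.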