CISSP · Question #1411
An organization recently suffered from a web-application attack that resulted in stolen user session cookie information. The attacker was able to obtain the information when a user's browser executed
The correct answer is A. Cross-Site Scripting (XSS). This question tests knowledge of web application attack types, specifically which attack involves injecting malicious scripts into a browser to steal session data.
Question
An organization recently suffered from a web-application attack that resulted in stolen user session cookie information. The attacker was able to obtain the information when a user's browser executed a script upon visiting a compromised website. What type of attack MOST likely occurred?
Options
- ACross-Site Scripting (XSS)
- BExtensible Markup Language (XML) external entities
- CSQL injection (SQLI)
- DCross-Site Request Forgery (CSRF)
How the community answered
(16 responses)- A88% (14)
- C6% (1)
- D6% (1)
Why each option
This question tests knowledge of web application attack types, specifically which attack involves injecting malicious scripts into a browser to steal session data.
Cross-Site Scripting (XSS) occurs when an attacker injects malicious scripts into a web page that are then executed by a victim's browser. When the script runs in the user's browser context, it can access sensitive data like session cookies and transmit them to the attacker, which precisely matches the scenario described where a user visited a compromised site and had their session cookie stolen via script execution.
XML External Entity (XXE) attacks exploit vulnerabilities in XML parsers to read server-side files or perform server-side request forgery, and do not involve injecting browser-executed scripts to steal session cookies.
SQL Injection targets back-end databases by inserting malicious SQL statements into input fields to manipulate database queries, and does not involve client-side script execution or direct session cookie theft via the browser.
Cross-Site Request Forgery (CSRF) tricks an authenticated user's browser into sending unwanted requests to a trusted site, exploiting the trust the site has in the user's browser, but does not involve executing a script to directly steal and exfiltrate session cookie data.
Concept tested: Cross-Site Scripting (XSS) attack and session hijacking
Source: https://owasp.org/www-community/attacks/xss/
Topics
Community Discussion
No community discussion yet for this question.