
CISSP Question #1411: Real Exam Question with Answer & Explanation

The correct answer is A: Cross-Site Scripting (XSS). This question tests knowledge of web application attack types, specifically which attack involves injecting malicious scripts into a browser to steal session data.

Submitted by wei.xz · Mar 5, 2026 · Domain: Software Development Security

Question

An organization recently suffered from a web-application attack that resulted in stolen user session cookie information. The attacker was able to obtain the information when a user's browser executed a script upon visiting a compromised website. What type of attack MOST likely occurred?

Options

  • A. Cross-Site Scripting (XSS)
  • B. Extensible Markup Language (XML) external entities
  • C. SQL injection (SQLi)
  • D. Cross-Site Request Forgery (CSRF)

Explanation

This question tests knowledge of web application attack types, specifically which attack involves injecting malicious scripts into a browser to steal session data.

Common mistakes.

  • B. XML External Entity (XXE) attacks exploit vulnerabilities in XML parsers to read server-side files or perform server-side request forgery, and do not involve injecting browser-executed scripts to steal session cookies.
  • C. SQL Injection targets back-end databases by inserting malicious SQL statements into input fields to manipulate database queries, and does not involve client-side script execution or direct session cookie theft via the browser.
  • D. Cross-Site Request Forgery (CSRF) tricks an authenticated user's browser into sending unwanted requests to a trusted site, exploiting the trust the site has in the user's browser, but does not involve executing a script to directly steal and exfiltrate session cookie data.

Concept tested. Cross-Site Scripting (XSS) attack and session hijacking

Reference. https://owasp.org/www-community/attacks/xss/

Topics

XSS, web application security, session hijacking, script injection
