nerdexam
(ISC)2

CISSP · Question #1411

An organization recently suffered from a web-application attack that resulted in stolen user session cookie information. The attacker was able to obtain the information when a user's browser executed

The correct answer is A. Cross-Site Scripting (XSS). This question tests knowledge of web application attack types, specifically which attack involves injecting malicious scripts into a browser to steal session data.

Submitted by wei.xz· Mar 5, 2026Software Development Security

Question

An organization recently suffered from a web-application attack that resulted in stolen user session cookie information. The attacker was able to obtain the information when a user's browser executed a script upon visiting a compromised website. What type of attack MOST likely occurred?

Options

  • ACross-Site Scripting (XSS)
  • BExtensible Markup Language (XML) external entities
  • CSQL injection (SQLI)
  • DCross-Site Request Forgery (CSRF)

How the community answered

(16 responses)
  • A
    88% (14)
  • C
    6% (1)
  • D
    6% (1)

Why each option

This question tests knowledge of web application attack types, specifically which attack involves injecting malicious scripts into a browser to steal session data.

ACross-Site Scripting (XSS)Correct

Cross-Site Scripting (XSS) occurs when an attacker injects malicious scripts into a web page that are then executed by a victim's browser. When the script runs in the user's browser context, it can access sensitive data like session cookies and transmit them to the attacker, which precisely matches the scenario described where a user visited a compromised site and had their session cookie stolen via script execution.

BExtensible Markup Language (XML) external entities

XML External Entity (XXE) attacks exploit vulnerabilities in XML parsers to read server-side files or perform server-side request forgery, and do not involve injecting browser-executed scripts to steal session cookies.

CSQL injection (SQLI)

SQL Injection targets back-end databases by inserting malicious SQL statements into input fields to manipulate database queries, and does not involve client-side script execution or direct session cookie theft via the browser.

DCross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) tricks an authenticated user's browser into sending unwanted requests to a trusted site, exploiting the trust the site has in the user's browser, but does not involve executing a script to directly steal and exfiltrate session cookie data.

Concept tested: Cross-Site Scripting (XSS) attack and session hijacking

Source: https://owasp.org/www-community/attacks/xss/

Topics

#XSS#web application security#session hijacking#script injection

Community Discussion

No community discussion yet for this question.

Full CISSP Practice