CISSP · Question #953
Which of the following methods is MOST effective in mitigating Cross-Site Scripting (XSS) vulnerabilities within HyperText Markup Language (HTML) websites?
The correct answer is D. Not returning any HTML tags to the browser client. The most effective method for mitigating Cross-Site Scripting (XSS) vulnerabilities is to prevent the browser from interpreting user-supplied input as executable HTML tags.
Question
Which of the following methods is MOST effective in mitigating Cross-Site Scripting (XSS) vulnerabilities within HyperText Markup Language (HTML) websites?
Options
- AUse antivirus and endpoint protection on the server to secure the web-based application
- BPlace the web-based system in a defined Demilitarized Zone (DMZ)
- CUse .NET framework with .aspx extension to provide a higher level of security to the web
- DNot returning any HTML tags to the browser client
How the community answered
(58 responses)- A3% (2)
- B9% (5)
- C7% (4)
- D81% (47)
Why each option
The most effective method for mitigating Cross-Site Scripting (XSS) vulnerabilities is to prevent the browser from interpreting user-supplied input as executable HTML tags.
Antivirus and endpoint protection primarily secure the server infrastructure from malware but do not prevent client-side script injection into the web application's output, which is the core mechanism of XSS.
Placing a web system in a DMZ provides network-level isolation and security but does not address application-layer vulnerabilities like XSS, which stem from improper handling of user input within the web application itself.
While frameworks like .NET offer security features, merely using them does not automatically mitigate XSS; proper implementation of output encoding/escaping within the application code is still required to prevent such vulnerabilities.
By ensuring that all user-supplied data is properly HTML-encoded or escaped before being displayed, any injected HTML tags, such as <script>, are rendered as literal text instead of executable code. This prevents the browser from executing malicious client-side scripts, effectively neutralizing XSS attacks.
Concept tested: Preventing XSS through output encoding/escaping
Source: https://owasp.org/www-community/attacks/xss/
Topics
Community Discussion
No community discussion yet for this question.