nerdexam
GIAC

GCIH · Question #717

An organization needs to protect its PHP web applications from Cross-Site Scripting attacks. Which action should they take?

The correct answer is D. Use a third party library to filter input to the application. Cross-Site Scripting attacks are prevented by filtering and sanitizing untrusted user input before it is rendered, which a dedicated third-party library handles reliably.

Web Application Attacks & Post-Exploitation

Question

An organization needs to protect its PHP web applications from Cross-Site Scripting attacks. Which action should they take?

Options

  • AConfigure the development API to use parameterized queries
  • BUse a random element when setting session cookies
  • CConfigure the application to require two-factor authentication
  • DUse a third party library to filter input to the application

How the community answered

(51 responses)
  • A
    12% (6)
  • B
    8% (4)
  • C
    2% (1)
  • D
    78% (40)

Why each option

Cross-Site Scripting attacks are prevented by filtering and sanitizing untrusted user input before it is rendered, which a dedicated third-party library handles reliably.

AConfigure the development API to use parameterized queries

Parameterized queries prevent SQL injection by separating code from data in database queries; they have no effect on XSS, which targets the browser rendering layer.

BUse a random element when setting session cookies

Adding a random element to session cookies mitigates session fixation and CSRF attacks, not script injection through unvalidated input.

CConfigure the application to require two-factor authentication

Two-factor authentication hardens account login security but does not prevent an attacker from injecting malicious scripts into application output.

DUse a third party library to filter input to the applicationCorrect

XSS vulnerabilities arise when untrusted input is reflected or stored and then rendered in a browser without sanitization. A well-maintained third-party library such as HTML Purifier for PHP enforces consistent input filtering and output encoding across the application. This directly eliminates the attack vector by stripping or escaping malicious script content before it reaches the DOM.

Concept tested: XSS prevention via input filtering and output encoding

Source: https://owasp.org/www-community/attacks/xss/

Topics

#XSS#input validation#PHP security#web defense

Community Discussion

No community discussion yet for this question.

Full GCIH Practice