GCIH · Question #800
A victim browses to a news aggregator website through a link sent to them by an attacker. The attacker then alters the page delivered to the victim's browser and includes malicious links. What flaw on
The correct answer is B. Reflected XSS. The attacker exploited a Reflected XSS vulnerability by crafting a malicious link that caused the news aggregator to reflect unsanitized content back into the victim's browser.
Question
A victim browses to a news aggregator website through a link sent to them by an attacker. The attacker then alters the page delivered to the victim's browser and includes malicious links. What flaw on the news aggregator website allowed this attack to happen?
Options
- ASQL Injection
- BReflected XSS
- CCross-Site Request Forgery
- DBuffer Overflow
How the community answered
(51 responses)- A12% (6)
- B80% (41)
- C2% (1)
- D6% (3)
Why each option
The attacker exploited a Reflected XSS vulnerability by crafting a malicious link that caused the news aggregator to reflect unsanitized content back into the victim's browser.
SQL Injection targets backend database queries to manipulate or exfiltrate stored data; it does not alter the HTML or JavaScript content delivered to a victim's browser.
Reflected XSS occurs when an attacker embeds a malicious script payload within a URL and sends it to a victim - when the victim clicks the link, the vulnerable server reflects the unsanitized input back in the HTTP response, causing the script to execute in the victim's browser. The scenario matches exactly: the attacker sent the link, the victim browsed to it, and the page content was altered with malicious inclusions before being rendered.
Cross-Site Request Forgery tricks an already-authenticated user into submitting unauthorized requests to a site, but it does not modify or inject content into pages delivered to the victim's browser.
Buffer Overflow exploits memory mismanagement in software to overwrite adjacent memory regions and is a host-level vulnerability, not a web content injection technique.
Concept tested: Reflected XSS via attacker-crafted malicious link
Source: https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks
Topics
Community Discussion
No community discussion yet for this question.