nerdexam
GIAC

GCIH · Question #800

A victim browses to a news aggregator website through a link sent to them by an attacker. The attacker then alters the page delivered to the victim's browser and includes malicious links. What flaw on

The correct answer is B. Reflected XSS. The attacker exploited a Reflected XSS vulnerability by crafting a malicious link that caused the news aggregator to reflect unsanitized content back into the victim's browser.

Web Application Attacks & Post-Exploitation

Question

A victim browses to a news aggregator website through a link sent to them by an attacker. The attacker then alters the page delivered to the victim's browser and includes malicious links. What flaw on the news aggregator website allowed this attack to happen?

Options

  • ASQL Injection
  • BReflected XSS
  • CCross-Site Request Forgery
  • DBuffer Overflow

How the community answered

(51 responses)
  • A
    12% (6)
  • B
    80% (41)
  • C
    2% (1)
  • D
    6% (3)

Why each option

The attacker exploited a Reflected XSS vulnerability by crafting a malicious link that caused the news aggregator to reflect unsanitized content back into the victim's browser.

ASQL Injection

SQL Injection targets backend database queries to manipulate or exfiltrate stored data; it does not alter the HTML or JavaScript content delivered to a victim's browser.

BReflected XSSCorrect

Reflected XSS occurs when an attacker embeds a malicious script payload within a URL and sends it to a victim - when the victim clicks the link, the vulnerable server reflects the unsanitized input back in the HTTP response, causing the script to execute in the victim's browser. The scenario matches exactly: the attacker sent the link, the victim browsed to it, and the page content was altered with malicious inclusions before being rendered.

CCross-Site Request Forgery

Cross-Site Request Forgery tricks an already-authenticated user into submitting unauthorized requests to a site, but it does not modify or inject content into pages delivered to the victim's browser.

DBuffer Overflow

Buffer Overflow exploits memory mismanagement in software to overwrite adjacent memory regions and is a host-level vulnerability, not a web content injection technique.

Concept tested: Reflected XSS via attacker-crafted malicious link

Source: https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks

Topics

#reflected XSS#cross-site scripting#browser injection#web vulnerability

Community Discussion

No community discussion yet for this question.

Full GCIH Practice