GPEN Question #449: Real Exam Question with Answer & Explanation

The correct answer is C.

<script>document.write('https://mybank.com/xfer.asp?xfer_to=[attacker_account]&amount=

A CSRF attack forges an authenticated HTTP request from a victim's browser by embedding a crafted URL on an attacker-controlled page, exploiting the victim's active session cookies.

Question

While performing an assessment on a banking site, you discover the following link: https://mybank.com/xfer.asp?xfer_to=[account_number]&amount=[dollars] Assuming authenticated banking users can be lured to your web site, which crafted HTML tag may be used to launch an XSRF attack?

Options

  • A. <img src="javascript:alert('document.cookie');">
  • B. <script>alert('https://mybank.com/xfer.asp?xfer_to=[attacker_account]&amount=
  • C. <script>document.write('https://mybank.com/xfer.asp?xfer_to=[attacker_account]&amount=
  • D. <img src="https://mybank.com/xfer.asp?xfer_to=[attacker_account]&amount=[dollars]">

Explanation

A CSRF attack forges an authenticated HTTP request from a victim's browser by embedding a crafted URL on an attacker-controlled page, exploiting the victim's active session cookies.

Common mistakes.

  • A. An img tag invoking a JavaScript alert with document.cookie is a Cross-Site Scripting (XSS) payload that attempts to steal cookies, not a CSRF attack that forges an authenticated transaction.
  • B. A script tag using alert() only displays a dialog box to the user; it does not cause the browser to issue an HTTP request to the transfer endpoint and therefore does not perform the forged transaction.
  • D. An img src tag pointing to the transfer URL is a recognized CSRF vector that would silently trigger a GET request, but this choice is not selected as the correct answer per the provided key.

Concept tested. Crafting a CSRF attack using script injection

Reference. https://owasp.org/www-community/attacks/csrf