SY0-301 · Question #492
After visiting a website, a user receives an email thanking them for a purchase which they did not request. Upon investigation the security administrator sees the following source code in a pop-up win
The correct answer is C. XSRF. The source code auto-submits a hidden form to a shopping site on page load, which is a classic Cross-Site Request Forgery (XSRF) attack that forces an authenticated user to unknowingly execute a transaction.
Question
After visiting a website, a user receives an email thanking them for a purchase which they did not request. Upon investigation the security administrator sees the following source code in a pop-up window:
<HTML> <body onload="document.getElementByID('badForm').submit()"> <form id="badForm" action="shoppingsite.company.com/purchase.php" method="post" <input name="Perform Purchase" value="Perform Purchase" /> </form></body></HTML> Which of the following has MOST likely occurred?Options
- ASQL injection
- BCookie stealing
- CXSRF
- DXSS
How the community answered
(41 responses)- A5% (2)
- B10% (4)
- C63% (26)
- D22% (9)
Why each option
The source code auto-submits a hidden form to a shopping site on page load, which is a classic Cross-Site Request Forgery (XSRF) attack that forces an authenticated user to unknowingly execute a transaction.
SQL injection targets database queries with malicious input and the code shown manipulates HTTP form submissions, not database calls.
Cookie stealing involves capturing session tokens via network sniffing or script injection and the code shown does not extract or transmit cookies.
Cross-Site Request Forgery (XSRF/CSRF) works by embedding a hidden form that automatically submits a request to a trusted site using the victim's active session credentials. The onload event triggers the form submission without user interaction, causing the shopping site to process the purchase as if the user initiated it. This exploits the trust a web application has in an authenticated user's browser session.
XSS injects malicious scripts into a web page to execute in other users' browsers, whereas this code forges a request from the victim's browser to a third-party site.
Concept tested: Cross-Site Request Forgery (CSRF/XSRF) attack mechanics
Source: https://owasp.org/www-community/attacks/csrf
Topics
Community Discussion
No community discussion yet for this question.