nerdexam
CompTIA

SY0-301 · Question #492

After visiting a website, a user receives an email thanking them for a purchase which they did not request. Upon investigation the security administrator sees the following source code in a pop-up win

The correct answer is C. XSRF. The source code auto-submits a hidden form to a shopping site on page load, which is a classic Cross-Site Request Forgery (XSRF) attack that forces an authenticated user to unknowingly execute a transaction.

Threats, vulnerabilities, and mitigations

Question

After visiting a website, a user receives an email thanking them for a purchase which they did not request. Upon investigation the security administrator sees the following source code in a pop-up window:

<HTML> <body onload="document.getElementByID('badForm').submit()"> <form id="badForm" action="shoppingsite.company.com/purchase.php" method="post" <input name="Perform Purchase" value="Perform Purchase" /> </form></body></HTML> Which of the following has MOST likely occurred?

Options

  • ASQL injection
  • BCookie stealing
  • CXSRF
  • DXSS

How the community answered

(41 responses)
  • A
    5% (2)
  • B
    10% (4)
  • C
    63% (26)
  • D
    22% (9)

Why each option

The source code auto-submits a hidden form to a shopping site on page load, which is a classic Cross-Site Request Forgery (XSRF) attack that forces an authenticated user to unknowingly execute a transaction.

ASQL injection

SQL injection targets database queries with malicious input and the code shown manipulates HTTP form submissions, not database calls.

BCookie stealing

Cookie stealing involves capturing session tokens via network sniffing or script injection and the code shown does not extract or transmit cookies.

CXSRFCorrect

Cross-Site Request Forgery (XSRF/CSRF) works by embedding a hidden form that automatically submits a request to a trusted site using the victim's active session credentials. The onload event triggers the form submission without user interaction, causing the shopping site to process the purchase as if the user initiated it. This exploits the trust a web application has in an authenticated user's browser session.

DXSS

XSS injects malicious scripts into a web page to execute in other users' browsers, whereas this code forges a request from the victim's browser to a third-party site.

Concept tested: Cross-Site Request Forgery (CSRF/XSRF) attack mechanics

Source: https://owasp.org/www-community/attacks/csrf

Topics

#CSRF#cross-site request forgery#web application attack#malicious form submission

Community Discussion

No community discussion yet for this question.

Full SY0-301 Practice