CompTIA Exam Questions

The BEST methods for a web developer to prevent the website application code from being vulnerable to
cross-site request forgery (XSRF) are to: (Select TWO).

A.
Permit redirection to Internet-facing web URLs.

B.
Ensure all HTML tags are enclosed in angle brackets, e.g., "<" and ">".

C.
Validate and filter input on the server side and client side.

D.
Use a web proxy to pass website requests between the user and the application.

E.
Restrict and sanitize use of special characters in input and URLs.

Explanation:
XSRF, or cross-site request forgery, applies to web applications and is an attack that exploits the web
application's trust of a user who is known, or is supposed, to have been authenticated. This is often
accomplished without the user's knowledge.
XSRF can be prevented by adding a random string (called a nonce) to each URL request and session
establishment, and by checking the client HTTP request Referer header for spoofing.
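The two defences the explanation names, a per-session nonce checked on every state-changing request and a check of the Origin/Referer header, can be shown together in a few lines. The following is an added illustration, not code from the exam material or from any particular framework; the host name shop.example, the dictionary-shaped session, headers and form, and the function names are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed: the host the application is served from. Any request that
# claims to come from somewhere else is treated as cross-site.
SITE_HOST = "shop.example"


def issue_csrf_token(session: dict) -> str:
    """Create a fresh, unguessable nonce and store it in the server-side session.

    The same value is embedded in forms/URLs as a hidden field so that a page
    on another origin, which cannot read it, cannot forge a valid request.
    """
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    session["csrf_token"] = token
    return token


def origin_is_trusted(headers: dict) -> bool:
    """Check the Origin header (preferred) or, failing that, the Referer.

    A missing header fails closed: browsers may strip Referer for privacy,
    but a state-changing request with neither header cannot be attributed
    to our own pages, so it is rejected rather than assumed safe.
    """
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return False
    parts = urlsplit(value)
    return parts.scheme == "https" and parts.hostname == SITE_HOST


def is_request_authentic(session: dict, headers: dict, form: dict) -> bool:
    """Decide whether a state-changing request was issued by our own site.

    Both checks must pass: the submitted nonce must equal the one bound to
    the session (compared in constant time), and the request must carry an
    Origin/Referer that points at this site.
    """
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    if not hmac.compare_digest(expected, supplied):
        return False
    return origin_is_trusted(headers)


if __name__ == "__main__":
    # Constructed walk-through: a legitimate form post, then a forged one.
    session = {}
    token = issue_csrf_token(session)
    good = is_request_authentic(
        session, {"Origin": "https://shop.example"}, {"csrf_token": token})
    forged = is_request_authentic(
        session, {"Referer": "https://attacker.example/page"}, {"csrf_token": "guess"})
    print("legitimate request accepted:", good)   # True
    print("forged request accepted:", forged)     # False
```

The nonce is what actually stops the forgery; the Origin/Referer check is a second, independent layer that also catches a token that leaked through some other channel. Each token is tied to one session, so a value captured from one user cannot be replayed for another.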
Incorrect Answers:
A: Permitting redirection to Internet-facing web URLs is to do with redirecting data traffic. It is not used to
prevent XSS attacks.
B: Ensuring all HTML tags are enclosed in angle brackets is not used to prevent XSS attacks. The use of
angle brackets is standard practice in HTML code. Without angle brackets, the HTML code would not
work.
D: Web proxies tend to be used for caching web page content and/or restricting access to websites to aid
compliance with company Internet usage policies. Web proxies are not used to prevent XSS attacks.

http://en.wikipedia.org/wiki/Cross-site_scripting
http://en.wikipedia.org/wiki/Cross-site_scripting#Reducing_the_threat