PrepAway - Latest Free Exam Questions & Answers

Which of the following types of cross-site scripting attacks does Mark intend to perform?

Mark, a malicious hacker, submits Cross-Site Scripting (XSS) exploit code to the Website of the Internet forum for online discussion. When a user visits the infected Web page, the code gets automatically executed and Mark can easily perform acts such as account hijacking, history theft, etc. Which of the following types of cross-site scripting attacks does Mark intend to perform?

A.
Non-persistent

B.
Persistent

C.
Document Object Model (DOM)

D.
SAX

Explanation:
Mark intends to perform a persistent type of cross-site scripting attack. A persistent type of Cross-Site Scripting (XSS) exists when data provided to a Web application by a user is first stored persistently on the server (in a database, or other location), and later displayed to users in a Web page without being encoded using HTML entities. An example of this is online message boards or Internet forums where users are allowed to post HTML-formatted messages for other users to read.

Answer option A is incorrect. A non-persistent type of Cross-Site Scripting (XSS) occurs when data provided by a Web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page. One of the most common examples of this is a search engine.

Answer option C is incorrect. With a DOM-based cross-site scripting attack, the problem exists within the page's own client-side script: a piece of JavaScript reads a URL request parameter and uses this information to write some HTML into its own page. If this information is not encoded using HTML entities, a Cross-Site Scripting (XSS) hole will likely be present, because the written data will be re-interpreted by the browser as HTML, which could include additional client-side scripts.
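The following is an added example, not code from the exam page or from any real forum software. It models the two server-side variants the explanation contrasts: a persistent (stored) flaw, where one user's post is saved and later rendered to every other visitor, and a non-persistent (reflected) flaw, where a search query is echoed straight back into the requesting user's page. Each vulnerable rendering path is shown beside its hardened form, which HTML-entity encodes user-controlled data at output with `html.escape`. The `MessageBoard` class, the function names, and the `<script>alert('xss')</script>` test string are constructed for this illustration. DOM-based XSS is not modelled here because it lives entirely in browser JavaScript, not in server-side rendering.

```python
"""
Toy message board contrasting persistent (stored) and non-persistent
(reflected) XSS, each beside the HTML-entity-encoded rendering that closes it.
Constructed example; not taken from any real forum software.
"""
import html
import re

# Constructed test payload: the classic harmless probe string. Any page that
# delivers it un-encoded to a browser would run the script.
PAYLOAD = "<script>alert('xss')</script>"

# Crude detector used only to show whether an active <script> tag survived
# rendering. Real scanners do far more; this is enough for the demonstration.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_active_script(rendered_html: str) -> bool:
    """True if the rendered page still carries a raw <script> opening tag."""
    return SCRIPT_TAG.search(rendered_html) is not None


class MessageBoard:
    """In-memory forum. Posts are stored server-side and rendered to every
    later visitor, which is exactly the persistent-XSS path: the attacker
    submits once, and the stored markup reaches everyone who views the thread."""

    def __init__(self) -> None:
        self.posts: list[tuple[str, str]] = []

    def submit(self, author: str, body: str) -> None:
        # Storage itself is fine; the flaw (or fix) is decided at output time.
        self.posts.append((author, body))

    def render_unsafe(self) -> str:
        # VULNERABLE: stored user input is concatenated straight into HTML.
        return "".join(
            f"<div class=\"post\"><b>{author}</b>: {body}</div>"
            for author, body in self.posts
        )

    def render_safe(self) -> str:
        # HARDENED: every user-controlled value is HTML-entity encoded, so
        # '<' becomes '&lt;', '>' becomes '&gt;', quotes become '&quot;'/'&#x27;'.
        return "".join(
            f"<div class=\"post\"><b>{html.escape(author)}</b>: {html.escape(body)}</div>"
            for author, body in self.posts
        )


def search_page_unsafe(query: str) -> str:
    # VULNERABLE (non-persistent): the query is echoed immediately into the
    # page returned to the same user who sent it; nothing is stored.
    return f"<h1>Results for {query}</h1>"


def search_page_safe(query: str) -> str:
    # HARDENED: same page, with the reflected value entity-encoded.
    return f"<h1>Results for {html.escape(query)}</h1>"


def demo() -> dict[str, bool]:
    """Run both scenarios and report whether the payload survives in each."""
    board = MessageBoard()
    board.submit("mark", PAYLOAD)            # attacker posts once ...
    other_visitor_unsafe = board.render_unsafe()   # ... every later viewer gets it
    other_visitor_safe = board.render_safe()
    return {
        "stored_unsafe_executes": contains_active_script(other_visitor_unsafe),
        "stored_safe_executes": contains_active_script(other_visitor_safe),
        "reflected_unsafe_executes": contains_active_script(search_page_unsafe(PAYLOAD)),
        "reflected_safe_executes": contains_active_script(search_page_safe(PAYLOAD)),
    }


if __name__ == "__main__":
    for scenario, executes in demo().items():
        print(f"{scenario}: {'script reaches browser' if executes else 'neutralised'}")
```

The key point the example makes concrete is that the persistent variant is the more dangerous of the two: the stored post is rendered for a different visitor than the one who submitted it, whereas the reflected search result only ever goes back to the sender of that one request. Output encoding at render time, not input filtering at submit time, is what closes both paths.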

Answer option D is incorrect. SAX is not a type of cross-site scripting attack. SAX is a parsing mechanism for XML.
