PrepAway - Latest Free Exam Questions & Answers

Which of the following has MOST likely occurred?

After visiting a website, a user receives an email thanking them for a purchase which they did not
request. Upon investigation the security administrator sees the following source code in a pop-up
window:
<HTML>
<body onload="document.getElementById('badForm').submit()">
<form id="badForm" action="shoppingsite.company.com/purchase.php" method="post">
<input name="Perform Purchase" value="Perform Purchase" />
</form></body></HTML>
Which of the following has MOST likely occurred?

A. SQL injection

B. Cookie stealing

C. XSRF

D. XSS

Explanation:

One Comment on “Which of the following has MOST likely occurred?”

  1. meac says:

    The language in here is clearly HTML. This eliminates SQL Injection.
    There is no cookie monster in here, so no one is stealing any cookies.
    XSS – Cross-site scripting is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
    Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.

    Explanation:
    XSRF or cross-site request forgery applies to web applications and is an attack that exploits the web application’s trust of a user who is known or is supposed to have been authenticated.
    This is often accomplished without the user’s knowledge.
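
The server-side check that stops the auto-submitted form in the question, as an added example that is not part of the original question or comment. It assumes a session-bound token in a hidden field named csrf_token and an HTTPS origin for the shop; the function names, session id and other-site origin are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumptions for this example: a per-deployment secret and the shop's HTTPS origin.
SERVER_KEY = secrets.token_bytes(32)
TRUSTED_ORIGIN = "https://shoppingsite.company.com"


def issue_csrf_token(session_id: str) -> str:
    """Token the shop embeds as a hidden field in its own purchase form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_purchase(method, headers, session_id, form):
    """Return (status, reason) for a request to the purchase endpoint."""
    if method != "POST":
        return 405, "state-changing action requires POST"
    if session_id is None:
        return 401, "not authenticated"
    # Modern browsers send Origin on cross-site POSTs; a foreign value means
    # the form was submitted from another site.
    origin = headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403, "cross-site origin"
    # A page on another origin cannot read the user's token, so a forged form
    # cannot include it even though the session cookie is sent automatically.
    supplied = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, "purchase accepted"


# Constructed sample requests.
SESSION = "sess-4f2a"  # the logged-in user's session id
FORGED_FORM = {"Perform Purchase": "Perform Purchase"}  # fields from the pop-up
OWN_FORM = dict(FORGED_FORM, csrf_token=issue_csrf_token(SESSION))

if __name__ == "__main__":
    print(handle_purchase("POST", {"Origin": "https://other-site.example"}, SESSION, FORGED_FORM))
    print(handle_purchase("POST", {}, SESSION, FORGED_FORM))
    print(handle_purchase("POST", {"Origin": TRUSTED_ORIGIN}, SESSION, OWN_FORM))
```

The second request shows why the token check matters on its own: when no Origin header is present, the forged form is still rejected because it carries no valid token.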



