During a penetration test, a tester finds that the web

application being analyzed is vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this vulnerability?

A. The web application does not have the secure flag set.

B. The session cookies do not have the HttpOnly

flag set.

C. The victim user should not have an endpoint security solution.

D. The victims browser must have ActiveX technology enabled.