PrepAway - Latest Free Exam Questions & Answers

This is the basis for the following type of attack?

Your organization has a website with a guest book feature, where visitors to your website can enter their names and comments about your website. You notice that each time the guest book web page loads, a message box appears with the message "You have been Crossed", followed by redirection to a different website. Analysis reveals that no input validation or output encoding is being performed in the web application. This is the basis for the following type of attack?


A. Denial of Service

B. Cross-site Scripting (XSS)

C. Malicious File Execution

D. Injection Flaws

Explanation:
B: A Web site that allows users to input information for later retrieval by other users, such as a guestbook comment page or blog, without proper input validation, may fail to detect when such input is in the form of active scripting. Without appropriate output encoding, the script can be actively read and executed by the browser, causing denial of service (Web site defacement) or other serious impacts. This is the basis of cross-site scripting attacks. Page 177.
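The missing output encoding described in the explanation, shown as an added example that is not part of the original question or its source text: a guest book renderer with and without encoding, plus a simple input check. The function names and the sample entries are hypothetical and constructed for illustration.

```javascript
// Added example: guest book rendering without and with output encoding.
// All function names and the sample entries are hypothetical/constructed.

// Encode the characters that are significant in HTML text and quoted
// attribute values. '&' is replaced first so that the entities produced
// by the later replacements are not encoded a second time.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: stored visitor input is concatenated into the page as-is,
// so any markup in it is parsed by every browser that loads the page.
function renderUnsafe(entries) {
  return entries.map((e) => `<li><b>${e.name}</b>: ${e.comment}</li>`).join("\n");
}

// Hardened: every stored value is encoded at the point of output,
// so the browser displays it as text instead of parsing it.
function renderEncoded(entries) {
  return entries
    .map((e) => `<li><b>${escapeHtml(e.name)}</b>: ${escapeHtml(e.comment)}</li>`)
    .join("\n");
}

// Input validation as a second layer: allow-list the name field and bound
// the comment length. Free-text comments still rely on output encoding.
function validateEntry(e) {
  const nameOk = typeof e.name === "string" && /^[\p{L}\p{N} .'-]{1,50}$/u.test(e.name);
  const commentOk =
    typeof e.comment === "string" && e.comment.length > 0 && e.comment.length <= 500;
  return nameOk && commentOk;
}

// Constructed sample data: one ordinary entry, one carrying active script.
const entries = [
  { name: "Alice", comment: "Nice site & great photos" },
  { name: "visitor", comment: '<script>alert("You have been Crossed")</script>' },
];

console.log(renderUnsafe(entries));
console.log(renderEncoded(entries));
```

This encoder covers HTML body text and quoted attribute values only; values placed inside script blocks, URLs or CSS need the encoding appropriate to that context.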

One Comment on “This is the basis for the following type of attack?”

  1. joe says:

    Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner.



