Your organization has a website with a guest book feature, where visitors to your web site can input their names and comments about your website. You notice that each time the guest book web page loads, a message box is displayed with the message "You have been Crossed", followed by redirection to a different website. Analysis reveals that no input validation or output encoding is being performed in the web application. This is the basis for which of the following types of attack?
A.
Denial of Service
B.
Cross-site Scripting (XSS)
C.
Malicious File Execution
D.
Injection Flaws
Explanation:
B: A Web site that allows users to input information for later retrieval by other users, such as a guestbook comment page or blog, without proper input validation, may fail to detect when such input is in the form of active script. Without appropriate output encoding, the stored script is sent back to every visitor's browser as part of the page and executed there, causing Web site defacement, denial of service, or other serious impacts (here, a pop-up and a redirect to an attacker-chosen site). This is the basis of stored (persistent) cross-site scripting attacks. Page 177.
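Worked example (added here; it is not part of the original question or the text it cites): a minimal guest-book renderer in Python showing the vulnerable behaviour the question describes beside the hardened version. The entries, the `evil.example` redirect target and the helper names are constructed for illustration. Output encoding with `html.escape` is the control that actually stops the stored script from executing; the name allowlist is shown only as defence in depth, since a comment field must be allowed to contain punctuation.

```python
# Added example, not from the exam text: stored XSS in a guest book,
# with and without output encoding at render time.
import html
import re

# Constructed guest-book entries; the second one carries the payload
# described in the question (message box, then redirect).
GUESTBOOK_ENTRIES = [
    {"name": "Alice", "comment": "Nice site!"},
    {"name": "attacker",
     "comment": "<script>alert('You have been Crossed');"
                "window.location='https://evil.example/';</script>"},
]

# Defence in depth for the name field only: letters, digits, space and a few
# punctuation marks. Hypothetical policy; a comment field cannot be this strict.
NAME_ALLOWLIST = re.compile(r"^[\w .'-]{1,40}$")


def validate_name(name):
    """Input validation: True only if the name matches the allowlist."""
    return NAME_ALLOWLIST.match(name) is not None


def render_entry_vulnerable(entry):
    """Interpolates user input straight into HTML: this is stored XSS."""
    return f"<li><b>{entry['name']}</b>: {entry['comment']}</li>"


def render_entry_hardened(entry):
    """HTML-encodes user input at render time; the browser shows it as text."""
    return (f"<li><b>{html.escape(entry['name'], quote=True)}</b>: "
            f"{html.escape(entry['comment'], quote=True)}</li>")


def render_page(entries, renderer):
    """Builds the whole guest-book page using the given per-entry renderer."""
    body = "\n".join(renderer(e) for e in entries)
    return f"<html><body><h1>Guest book</h1><ul>\n{body}\n</ul></body></html>"


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(page_html):
    """Crude check (regex, not an HTML parser): did a real <script> tag
    survive into the page? The encoded form &lt;script&gt; does not match."""
    return SCRIPT_TAG.search(page_html) is not None


if __name__ == "__main__":
    vulnerable = render_page(GUESTBOOK_ENTRIES, render_entry_vulnerable)
    hardened = render_page(GUESTBOOK_ENTRIES, render_entry_hardened)
    print("vulnerable page executes script:", contains_live_script(vulnerable))
    print("hardened page executes script:  ", contains_live_script(hardened))
    print(hardened)
```

Running the block prints `True` for the vulnerable page and `False` for the hardened one; in the hardened output the payload appears literally as `&lt;script&gt;alert(&#x27;You have been Crossed&#x27;)...`, which every visitor's browser renders as text rather than executing.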