PrepAway - Latest Free Exam Questions & Answers

What type of XSS vulnerability occurs when a victim is tricked into opening a URL programmed with a rogue script?

Cross-site scripting (XSS) is an application security vulnerability usually found in Web applications. What type of XSS vulnerability occurs when a victim is tricked into opening a URL programmed with a rogue script to steal sensitive information?


A. Persistent XSS vulnerability

B. Nonpersistent XSS vulnerability

C. Second-order vulnerability

D. DOM-based vulnerability

Explanation:

B: XSS attacks enable an attacker to inject malicious code into vulnerable Web pages. When an unsuspecting user visits the infected page, the malicious code executes in the victim's browser and may lead to stolen cookies, hijacked sessions, malware execution, or bypassed access control, or may aid in exploiting browser vulnerabilities. There are three different XSS vulnerabilities: persistent, nonpersistent, and DOM-based. A nonpersistent vulnerability (also called a reflected vulnerability) occurs when an attacker tricks the victim into opening a URL programmed with a rogue script to steal the victim's sensitive information, such as a cookie or session ID. The principle behind this attack lies in exploiting the lack of proper input or output validation on dynamic Web sites. An XSS attack such as this can potentially cause damage on a huge scale: the stolen cookies can lead to compromised Web mail systems, flooded blogs, and disclosed bank accounts. Most phishing attacks are caused by XSS vulnerabilities.

A is incorrect because a persistent vulnerability targets Web sites that allow users to input data that is stored in a database or similar location, such as a forum or message board. The code for this type of attack is rendered automatically, without the need to lure a user to a third-party Web site. The best way to overcome XSS vulnerabilities is through secure programming practices: Web application developers must ensure that every user input is filtered, and only a limited set of known and secure characters should be allowed in user input.

C is incorrect because a second-order vulnerability is another name for a persistent XSS vulnerability, which targets Web sites that allow users to input data that is stored in a database.

D is incorrect because in a DOM-based XSS vulnerability the attacker uses the Document Object Model (DOM) environment to modify the original client-side JavaScript, which causes the victim's browser to execute the resulting abusive JavaScript code. Thus cross-site attacks can be used to exploit vulnerabilities in the victim's Web browser. Once the system is compromised, the attacker may penetrate further into other systems on the network or execute scripts that spread through the internal network. On the client's side, the most effective way to prevent XSS attacks is to disable scripting language support in the browser; if this is not feasible, content-filtering proxy servers may be used.
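The reflected (nonpersistent) case from the explanation, as an added example that is not part of the original page or its source material: a handler that echoes the URL's query parameter into HTML verbatim beside one that entity-encodes it at the point of output, plus a small check a defender can run over the rendered markup. The host shop.example, the parameter name q, and all function names are assumptions.

```javascript
// Added example, not from the original page: the nonpersistent (reflected) case.
// The untrusted value arrives only in the URL the victim opens; nothing is stored
// server-side. The parameter name "q" and the host are assumptions.

// Pull the reflected parameter out of the visited URL, as the server would.
function queryFromUrl(url) {
  return new URL(url).searchParams.get('q') || '';
}

// Vulnerable: the parameter is copied into the page verbatim, so markup in the
// URL becomes markup in the response the browser executes.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Output encoding: characters that open or close HTML tokens become entities,
// so the browser renders the value as text instead of parsing it as markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: the same page, with the value encoded where it enters the HTML.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Defender-side check over rendered output: did a <script> element or an
// inline on*= event handler survive into the markup being sent back?
function containsActiveHtml(html) {
  return /<script\b|\son\w+\s*=/i.test(html);
}

// Constructed sample URL carrying a harmless probe marker in its query string.
const sampleUrl =
  'https://shop.example/search?q=' + encodeURIComponent('<script>alert(1)</script>');

const q = queryFromUrl(sampleUrl);
console.log('vulnerable:', renderSearchVulnerable(q), containsActiveHtml(renderSearchVulnerable(q)));
console.log('hardened:  ', renderSearchSafe(q), containsActiveHtml(renderSearchSafe(q)));
```

Encoding on output is the fix the explanation's "input or output validation" points at; an allow-list filter on input is a useful second layer but cannot know which output context the value will later land in.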

One Comment on "What type of XSS vulnerability occurs when a victim is tricked into opening a URL programmed with a rogue script?"

  1. joe says:

    There are three different XSS vulnerabilities:
    – persistent,
    – nonpersistent,
    – and DOM-based.

    Nonpersistent vulnerability: Such as a cookie or session ID.

    Persistent vulnerability: Targeted at Web sites that allow users to input data.

    DOM-based XSS vulnerability: Targets modifying the original client-side JavaScript.
