1_3_2 Section 1 – Attacks, Threats, and Vulnerabilities - 1.3 – Application Attacks - Cross-site Scripting

Questions and Answers

What is cross-site scripting often abbreviated as?

XST

CSS

XSS (correct)

XTS

Why is cross-site scripting referred to as 'cross-site'?

It allows websites to share user input fields

It enables websites to communicate with each other directly

Due to the sharing of information between different websites (correct)

Because it involves sharing style information across websites

What is a major concern with cross-site scripting for web-based applications?

Displaying incorrect style sheets

Slow website performance

Excessive browser caching issues

Information leakage to attackers (correct)

Which scripting language is commonly exploited in cross-site scripting attacks?

JavaScript

What distinguishes a non-persistent cross-site scripting attack?

It is also known as a reflected attack

Why is preventing cross-site scripting important for developers of web-based applications?

To safeguard user data and prevent potential exploits

What kind of link does the attacker need the victim to click in a reflective cross-site scripting attack?

A specially-crafted link with malicious scripts embedded within

How does an attacker encourage the victim to click the malicious link in a reflective cross-site scripting attack?

By using social engineering tactics

What information can an attacker gather from a victim's machine in a reflective cross-site scripting attack?

User credentials

What issue did the individual face with the login token and session ID?

The token never expired

What is the purpose of embedding malicious scripts in a reflected cross-site scripting attack?

To steal session IDs and personal information

How could an attacker gain access to a user's account details on the Subaru website?

By gaining access to the authentication token

How does a stored cross-site scripting attack differ from a reflective one?

It affects anyone visiting the infected page

In a stored cross-site scripting attack, where is the malicious script typically embedded?

Within messages or forum posts on websites

What vulnerability did the Subaru website have in one of its input fields?

Cross-site scripting vulnerability

What happens when someone interacts with a page infected by a stored cross-site scripting attack?

They unknowingly run the malicious script on their local machine

Why does the text advise against clicking links in emails?

To prevent malware from being downloaded

How did Aaron Guzman discover a vulnerability on the Subaru website in June 2017?

By accident while browsing the website

What is suggested as a practical alternative to disabling JavaScript entirely?

Installing a browser extension or security tool for JavaScript management

For developers, what practice is recommended to prevent cross-site scripting vulnerabilities on their websites?

Validating all fields on the website

What information was given to Aaron Guzman when he logged into the Subaru website?

Session information and a token

What is the potential consequence if an attacker gains access to session ID information?

Ability to authenticate as the victim on websites without credentials

What is cross-site scripting commonly abbreviated as?

XSS

Why is it important for developers to prevent cross-site scripting vulnerabilities in web-based applications?

To prevent attackers from gathering user information

What type of vulnerability is a non-persistent or reflected cross-site scripting attack?

Persistent cross-site scripting

Which scripting language is commonly exploited in cross-site scripting attacks?

JavaScript

Where was the original association made that led to the naming of cross-site scripting?

In browser vulnerabilities

What makes JavaScript an important tool for both legitimate and malicious purposes in web browsing?

Its potential for automation and added functionality

What was the consequence of the login token never expiring for the user?

Automatic authentication without re-entering credentials

What risk did the user face due to the unexpiring authentication token?

Potential unauthorized access to account details

How could an attacker gain access to the victim's car online capabilities?

Add their email address to the victim's car through a security vulnerability

Why does the text recommend against clicking links in emails?

To avoid hidden malicious information in the links

What is suggested as a more practical alternative to disabling JavaScript entirely?

Using browser extensions or security tools to manage JavaScript usage

What is recommended for developers to prevent cross-site scripting vulnerabilities on their websites?

Validating all fields on a website

What is the main method used by an attacker to encourage a victim to click and trigger a reflective cross-site scripting attack?

Sending an email with a specially-crafted link

In a stored cross-site scripting attack, where is the malicious script typically embedded?

Within a post or message on a website

What type of information is usually obtained by an attacker in a reflective cross-site scripting attack?

Session IDs and user credentials

Why did the text mention that attackers often don't display alerts on the victim's workstation in cross-site scripting attacks?

To ensure the victim interacts with the alert

What distinguishes a stored cross-site scripting attack from its reflective counterpart?

Stored attacks impact all visitors of a webpage

How can a stored cross-site scripting attack quickly propagate across social media platforms?

By embedding malicious scripts in shared posts or messages

What type of field in a web application is often exploited in cross-site scripting attacks?

Text input fields like search bars or forum posts

What could an attacker potentially gain access to if they successfully exploit a reflective cross-site scripting attack?

Session ID information and user credentials