DOM-Based Vulnerabilities Quiz

Questions and Answers

______ is a web browser's representation of the elements on a page.

The DOM

What is the DOM?

• A security feature
• A web browser's representation of the elements on a page (correct)
• A type of vulnerability
• A programming language

What is the DOM?

• A programming language
• A social media platform.
• A type of computer virus.
• A web browser's representation of the elements on a page (correct)

What can insecure processing of DOM data lead to?

Vulnerabilities (A)

What can insecure processing of DOM data lead to?

Vulnerabilities. (B)

JavaScript that handles data insecurely can enable various ______.

attacks

DOM-based vulnerabilities arise when a website passes ______-controllable data from a source to a sink, which then handles the data in an unsafe way.

attacker

What type of attacks can insecurely handled data enable?

Cyber attacks. (A)

What kind of attacks can JavaScript that handles data insecurely enable?

Cross-site scripting attacks (A)

What are DOM-based vulnerabilities?

Vulnerabilities that arise from client-side code (C)

What is taint flow?

The transfer of attacker-controllable data from a source to a sink. (B)

Taint flow is the transfer of ______-controllable data from a source to a sink.

attacker

What is taint flow?

The transfer of attacker-controllable data from a source to a sink (C)

What are common sources of taint-flow vulnerabilities?

The URL and user input. (D)

Common sources of taint-flow vulnerabilities include the ______ and user input.

URL

What are common sinks that can lead to DOM-based vulnerabilities?

eval(), innerHTML, and location. (C)

Common sinks that can lead to DOM-based vulnerabilities include eval(), innerHTML, and ______.

location

What are common sources of taint-flow vulnerabilities?

The URL and user input (A)

The most effective way to avoid DOM-based vulnerabilities is to avoid allowing data from any ______ source to dynamically alter the value that is transmitted to any sink.

untrusted

What are common sinks that can lead to DOM-based vulnerabilities?

eval(), innerHTML, and location (C)

What is the most effective way to avoid DOM-based vulnerabilities?

Implementing defenses within the client-side code (D)

Flashcards are hidden until you start studying

Study Notes

• The DOM is a web browser's representation of the elements on a page.
• Insecure processing of DOM data can introduce vulnerabilities.
• JavaScript that handles data insecurely can enable various attacks.
• DOM-based vulnerabilities arise when a website passes attacker-controllable data from a source to a sink, which then handles the data in an unsafe way.
• Taint flow is the transfer of attacker-controllable data from a source to a sink.
• Common sources of taint-flow vulnerabilities include the URL and user input.
• Common sinks that can lead to DOM-based vulnerabilities include eval(), innerHTML, and location.
• The most effective way to avoid DOM-based vulnerabilities is to avoid allowing data from any untrusted source to dynamically alter the value that is transmitted to any sink.
• Defenses can be implemented within the client-side code, such as validating data on a whitelist basis or sanitizing/encoding data.
• DOM clobbering is an advanced technique in which HTML is injected into a page to manipulate the DOM and ultimately change the behavior of JavaScript on the website.