XSS Security Threats and Impact

Questions and Answers

What is the result of an attacker executing malicious scripts in the victim's browser?

• Defacing web sites
• User sessions hijack and defacing web sites
• Redirecting the user to malicious sites
• All of the above (correct)

What is the primary condition that leads to Cross-Site Scripting (XSS)?

• Escaping special characters in the DOM
• Validating user input data
• Storing user input data on the target server
• Sending untrusted data to the client without validation (correct)

What type of XSS occurs when user input is stored on the target server?

• Reflected XSS
• Persistent XSS
• Stored XSS (correct)
• DOM Based XSS

What is the sink in DOM Based XSS?

The DOM (C)

What should be done to prevent XSS attacks?

Validating user input data and escaping special characters (B)

What happens in Reflected XSS?

User input is immediately returned by a web application (C)

What is the type of attack being executed in the scenario described?

Cross-site Scripting (XSS) attack (D)

What is the username and password used to login in the scenario?

username: Tom, password: tom (B)

What is the purpose of robust validation mechanisms in preventing XSS attacks?

To sanitize user input (B)

What should developers ensure when accepting user input?

That the input is validated against a whitelist (D)

What is the impact of a successful XSS attack?

Much more than just displaying a message box can be performed (C)

What should be escaped based on the HTML context?

All untrusted data (D)