Cross-Site Scripting (XSS) Attacks

B.

Cross-site scripting (XSS) is an attack where a malicious actor is able to send untrusted data to a user's browser without going through any validation or sanitization processes, or where the code is not properly escaped from processing by the browser.

The code is then executed on the user's browser with the user's own access and permissions, allowing an attacker to redirect their web traffic, steal data from their session, or potentially access information on the user's own computer that their browser has the ability to access.

The correct answer is B. Cross-site scripting (XSS).

Cross-site scripting (XSS) is a type of security vulnerability in web applications where an attacker injects malicious code into a web page viewed by other users. The injected code can execute in the victim's browser with the victim's privileges and access, allowing the attacker to steal sensitive data, perform unauthorized actions, and take over user accounts.

The attacker can inject the malicious code in different ways, including:

• Reflected XSS: The attacker sends a specially crafted link to the victim, and when the victim clicks it, the browser sends a request to the web application that includes the malicious code. The web application reflects the code back to the victim's browser, which executes it.
• Stored XSS: The attacker injects the malicious code directly into the web application, such as in a comment field or a message board. When other users view the infected page, the code executes in their browsers.
• DOM-based XSS: The attacker exploits a vulnerability in the client-side script code of a web application to inject the malicious code into the Document Object Model (DOM) of the page, causing it to execute in the victim's browser.

To prevent XSS attacks, web developers must properly validate and sanitize all user input, including form data, query parameters, and HTTP headers. They should also use web application firewalls (WAFs) and browser security mechanisms, such as Content Security Policy (CSP) and HTTP-only cookies, to limit the impact of successful attacks.

The other answer options are also types of web application vulnerabilities:

• Missing function level access control: This vulnerability occurs when the web application fails to properly restrict user access to certain functions or resources based on their roles or permissions. Attackers can exploit this weakness to perform unauthorized actions, such as accessing sensitive data or executing arbitrary code.
• Cross-site request forgery (CSRF): This vulnerability involves tricking a victim into performing unintended actions on a web application that they are authenticated to. The attacker sends a specially crafted request to the web application that includes the victim's authentication credentials, causing the application to execute the action on behalf of the victim.
• Injection: This vulnerability involves inserting malicious code or commands into a web application input field, such as a login form or a search box, with the goal of manipulating or accessing the underlying database or server. Examples include SQL injection and command injection.