Which of the following threat types involves leveraging a user's browser to send untrusted data to be executed with legitimate access via the user's valid credentials?
A. Injection
B. Missing function-level access control
C. Cross-site scripting
D. Cross-site request forgery
Explanation - Cross-site scripting (XSS) is an attack where a malicious actor is able to send untrusted data to a user's browser without it going through any validation or sanitization process, or where the data is not properly escaped before the browser processes it.
The code is then executed on the user's browser with their own access and permissions, allowing the attacker to redirect the user's web traffic, steal data from their session, or potentially access information on the user's own computer that their browser has the ability to access.
Missing function-level access control exists where an application checks authorization only during the initial login and does not validate it again on each subsequent function call.
An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries.
Cross-site request forgery occurs when an attacker forces an authenticated user to send forged requests to an application, which are processed under that user's own access and credentials.
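The four threat types in the explanation above, as an added example that is not part of the original page: a minimal Python "application" that shows, for each category, the weak form beside the hardened one. The XSS fix is output encoding for the HTML context, the CSRF fix is a per-session token that a forged cross-site request cannot supply, the access-control fix is a role check on every privileged call, and the injection fix is a bound query parameter. The session store, the sample rows, the function names and the test strings are all constructed for this example.

```python
import html
import hmac
import secrets
import sqlite3

# Constructed state for this example (not from the original page): one
# logged-in session with a per-session anti-CSRF token.
SESSIONS = {
    "sess-123": {"user": "alice", "role": "user", "csrf": secrets.token_hex(16)},
}


# --- Cross-site scripting: untrusted data reaching the browser unescaped ---

def render_profile_unsafe(display_name: str) -> str:
    """Vulnerable: user input is interpolated straight into HTML, so a value
    containing markup is interpreted by the browser as active content."""
    return f"<h1>Welcome, {display_name}</h1>"


def render_profile_safe(display_name: str) -> str:
    """Hardened: HTML-encode the value for the text context it lands in."""
    return f"<h1>Welcome, {html.escape(display_name, quote=True)}</h1>"


# --- Cross-site request forgery: forged request riding on a valid session ---

def handle_transfer(session_id: str, form: dict) -> str:
    """State-changing action. A forged cross-site request carries the
    victim's session cookie but cannot read the per-session token, so the
    token check fails for it while the legitimate form succeeds."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "401 not logged in"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return "403 csrf token mismatch"
    return f"200 transferred {form['amount']} to {form['to']}"


# --- Missing function-level access control: authorize on every call ---

def delete_user(session_id: str, target: str) -> str:
    """Privileged action: the role check runs here, on each invocation, not
    only when the user logged in."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "401 not logged in"
    if session["role"] != "admin":
        return "403 forbidden"
    return f"200 deleted {target}"


# --- Injection: input interpreted as part of a query ---

def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_email_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the input becomes part of the SQL text, so quote
    characters in it change the query's structure."""
    rows = conn.execute(f"SELECT email FROM users WHERE name = '{name}'")
    return [r[0] for r in rows]


def find_email_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the input is bound as a parameter and can only ever be
    compared as a value, never parsed as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    marker = "<script>alert(1)</script>"  # constructed, harmless test string
    print(render_profile_unsafe(marker))
    print(render_profile_safe(marker))
    token = SESSIONS["sess-123"]["csrf"]
    print(handle_transfer("sess-123", {"amount": 10, "to": "bob"}))
    print(handle_transfer("sess-123", {"amount": 10, "to": "bob", "csrf_token": token}))
    print(delete_user("sess-123", "bob"))
    conn = setup_db()
    print(find_email_unsafe(conn, "x' OR '1'='1"))
    print(find_email_safe(conn, "x' OR '1'='1"))
```

Running the block prints the unsafe rendering with the script tag intact and the safe rendering with it encoded, a transfer that is refused without the token and accepted with it, a forbidden delete for the non-admin session, and a lookup that returns every row through the concatenated query but nothing through the parameterized one. The distinction the question turns on is visible in the first two functions: XSS is the browser executing data the server failed to encode, under whatever access the user's session already has.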
The correct answer to the question is C. Cross-site scripting.
Cross-site scripting (XSS) is a type of security vulnerability that allows an attacker to inject malicious code into a web page viewed by other users. This code can be used to steal sensitive information, such as login credentials or financial data, from unsuspecting users.
XSS attacks typically involve an attacker inserting a malicious script into a web page that is then executed by the victim's browser. The script can be triggered by various means, such as clicking on a link, submitting a form, or simply viewing the page. The script can then do things like steal cookies, modify the page content, or redirect the user to a malicious site.
One type of XSS attack is called "stored XSS," which involves the attacker injecting a script that is permanently stored on the server and executed every time the page is viewed by a victim. Another type is "reflected XSS," which involves the attacker tricking the victim into clicking on a specially crafted link that includes the malicious script as a parameter, which is then reflected back to the victim's browser and executed.
XSS attacks can be particularly dangerous because they allow the attacker to leverage the victim's legitimate access to a site or application. For example, if a user is logged in to a banking site and is targeted by an XSS attack, the attacker can potentially steal the user's login credentials and access their account.
In contrast, injection attacks (A) involve exploiting vulnerabilities in an application's input validation to inject malicious code into the application's database or execution environment. Missing function-level access control (B) involves failing to enforce proper authorization checks on user actions, allowing unauthorized users to perform privileged actions. Cross-site request forgery (D) involves tricking a victim into unwittingly sending a malicious request to a target site or application, often using the victim's valid credentials.