Home » ECCouncil » 312-50 » What kind of Web application vulnerability likely exists in their software?
A company’s Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application.
What kind of Web application vulnerability likely exists in their software?
A. Cross-site scripting vulnerability
B. Cross-site Request Forgery vulnerability
C. SQL injection vulnerability
D. Web site defacement vulnerability
Correct Answer: A
Explanation/Reference:
Many operators of particular web applications (e.g. forums and webmail) allow users to utilize a limited subset of HTML markup. When accepting HTML input from users (say, <b>very</b> large), output encoding (such as <b>very</b> large) will not suffice since the user input needs to be rendered as HTML by the browser (so it shows as "very large", instead of "<b>very</b> large"). Stopping an XSS attack when accepting HTML input from users is much more complex in this situation. Untrusted HTML input must be run through an HTML sanitization engine to ensure that it does not contain cross-site scripting code.
References: https://en.wikipedia.org/wiki/Cross-site_scripting#Safely_validating_untrusted_HTML_input
Free dumps for 312-50v11 in Printable PDF format.
High quality PDF and software. VALID exam to help you pass.
|
|
Download Printable PDF. VALID exam to help you PASS.
|
|
strong
title
yo
strong
title
You can eliminate the rest to find out that A is correct.
A. includes HTML characters such as
B. needs a URL that points to another site and that includes an action on the GET parameters and a logged in user to click on that URL.
C. is not HTML characters but SQLi characters such as single quote.
D. does not exists as a vulnerability term.
Seems like your html code is removed! Input sanitization in action.
test