Lecture 3 XSS Flashcards
XSS flaws occur when …
user-supplied data is included in a page sent to the browser without properly validating or escaping that content
A page that is vulnerable to Stored XSS will …
execute the injected script every time the page is loaded by the browser (persistent XSS)
examples: blog posts, comments, registration, edit profile
Stored XSS: Inspecting the source code shows …
where the data has landed
Stored XSS attacks make use of …
the improper treatment of dynamic content coming from a backend data store.
The attacker abuses an editable field by inserting some JavaScript code, which is evaluated in the browser when another user visits that page
Lack of data sanitisation/filters reflects untrusted data and opens the door to …
1) Script Injection
2) iFrame phishing
3) Redirection
4) Cookie stealing
5) Identity theft
6) DoS - website vandalism
7) Financial fraud
XSS protection 1
1) Blacklisting (poor protection)
2) Whitelisting
3) HTML encoding
XSS protection 2
1) Whitelist values (drop-down list)
2) Content Security Policy
3) Sanitise HTML: use an HTML sanitisation library to stop script injection
4) HTTP-only cookies: cookies will be received, stored and sent by the browser but cannot be modified by JS
Content Security Policy
the script that’s running on a web page must be stored on a specific web server