A web application security auditor notices that a company’s web application displays search results directly in the web page without sanitizing or encoding the user's input. The auditor suspects that this behavior could allow an attacker to execute a type of vulnerability related to injecting malicious scripts. What type of vulnerability is likely to be present in this scenario?
Reflected cross-site scripting is the correct answer because it occurs when an application receives data in a request and includes that data in the immediate response in an unsafe way. In the scenario described, the web application reflects user input directly in the response, which is a classic example of a reflected cross-site scripting vulnerability. Persistent cross-site scripting requires the injected script to be stored on the server and then displayed in subsequent responses to any user visiting the affected page. Cross-site request forgery (CSRF) involves tricking a user into making a request to perform an action that they are authorized to perform, typically without their knowledge, which is not indicated in this scenario. Lastly, SQL injection occurs when an attacker is able to manipulate a SQL query through user input, which is unrelated to script injection reflected in web responses.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is reflected cross-site scripting (XSS)?
Open an interactive chat with Bash
How can web applications prevent reflected XSS vulnerabilities?
Open an interactive chat with Bash
What is the difference between reflected and persistent XSS?