A user's login credentials were recently compromised. During the investigation, the security analyst determined the user input credentials into a pop-up window when prompted to confirm the username and password. However, the trusted website does not use a pop-up for entering user credentials. Which of the following attacks occurred?
The user's login credentials were compromised after inputting them into a pop-up window that did not belong to the legitimate website. This situation strongly indicates a DNS poisoning attack. In DNS poisoning, the user is redirected to a malicious website that looks similar to the trusted site. Since the legitimate site does not use pop-up windows for credentials, it is likely that the user was on a fake site created by the attacker to harvest credentials, which aligns with DNS poisoning rather than cross-site scripting.
The question is quite vague, with the limited info we have here I would say DNS poisoning, we have no info or indication of any XSS, however "However, the trusted website does not use a pop-up for entering user credentials." which leads me to believe that the user is not on the trusted website Therefore his DNS has been poisoned and has been redirected to a malicious website Also see Q551
Seems like A. The attacker most probably used XSS to show a popup window for the user.
but the user was not on the trusted website in this scenario, so it would not be A.
a trusted website could have a vulnerability that an attacker would use to insert XSS code to display a popup window and send the credentials back to the attacker
a simple javascript prompt(); function may do the pop-up, answer A: XSS attack
The scenario described is indicative of a cross-site scripting (XSS) attack. In an XSS attack, an attacker injects malicious scripts into a trusted website, which then executes those scripts in the browsers of unsuspecting users. This can happen when the website fails to properly validate and sanitize user input, allowing the attacker to inject malicious code. In this case, the pop-up window used to collect user credentials is not a legitimate part of the trusted website's design. The attacker has injected a script that creates the pop-up and tricks the user into entering their login credentials into the fake form. The credentials are then captured and sent to the attacker, compromising the user's account. To prevent XSS attacks, web applications should implement proper input validation and output encoding to ensure that user-supplied data is treated as data and not executable code. Additionally, using security mechanisms like Content Security Policy (CSP) and sanitizing user input can help protect against XSS vulnerabilities.
I find it weird that the attacker needs to create a pop-up to ask the user to re-enter his credentials when he could have just exfiltrated the credentials inputted into the vulnerable field in the first place. Its as though he is pulling down his pants just to fart. Reference (for scraping credentials with XSS): https://www.trustedsec.com/blog/scraping-login-credentials-with-xss/
Guys, I have an exam on 27-Aug-2023, if this question comes, I try to inform you if it has the same wording as here or not. seems we need more wording to decide A to C.
GL chap!
how was the exam
This is a re-worded question from another. I believe it to be DNS poisoning - fake website redirection is classic dns poisoning
DNS poisoning redirects you to a fake website by altering your DNS cache. Since the user was on the trusted website it cannot be C. DNS poisoning. The answer is A. XSS, which is when an attacker injects code into a trusted website with a vulnerability so that when users access the website the attacker's code is run. In this case an attacker had code to display a popup window on the trusted website whenever someone accessed it
" Since the user was on the trusted website " this is your assumption, which was not stated in the question. Also, I find it weird that the attacker needs to create a pop-up to ask the user to re-enter his credentials when he could have just exfiltrated the credentials inputted into the vulnerable field in the first place. Its as though he is pulling down his pants just to fart. Reference (for scraping credentials with XSS): https://www.trustedsec.com/blog/scraping-login-credentials-with-xss/
the comment ' the trusted website does not use a pop-up for entering user credentials' would mean that the victim was not on the original website, which would mean that C makes the most sense.
It is most probable be DNS poisoning. The user was redirected to a fake site that mimic the original site. User is asked to provide credentials.
I meant C
Yes, the website was safe, but what about the browser?
its just my opinion that Comptia deliberately made things complicated by not providing enough information for us to make a choice. By choosing A. XSS, we are assuming that the user indeed tried to log in using the legitimate webpage (i.e. there was no dns poisoning). also, it seems like we are making assumption that it is stored XSS instead of reflected xss since no hints were given towards reflected xss which requires users to click on link to legitimate but vulnerable webpage embedded with malicious script in the input field. By choosing C. DNS poisoning, we are making the opposite assumption. I feel like Comptia did us dirty here if in fact this is the actual question. there is too much ambiguity in the question that we can really argue it to be A or C. But I really hope I am missing something here and that someone can enlighten me..
Maybe A.. Specific Mention of Pop-up Window: The question explicitly states that the user inputted credentials into a pop-up window. DNS poisoning typically involves redirecting users to malicious websites by altering DNS records, which might not always involve pop-up windows for credential input. Focus on User Interaction: The scenario seems to emphasize the user's direct interaction with a pop-up window. DNS poisoning, on the other hand, usually redirects users to a fake website without their direct initiation of a pop-up window or interaction with the site. Lack of Indication: The question does not provide any indication that the user was redirected to a different website or experienced unexpected behavior in their browser, which are common signs of DNS poisoning.
The attack that occurred in this scenario is Cross-site scripting (XSS). In an XSS attack, malicious code is injected into a web application, often via user input fields. In this case, the pop-up window tricked the user into revealing their credentials on a fake site.
DNS poisoning doesn’t involve pop-up windows or tricking users directly.
Would go with A
Correct Answer is A. Here is the link the documents it. https://brutelogic.com.br/blog/xss101/
A and C both seem like great answers, I'm so confused