Exam CAS-004
Question 240

A security architect is advising the application team to implement the following controls in the application before it is released:

• Least privilege

• Blocklist input validation for the following characters: \<>;, ="#+

Based on the requirements, which of the following attacks is the security architect trying to prevent?

    Correct Answer: D

    The security architect is trying to prevent Cross-Site Scripting (XSS) attacks. XSS attacks involve injecting malicious scripts into web pages that are viewed by other users, using special characters such as <, >, ;, =, and #. Blocklisting these characters is a common method to prevent such scripts from being executed. Additionally, the principle of least privilege is a general security measure that can help mitigate the impact of XSS and other vulnerabilities by limiting the permissions of users and processes.

Discussion
Geofab (Option: B)

answer is B according to OWASP https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html

isaphiltrick

Thanks for the reference site. It convinced me without a doubt it's B - LDAP injection. I urge everyone to review Defense Option 1 and Defense Option 3 from the site as they address both requirements.

javier051977 (Option: D)

Based on the controls advised by the security architect, the attacks being prevented are Cross-Site Scripting (XSS) attacks, where the <>;, ="#+ characters can be used in input to inject malicious scripts that can be executed in the user's browser.

Characters commonly used in LDAP injection attacks include:

• Asterisk (*)

• Left parenthesis (

• Right parenthesis )

• Backslash (\)

• Null byte (0x00)

For XML injection, some of the characters that are commonly used to exploit vulnerabilities are:

• < (less than)

• > (greater than)

• & (ampersand)

• " (double quote)

• ' (single quote)

CraZee

I know this was almost 10 months ago, but Geofab's link (scenarios 1 and 3) hit the exact points that the question is targeting. I really think the answer is B based on the link. https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html

Daekim (Option: B)

https://brightsec.com/blog/ldap-injection

last_resort (Option: B)

LDAP injection. Not only are those common characters used according to OWASP, implementing least privilege is another suggested prevention mechanism.

Amin4799 (Option: D)

XSS is ok

Amin4799 (Option: D)

I go D

YOOOO (Option: B)

This is B

WHODISNEWFONE (Option: D)

XSS. Answer is D

ElDirec (Option: D)

The security architect is trying to prevent D. XSS (Cross-Site Scripting) attacks. XSS attacks occur when an attacker injects malicious scripts into web pages viewed by other users. These scripts can steal information or perform actions on behalf of the user without their consent. The blocklist input validation for the characters <>;, ="#+ is a common method to prevent XSS, as these characters are often used in scripting. The principle of least privilege, which involves giving a user account or process the bare minimum privileges it needs to perform its function, is a general security practice that can help mitigate the impact of any security vulnerability, not just XSS.

Anarckii (Option: B)

Given the special characteristics, they align with LDAP more than XSS

Uncle_Lucifer (Option: D)

Use ChatGPT and ask the questions below: "commonly used in XSS attacks include which keyboard characters" and "commonly used in LDAP injection attacks include which keyboard characters". Only XSS has & and #. XSS all the way!

Uncle_Lucifer

In regards to CompTIA material the answer should be LDAP. B. Will change my answer based on that, but it could be XSS as well

Uncle_Lucifer

To hell with it. Will stick to XSS -> final answer is D

imather (Option: D)

LDAP injections typically use brackets, asterisks, ampersands, or quotes, but the input validation more closely aligns with XSS per the OWASP XSS cheat sheet.

isaphiltrick (Option: D)

It's been over 10 months since I've gone through these questions and I'm finally taking the exam next week. I've reread the reference site and found something I've overlooked this entire time. The OWASP cheat sheet for LDAP injection shows the additional defenses are: - Least Privilege - Allow-List Input Validation. An Allow-List and a Block-List are two completely different things so if the security architect is "block-listing" those special characters, he/she is actually trying to prevent XSS, not LDAP injections. Therefore, I'm changing my answer to D: XSS.
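
An added worked example (not part of the exam, the answer key, or any poster's text) that puts the two controls discussed on this page side by side: the question's blocklist of `\<>;,="#+`, an allow-list validator of the kind isaphiltrick contrasts it with, and contextual output encoding, which is the defence that holds for XSS even when a validator is bypassed. The allow-list policy (letters, digits, space, period, apostrophe, hyphen, 1 to 64 characters), the `LDAP_SPECIAL` set (taken from the characters listed in javier051977's post), the function names and the sample inputs are all assumptions constructed for the example.

```python
import html
import re

# The architect's blocklist exactly as the question states it: \ < > ; , = " # +
BLOCKLIST = frozenset('\\<>;,="#+')

# Characters that are significant inside an LDAP search filter (the list given
# in the discussion above). Only the backslash overlaps with the blocklist.
LDAP_SPECIAL = frozenset('*()\\\x00')

# Assumed allow-list policy for a single-line display-name field (ours, not the
# page's): letters, digits, space, period, apostrophe and hyphen, 1 to 64 chars.
ALLOWLIST_RE = re.compile(r"^[A-Za-z0-9 .'\-]{1,64}$")


def blocklist_rejects(value: str) -> bool:
    """True if the input contains any character on the question's blocklist."""
    return any(ch in BLOCKLIST for ch in value)


def allowlist_accepts(value: str) -> bool:
    """True only if every character of the input is explicitly permitted."""
    return ALLOWLIST_RE.fullmatch(value) is not None


def blocklist_misses(value: str) -> set:
    """LDAP-significant characters present in the input that the blocklist lets through."""
    return {ch for ch in value if ch in LDAP_SPECIAL and ch not in BLOCKLIST}


def render_html(value: str) -> str:
    """Contextual output encoding for an HTML element body.

    Neutralises <, >, &, " and ' regardless of what input validation did,
    so the rendered page cannot be turned into script by user-controlled text.
    """
    return "<p>" + html.escape(value, quote=True) + "</p>"


def evaluate(value: str) -> dict:
    """Run one input through every control and report the outcome of each."""
    return {
        "blocklist_rejects": blocklist_rejects(value),
        "allowlist_accepts": allowlist_accepts(value),
        "ldap_chars_missed": blocklist_misses(value),
        "rendered": render_html(value),
    }


# Constructed sample inputs (not taken from the page).
SAMPLES = [
    "Alice O'Brien",   # benign: both validators accept it
    "<b>bold</b>",     # HTML markup: blocklist rejects, allow-list rejects
    "x=1;y=2",         # '=' and ';' are on the blocklist
    "dev*(ops)",       # LDAP wildcard and parentheses: the blocklist lets it through
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), evaluate(sample))
```

Running it shows why the thread keeps circling: the blocklist does reject the characters that build HTML and attribute contexts, but it says nothing about `*`, `(` and `)`, which are the characters an LDAP filter cares about, whereas the allow-list rejects every sample that is not a plain name. The `render_html` step is the part neither validator replaces; it is what actually stops a stray `<` from becoming markup.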

e4af987 (Option: D)

Compare output from Gemini, ChatGPT, Copilot and common knowledge

ThatGuyOverThere (Option: B)

It's B

Brianny93 (Option: D)

XSS is the answer.

joinedatthehop (Option: B)

As Geofab mentions, the answer is B according to OWASP https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html