CCSP Exam Questions

CCSP Exam - Question 266


Which of the following threat types involves leveraging a user's browser to send untrusted data to be executed with legitimate access via the user's valid credentials?

Correct Answer: C

Cross-site scripting (XSS) involves injecting harmful scripts into web pages viewed by other users. This untrusted data is executed in the context of the user's browser, leveraging their valid session and access credentials. When a user visits a page containing a malicious script, the script runs with their permissions, allowing attackers to steal data, impersonate the user, and perform unauthorized actions. CSRF, on the other hand, tricks the user's browser into making an unwanted request, but it doesn't specifically involve executing untrusted data through the user's valid credentials.
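As an added illustration (not part of the original question or its explanation), the Python below contrasts the two mitigations that follow from the distinction drawn above: escaping untrusted output stops injected markup from executing as XSS in the visitor's browser, while a synchronizer token rejects a forged request that rides on the user's valid session cookie but cannot present the site's own token. The page template, sample comment, and handler names are constructed for this example.

```python
import hmac
import html
import secrets

# Constructed sample input: a comment an untrusted user submits to the site.
# Deliberately harmless; it only shows whether markup reaches the page intact.
UNTRUSTED_COMMENT = 'Nice post! <script>alert(1)</script>'

# Constructed page template for the example.
PAGE_TEMPLATE = "<html><body><h1>Comments</h1><p>{comment}</p></body></html>"


def render_comment(comment: str, escape: bool = True) -> str:
    """Render a user comment into the page.

    XSS arises when untrusted data is embedded without escaping: the browser of
    every visitor then executes the script with that visitor's own session.
    Escaping turns '<' into '&lt;' so the text is displayed, not executed.
    """
    safe = html.escape(comment, quote=True) if escape else comment
    return PAGE_TEMPLATE.format(comment=safe)


def issue_csrf_token(session: dict) -> str:
    """Bind a random synchronizer token to the authenticated session.

    The token is embedded in the site's own forms; a request forged from another
    origin rides on the user's cookie but cannot read the page, so it lacks it.
    """
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def handle_transfer(session: dict, form: dict) -> str:
    """Server-side handler for a state-changing request.

    The session cookie proves who the user is, not that the user intended this
    request; the token proves the request originated from the site's own form.
    """
    if "user" not in session:
        return "rejected: not authenticated"
    submitted = form.get("csrf_token")
    expected = session.get("csrf_token")
    if not submitted or not expected:
        return "rejected: missing csrf token"
    # Constant-time comparison so token checking does not leak timing information.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return "rejected: token mismatch"
    return f"ok: {session['user']} transferred {form['amount']}"
```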

Discussion

15 comments
ArizonaClassics
Jul 31, 2020

THE CORRECT ANSWER IS CSRF!! Cross-site Request Forgery (CSRF) is a type of confused deputy attack, which leverages the authentication and authorization of the victim when a forged request is being sent to the web server. Therefore, a CSRF vulnerability that affects highly privileged users, such as administrators, could result in a full application compromise. During a successful CSRF attack, the victim’s web browser is tricked by a malicious website into an unwanted action: it sends HTTP requests to the web application as intended by the attacker. Normally, such a request would involve submitting forms present on the web application to alter some data. https://www.acunetix.com/blog/articles/cross-site-request-forgery/

muyenzo
Jun 10, 2020

The answer should be Cross-site scripting not CSRF.

ichnos
Apr 5, 2021

Correct Answer: D Cross-Site Request Forgery (CSRF) A CSRF attack forces an authenticated client that a user has open to send forged requests under their own credentials to execute commands and requests that the application thinks are coming from a trusted client and user. Although an attacker cannot use this type of attack to steal data directly, because they have no way to see the results of the commands, it does open up other ways to compromise an application. If the authenticated user has permissions as a regular user of a system, CSRF could be used to execute any portion of the application where they have access.

Kanthie
Apr 10, 2021

Answer - C. OWASP Top 10 - XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Irivera
Jul 10, 2021

Answer is XSS, not CSRF. CSRF will try to run using commands in the web application; XSS will execute on the user desktop.

roki
Apr 17, 2021

Explanation is correct and answer is wrong.

Pika26 (Option: C)
Nov 13, 2023

C: Cross-site scripting (XSS)

BigMomma4752
Jul 3, 2022

The correct answer is C.

kepalon (Option: C)
Sep 24, 2022

D is wrong. XSS is the right answer so B.

AJ2021 (Option: D)
May 7, 2023

D is correct because with XSS you don't need to go through validation. Read the question carefully!!

nelombg
Oct 17, 2023

Answer is C.

gbabes
Aug 3, 2023

https://books.google.com/books?id=WHLWDwAAQBAJ&pg=PT28&lpg=PT28&dq=Which+of+the+following+threat+types+involves+leveraging+a+user%27s+browser+to+send+untrusted+data+to+be+executed+with+legitimate+access+via+the+user%27s+valid+credentials?&source=bl&ots=Y5ROsIMP2W&sig=ACfU3U3tpq5jrwP9FYzCixYUpJK_mMESwA&hl=en&sa=X&ved=2ahUKEwibnpXm8ff8AhWNkIkEHWwmDqgQ6AF6BAgfEAM#v=onepage&q&f=false states the exact explanation: Answer D - CSRF.

gbabes
Aug 3, 2023

Sorry, now I think my above reference is incorrect. I believe it is Cross-site scripting (Answer C).

Lee_Lah (Option: D)
Aug 18, 2024

D - CSRF

lolanczos (Option: D)
Dec 19, 2024

This is D. CSRF attacks trick a user’s browser into performing actions (e.g., transferring funds, changing settings) on a website where the user is authenticated. These actions are executed with the user’s valid credentials, leveraging their legitimate session without their knowledge. The question specifically mentions valid credentials. Key concept is hijacking someone's VALID credentials. XSS doesn't do that. XSS injects malicious scripts into web pages, but it does not perform actions on behalf of an authenticated user with their credentials.

MaciekMT (Option: D)
Feb 23, 2025

CSRF exploits a user's authenticated session to trick their browser into executing unauthorized actions on a trusted site without their knowledge. Since the request appears to come from the authenticated user, the server processes it with legitimate credentials and access rights.

Why not the others?

- Injection (A): Involves sending malicious input (e.g., SQL, command, or script injection) to manipulate an application's processing.
- Missing function-level access control (B): A flaw where users can access unauthorized functions due to poor authorization checks.
- Cross-site scripting (C): Involves injecting malicious scripts into web pages that execute in a victim’s browser but do not rely on their authenticated session for unauthorized actions.