Which statement best describes Cross-Site Scripting (XSS)?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions, each question has hints and explanations. Get ready for your exam!

Multiple Choice

Which statement best describes Cross-Site Scripting (XSS)?

Explanation:
Cross-Site Scripting is about attacker-supplied script running in a victim’s browser within a trusted web page. The attacker injects code into the page (through unsanitized input, reflected input, or stored data), and the browser executes that script as if it came from the site. This lets the attacker access cookies, session tokens, or other sensitive data, or perform actions in the user’s context. That makes the statement describing a browser script injected into a site that then runs in the victim’s browser the best fit. It captures the core behavior: execution of injected code on the client side, inside the target page, rather than requiring the server to reveal data or perform actions on behalf of the attacker. Why the others don’t fit as well: tricking a user into submitting credentials describes phishing or social engineering more than XSS’s mechanism; CSRF is about forged requests exploiting a user’s authenticated session and does not inherently involve injected scripts on the site; requiring server-side SQL errors points to SQL injection, not XSS.

Cross-Site Scripting is about attacker-supplied script running in a victim’s browser within a trusted web page. The attacker injects code into the page (through unsanitized input, reflected input, or stored data), and the browser executes that script as if it came from the site. This lets the attacker access cookies, session tokens, or other sensitive data, or perform actions in the user’s context.

That makes the statement describing a browser script injected into a site that then runs in the victim’s browser the best fit. It captures the core behavior: execution of injected code on the client side, inside the target page, rather than requiring the server to reveal data or perform actions on behalf of the attacker.

Why the others don’t fit as well: tricking a user into submitting credentials describes phishing or social engineering more than XSS’s mechanism; CSRF is about forged requests exploiting a user’s authenticated session and does not inherently involve injected scripts on the site; requiring server-side SQL errors points to SQL injection, not XSS.

More Multiple Choice Questions
Subscribe

Get the latest from Passetra

You can unsubscribe at any time. Read our privacy policy