Chapter 32 Β· Quiz

Cross-Site Scripting Quiz

Multiple choice, matching, analysis, and evaluation questions.

Part A β€” Multiple Choice

Q1
What does XSS exploit, and why is JavaScript its most common weapon?
βœ… Correct: C. XSS attacks the client β€” it exploits the browser's trust in sites it visits. JavaScript is the preferred tool because it runs in every browser, is enabled by default, and has full access to session cookies, DOM content, form data, and the ability to make requests silently. The attack happens client-side, not on the server.
Q2
An attacker crafts a URL for a legitimate online banking site that includes a JavaScript payload in the search parameter. They email this link to a bank customer. When the customer clicks it, the script runs and sends their session cookie to the attacker. Which XSS type is this?
βœ… Correct: B. Reflected XSS: the script is in the URL, not stored on the server. It is delivered to a specific victim via email (crafted link). The server reflects the URL content back in the response without storing it. The script executes only when the specific crafted link is clicked. These are the defining characteristics of non-persistent/reflected XSS.
Q3
A social media platform has an XSS vulnerability in its post rendering. An attacker creates a post containing a hidden script. Every user who views the post has their session cookie silently sent to the attacker, and the script automatically re-posts itself to the viewer's profile. What XSS type is this, and what makes it especially dangerous?
βœ… Correct: C. Stored XSS: the script is saved in the database and executed by every viewer automatically. The self-propagating behavior β€” where the script re-posts itself β€” creates an XSS worm that can spread exponentially across a social network from a single post, compromising thousands of accounts without any individual crafted link being sent.
Q4
Which developer control is the MOST effective primary defense against XSS?
βœ… Correct: B. Output encoding fixes the root cause β€” it prevents the browser from interpreting user content as executable script. HTTPS (A) protects data in transit but doesn't prevent injection. Passwords (C) don't prevent anonymous or authenticated users from submitting script content. Disabling JavaScript on the server (D) is not how XSS works β€” scripts execute in the browser, not the server.
Q5
In the Subaru 2017 vulnerability discovered by Aaron Guzman, what was the role of XSS in the overall attack chain?
βœ… Correct: B. XSS was the delivery mechanism β€” the malicious link exploited the XSS vulnerability to capture the authentication token from the victim's browser. The real power came from the token's properties: it never expired and allowed any service request including adding emails to other accounts. XSS was the hand that stole the key; the token's design was the vault it opened.

Part B β€” Matching

Match each XSS concept to its correct description.

CONCEPT

Reflected XSS
Stored XSS
Output Encoding
Content Security Policy

DESCRIPTION

HTTP header that restricts which script sources the browser is permitted to execute β€” blocks unauthorized inline scripts
Script saved in the server database; executes automatically for every user who views the infected page β€” no link required
Converts HTML special characters to entity equivalents so browsers display user content as text rather than executing it as code
Script embedded in a URL; server reflects it in the response; delivered to a specific victim via crafted link β€” not stored

Part C β€” Analysis

Q6 β€” Analyze
A development team adds a filter that blocks any input containing the string <script>. They conclude their application is now protected from XSS. Why might this be insufficient?
βœ… Correct: B. Blocking the literal <script> string is a denylist approach β€” attackers can bypass it with case variations (<ScRiPt>), URL encoding (%3Cscript%3E), using event handlers (<img src=x onerror=...>), or SVG tags. The correct approach is output encoding (allowlist) β€” encode all user content before rendering so the browser sees it as text regardless of what it contains.

Part D β€” Evaluation

Q7 β€” Evaluate
A security manager argues: "Users can protect themselves from XSS by disabling JavaScript in their browsers β€” this eliminates the risk entirely and no code changes are needed." Evaluate this claim.
βœ… Correct: C. Disabling JavaScript breaks virtually all modern web applications β€” banking portals, email clients, e-commerce, news sites. It's impractical for most users and not a real solution. It also only addresses JavaScript-based XSS; HTML injection and other attack variants may not require JavaScript. The curriculum explicitly states this "offers limited protection." The real fix is in the code β€” output encoding prevents user content from being interpreted as executable script, regardless of what JavaScript settings the user has.
0/7
Questions Answered Correctly