Home › BCA Cyber Security › cybersecurity › Web Security — OWASP › CROSS-SITE SCRIPTING (XSS) allows an attacker to
CROSS-SITE SCRIPTING (XSS) allows an attacker to
Amodify server files directly
Bencrypt all user files
Ccrash the database server
Dinject JS into another user's browser
Answer & Solution
Correct answer: D. inject JS into another user's browser
1. XSS: web app accepts untrusted input and embeds it into a page WITHOUT proper escaping/encoding.
2. Result: attacker-controlled JavaScript runs in the VICTIM'S browser, with the victim's session.
3. THREE TYPES:
• REFLECTED: input in URL is reflected back in the response (e.g. search results page).
• STORED: malicious script saved to DB and served to other users (e.g. blog comment).
• DOM-based: client-side JS reads URL/inputs and modifies DOM unsafely.
4. MITIGATIONS: contextual OUTPUT ENCODING (HTML, JS, URL), Content-Security-Policy header, framework escaping (React's curly braces auto-escape).
5. Falls under A03: Injection in OWASP Top 10 2021 (XSS was its own category in 2017).
_Source: OWASP Top 10 2017 — A7 (XSS); 2021 — A03 (Injection)._
Related questions
What does HTTPS provide over plain HTTP?Which OWASP category covers using libraries with KNOWN CVEs?OWASP recommends LOGGING and MONITORING for the SECURITY LIFECYCLE becauseAn IDOR (Insecure Direct Object Reference) attack happens whenCROSS-SITE REQUEST FORGERY (CSRF) is best mitigated byWhich mitigation is the SINGLE most effective defense against SQL Injection?SERVER-SIDE REQUEST FORGERY (SSRF) — A10 in OWASP 2021 — happens whenWhat does the SECURITY MISCONFIGURATION category (A05 in 2021) typically include?