Exam CAS-004 topic 1 question 240 discussion

answer is B according to OWAPS https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html

Based on the controls advised by the security architect, the attacks being prevented are Cross-Site Scripting (XSS) attacks, where the <>;, ="#+ characters can be used in input to inject malicious scripts that can be executed in the user's browser. commonly used in LDAP injection attacks include: • Asterisk (*) • Left parenthesis ( • Right parenthesis ) • Backslash () • Null byte (0x00) For XML injection, some of the characters that are commonly used to exploit vulnerabilities are: < (less than) (greater than) & (ampersand) " (double quote) ' (single quote)

XSS (Cross-Site Scripting) involves injecting malicious scripts (often JavaScript) into web pages that are then executed in the context of another user's browser. This can occur when input is not properly sanitized, allowing attackers to inject script tags or JavaScript code into a webpage. Special characters like <, >, ", ;, =, and + are commonly involved in XSS attacks, especially in HTML and JavaScript contexts. The input blocklist of characters like <>, =, ", ;, and + seems designed to prevent XSS attacks, as these characters are often used in HTML or JavaScript injection.

It's been over 10 months since I've gone through these questions and I'm finally taking the exam next week. I've reread the reference site and found something I've overlooked this entire time. The OWASP cheat sheet for LDAP injection shows the additional defenses are: - Least Privilege - Allow-List Input Validation. An Allow-List and a Block-List are two completely different things so if the security architect is "block-listing" those special characters, he/she is actually trying to prevent XSS, not LDAP injections. Therefore, I'm changing my answer to D: XSS.

Compare out put from Gemini, Chat GPT, Copilot and common knowledge

The security architect is trying to prevent D. XSS (Cross-Site Scripting) attacks. XSS attacks occur when an attacker injects malicious scripts into web pages viewed by other users. These scripts can steal information or perform actions on behalf of the user without their consent. The blocklist input validation for the characters <>;, ="#+ is a common method to prevent XSS, as these characters are often used in scripting. The principle of least privilege, which involves giving a user account or process the bare minimum privileges it needs to perform its function, is a general security practice that can help mitigate the impact of any security vulnerability, not just XSS.

Given the special characteristics, they align with LDAP more than XSS

It's B

XSS is the answer.

As Geofab mentions, the answer is B according to OWAPS https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html

Use chatGPT and ask the question below: commonly used in XSS attacks include which keyboard characters and commonly used in LDAP injection attacks include whicc keyboard characters only XSS has & and #. XSS all the way!

LDAP injections typically use brackets, asterisks, ampersands, or quotes, but the input validation more closely aligns with XSS per the OWASP XSS cheat sheet.

LDAP injection. Not only are those common characters used according to OWASP, implementing lease privilege is another suggested prevention mechanism.

xss is ok

i go D

This is B

https://brightsec.com/blog/ldap-injection