During a penetration test, a tester finds that the web application being analyzed is vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this vulnerability?
A.
The web application does not have the secure flag set.
B.
The session cookies do not have the HttpOnly flag set.
C.
The victim user should not have an endpoint security solution.
D.
The victim's browser must have ActiveX technology enabled.
Suggested Answer: B
The HttpOnly flag is a security measure that prevents client-side scripts (e.g. JavaScript) from accessing cookies. Cookies are small files that web servers send to the user's browser, which then stores them on the user's computer.
The Secure flag is used to declare that the cookie may only be transmitted using a secure connection (SSL/HTTPS). If this cookie is set, the browser will never send the cookie if the connection is HTTP. This flag prevents cookie theft via man-in-the-middle attacks.
Note that this flag can only be set during an HTTPS connection. If it is set during an HTTP connection, the browser ignores it.
Cross-site scripting (XSS) attacks are often aimed at stealing session cookies. In such an attack, the cookie value is accessed by a client-side script using JavaScript (document.cookie). However, in everyday use, web applications rarely need to access cookies via JavaScript. Therefore, a method of protecting cookies from such theft was devised: a flag that tells the web browser that the cookie can only be accessed through HTTP – the HttpOnly flag.
Answer must be
The session cookies do not have the HttpOnly flag set.
upvoted 2 times
...
Community vote distribution: A (35%), C (25%), B (20%), Other