ExamTopics Logo
Mail Us[email protected]
Menu
Eccouncil Discussions
exam questions

Exam 312-50v12 All Questions

View all questions & answers for the 312-50v12 exam
Go to Exam

Exam 312-50v12 topic 1 question 217 discussion

Actual exam question from ECCouncil's 312-50v12
Question #: 217
Topic #: 1
[All 312-50v12 Questions]

As part of a penetration testing team, you've discovered a web application vulnerable to Cross-Site Scripting (XSS). The application sanitizes inputs against standard XSS payloads but fails to filter out HTML-encoded characters. On further analysis, you've noticed that the web application uses cookies to track session IDs. You decide to exploit the XSS vulnerability to steal users' session cookies. However, the application implements HTTPOnly cookies, complicating your original plan. Which of the following would be the most viable strategy for a successful attack?

  • A. Build an XSS payload using HTML encoding and use it to exploit the server-side code, potentially disabling the HTTPOnly flag on cookies.
  • B. Develop a browser exploit to bypass the HTTPOnly restriction, then use a HTML-encoded XSS payload to retrieve the cookies.
  • C. Utilize an HTML-encoded XSS payload to trigger a buffer overflow attack, forcing the server to reveal the HTTPOnly cookies.
  • D. Create a sophisticated XSS payload that leverages HTML encoding to bypass the input sanitization, and then use it to redirect users to a malicious site where their cookies can be captured.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by DarioReymag at Feb. 6, 2024, 10:38 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
qtygbapjpesdayazko
11 months ago
Selected Answer: D
The correct id D:
upvoted 1 times
...
insaniunt
11 months, 3 weeks ago
Selected Answer: D
D. Create a sophisticated XSS payload that leverages HTML encoding to bypass the input sanitization, and then use it to redirect users to a malicious site where their cookies can be captured
upvoted 1 times
...
LeongCC
11 months, 4 weeks ago
Selected Answer: D
D. Create a sophisticated XSS payload that leverages HTML encoding to bypass the input sanitization, and then use it to redirect users to a malicious site where their cookies can be captured, focuses on redirection or other client-side manipulations rather than directly bypassing HTTPOnly protections. This method adheres to the constraints and aims to exploit the vulnerability in a way that can lead to compromising the user's session or data indirectly, such as through phishing or other deceptive means at the redirected location.
upvoted 1 times
...
lukinno
12 months ago
Selected Answer: D
From Copilot: B. Develop a browser exploit to bypass the HTTPOnly restriction, then use a HTML-encoded XSS payload to retrieve the cookies. This option is more promising. If you can find a browser vulnerability or exploit (such as a same-origin policy bypass), you might be able to access the HTTPOnly cookies from client-side JavaScript. However, finding such an exploit can be challenging, and it’s not a guaranteed method. Potentially viable, but difficult. D. Create a sophisticated XSS payload that leverages HTML encoding to bypass the input sanitization, and then use it to redirect users to a malicious site where their cookies can be captured. This strategy is practical. By crafting a clever XSS payload that evades input sanitization, you can execute arbitrary JavaScript on the victim’s browser. Redirecting users to a malicious site allows you to capture their cookies. Most viable option.
upvoted 1 times
...
kennels
12 months ago
Selected Answer: D
https://www.shorebreaksecurity.com/blog/xss-exploitation-with-xhr-response-chaining/
upvoted 2 times
...
przemyslaw1
12 months ago
Selected Answer: B
B. Develop a browser exploit to bypass the HTTPOnly restriction, then use a HTML-encoded XSS payload to retrieve the cookies.
upvoted 1 times
...
qtygbapjpesdayazko
1 year ago
Im a bit hesitant about the effectiveness of this CEH technique
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel