Exam 350-701 topic 1 question 49 discussion

Cross-site Scripting is an attack where code is executed from the server side, whereas SQL Injection is an attack where code is executed from the client side.

The correct answer is: B. Cross-site Scripting is an attack where code is executed from the client side, whereas SQL Injection is an attack where code is executed from the server side. In Cross-site scripting (XSS) the attacker injects malicious code into a web page viewed by other users, the code is executed by the client's browser. SQL Injection is a server-side attack, where the attacker manipulates an SQL statement by injecting malicious code into the query. The malicious code is executed on the server, often with the goal of accessing or modifying sensitive data in the database

The answer is B

B is correct

SQL is injected in browser and runs on server. XSS is injected in browser and loaded into server database then executes on clients browser

Can't be A because XSS is not whaling. Can't be D because XSS because code is injected into the web app and not database: https://owasp.org/www-community/attacks/xss/ ; and SQL Injection is more about browser input rather than injecting code into a browser: https://owasp.org/www-community/attacks/SQL_Injection

Option A is the closest to being correct, as executives in a corporation can be considered targeted users of a website, and XSS is a client-side vulnerability that targets other users of the application. So, to summarize: XSS is a client-side vulnerability where malicious code is injected into a website and targets other users of the application, including executives in a corporation. SQLi is a server-side vulnerability where an attacker can manipulate the database of a website by injecting malicious SQL commands.

Answer B appears to be the Cisco's choice as correct. Key Concepts of XSS XSS is a web-based attack performed on vulnerable web applications. In XSS attacks, the victim is the user and not the application. In XSS attacks, malicious content is delivered to users using JavaScript.

I would say D is most accurate. For XSS malicious links can be inserted into databases, If webpages store and pull links to append to their HTML (instead of manually typing each one in their code <a href="$database_value" />click me</a>) so when an unsuspecting user download the page and pulls the links from the database, they unknowingly pull those malicious links as well. The reason why it isn't B is because XSS isn't executed on the server, it is executed on the clients browser when the user initially downloads the HTML page and all associated scripts (.js .css etc). SQL code is sent from the user using HTML form (POST) submission and executed on the server when the server opens a connection to the database and executes the SQL commands. The answer could equally be A as well however, XSS isn't just targeted at executives, It could be targeted at anyone providing there is a vulnerability to exploit.

D Explination: Therefore only answer D is left. In XSS, an attacker will try to inject his malicious code (usually malicious links) into a database. When other users follow his links, their web browsers are redirected to websites where attackers can steal data from them. In a SQL Injection, an attacker will try to inject SQL code (via his browser) into forms, cookies, or HTTP headers that do not use data sanitizing or validation methods of GET/POST parameters. Note: The main difference between a SQL and XSS injection attack is that SQL injection attacks are used to steal information from databases whereas XSS attacks are used to redirect users to websites where attackers can steal data from them.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Answer is B as XSS happens when Client is exploited and used to run code on another site. 2nd part where SQL injection happens from client end and run on server. Notice the wording it says FROM client which is correct.

If anything definitely A. XSS is a client side side attack, the code is executed from the clients browser. SQL injection is a server side attack, code is executed on the server side. B is wrong. C+D are completely wrong.

B is correct. The key word there is "from". They are talking about the origin of the code not where it's being executed.

I think maybe can mean stored XSS and SQL inject A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. https://owasp.org/www-community/attacks/SQL_Injection

Its B The only problem with A is @Cross-site Scripting is when executives in a corporation are attacked@

This question is so bad, but I would go with A and here is why. First, all other options is messed up and obviously wrong without questioning. Now, if we look at A, the second part is perfect description for SQL “ SQL Injection is when a database is manipulated” So what about XSS? I would say that because all other options are wrong that leaves us to the fact that when XSS are performed on the corporation internal website, executives and everyone else is attacked. I’m assuming this is why they chose A, the rest of options is so bad.