Exam CCSP topic 1 question 266 discussion

THE CORRECT ANSWER IS CRF!! Cross-site Request Forgery (CSRF) is a type of confused deputy attack, which leverages the authentication and authorization of the victim when a forged request is being sent to the web server. Therefore, a CSRF vulnerability that affects highly privileged users, such as administrators, could result in a full application compromise. During a successful CSRF attack, the victim’s web browser is tricked by a malicious website into unwanted action – it sends HTTP requests to the web application as intended by the attacker. Normally, such a request would involve submitting forms present on the web application to alter some data. https://www.acunetix.com/blog/articles/cross-site-request-forgery/

The answer should be Cross-site scripting not CSRF.

CSRF exploits a user's authenticated session to trick their browser into executing unauthorized actions on a trusted site without their knowledge. Since the request appears to come from the authenticated user, the server processes it with legitimate credentials and access rights. Why Not the Others? Injection (A): Involves sending malicious input (e.g., SQL, command, or script injection) to manipulate an application's processing. Missing function-level access control (B): A flaw where users can access unauthorized functions due to poor authorization checks. Cross-site scripting (C): Involves injecting malicious scripts into web pages that execute in a victim’s browser but do not rely on their authenticated session for unauthorized actions.

This is D. CSRF attacks trick a user’s browser into performing actions (e.g., transferring funds, changing settings) on a website where the user is authenticated. These actions are executed with the user’s valid credentials, leveraging their legitimate session without their knowledge. The question specifically mentions valid credentials. Key concept is hijacking someone's VALID credentials. XSS doesn't do that. XSS injects malicious scripts into web pages, but it does not perform actions on behalf of an authenticated user with their credentials.

D - CSRF

C: Cross-site scripting (XSS)

Answer is C.

https://books.google.com/books?id=WHLWDwAAQBAJ&pg=PT28&lpg=PT28&dq=Which+of+the+following+threat+types+involves+leveraging+a+user%27s+browser+to+send+untrusted+data+to+be+executed+with+legitimate+access+via+the+user%27s+valid+credentials?&source=bl&ots=Y5ROsIMP2W&sig=ACfU3U3tpq5jrwP9FYzCixYUpJK_mMESwA&hl=en&sa=X&ved=2ahUKEwibnpXm8ff8AhWNkIkEHWwmDqgQ6AF6BAgfEAM#v=onepage&q&f=false states the exact explanation Answer D - CSRF

D is correct because with XSS you don't need to go through validation. Read the question carefully !!

D is wrong. XSS is the right answer so B.

The correct answer is C.

answer is XSS not CSRF CSRF will try to run using commands in the web application XSS will execute on the user desktop

explanation is correct and answer is wrong

Answer - C OWASP 10 - XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Correct Answer: D Cross-Site Request Forgery (CSRF) A CSRF attack forces an authenticated client that a user has open to send forged requests under their own credentials to execute commands and requests that the application thinks are coming from a trusted client and user. Although an attacker cannot use this type of attack to steal data directly, because they have no way to see the results of the commands, it does open up other ways to compromise an application. If the authenticated user has permissions as a regular user of a system, CSRF could be used to execute any portion of the application where they have access.