Which of the following methods is MOST effective in mitigating Cross-Site Scripting (XSS) vulnerabilities within HyperText Markup Language (HTML) websites?
A. Use antivirus and endpoint protection on the server to secure the web-based application
B. Place the web-based system in a defined Demilitarized Zone (DMZ)
C. Use .NET framework with .aspx extension to provide a higher level of security to the web application so that the web server display can be locked down
D. Not returning any HTML tags to the browser client
D. Not returning any HTML tags to the browser client.
Cross-Site Scripting (XSS) vulnerabilities occur when untrusted data is included in a web page and executed as code in a user's browser. By not returning any HTML tags to the browser client, you are effectively preventing any malicious code injection into the page. This approach, known as output encoding or input validation, helps ensure that user input is treated as plain text and not as executable code. It's a fundamental security practice to prevent XSS attacks.
The suggested answer D is correct
The most effective method for mitigating Cross-Site Scripting (XSS) vulnerabilities within HTML websites is option D - not returning any HTML tags to the browser client.
XSS exploits allow attackers to inject malicious client-side scripts. By not returning any HTML tags at all, you completely prevent the ability for attackers to inject active content that could execute scripts. This stops XSS at the root.
Antivirus (A) cannot catch all XSS payloads.
DMZs (B) only limit network access, not code injection.
.NET (C) helps but does not inherently prevent all XSS like removing HTML tags does.
By configuring the application to return no HTML tags, you guarantee malicious scripts have no entry point, shutting down potential XSS vectors altogether. This direct, foolproof approach makes it the most effective mitigation.
B. At work all web servers are in a DMZ, and this makes sense because the DMZ is separated from the rest of the infrastructure. The question talks about mitigation: even if someone runs a script, since it's in the DMZ it won't go anywhere.
For the administrator of a website, defenses against XSS include maintaining a patched web server, using web application firewalls, operating a host-based intrusion detection system (HIDS), auditing for suspicious activity, and, most important, performing server-side input validation for length, malicious content, and metacharacter filtering. As a web user, you can defend against XSS by keeping your system patched, running antivirus software, and avoiding nonmainstream websites. There are add-ons for some web browsers, such as NoScript for Firefox and uBlock Origin for Chrome, that allow only scripts of your choosing to be executed.
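The comments above describe answer D in two ways: output encoding so that user input reaches the browser as plain text, and server-side metacharacter filtering. The following is an added example (not from this thread or from any exam source) showing both a vulnerable template and its encoded form, plus a check that no user-originated tag survives; the function names (escapeHtml, renderProfileUnsafe, renderProfileSafe, onlyTemplateTags) and the sample inputs are hypothetical.

```javascript
// Added example: HTML output encoding for untrusted data, so the browser
// receives no tags or attribute breaks that originated from the user.
// All names and sample values here are constructed for illustration.

// Characters that change meaning in HTML text or quoted-attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode untrusted data for an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: raw user input is concatenated into the page, so
// any tag the user submits is returned to the browser as markup.
function renderProfileUnsafe(displayName, bio) {
  return `<h1>${displayName}</h1><p class="bio">${bio}</p>`;
}

// Hardened rendering: every untrusted value passes through the encoder, so
// the only tags in the response are the ones the template itself emits.
function renderProfileSafe(displayName, bio) {
  return `<h1>${escapeHtml(displayName)}</h1><p class="bio">${escapeHtml(bio)}</p>`;
}

// Defensive check for tests or a response filter: count the tags in the
// output and compare with the number the template is known to emit.
// Returns true when no user-originated tag survived encoding.
function onlyTemplateTags(html, expectedTagCount) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.length === expectedTagCount;
}

// Constructed sample input containing the metacharacters that matter for XSS.
const SAMPLE_NAME = 'Mallory <img src=x onerror=alert(1)>';
const SAMPLE_BIO = 'Likes "quotes" & <script>alert(1)</script>';

// The template emits exactly four tags: <h1>, </h1>, <p class="bio">, </p>.
console.log('unsafe:', renderProfileUnsafe(SAMPLE_NAME, SAMPLE_BIO));
console.log('safe:  ', renderProfileSafe(SAMPLE_NAME, SAMPLE_BIO));
console.log('unsafe passes check?', onlyTemplateTags(renderProfileUnsafe(SAMPLE_NAME, SAMPLE_BIO), 4));
console.log('safe passes check?  ', onlyTemplateTags(renderProfileSafe(SAMPLE_NAME, SAMPLE_BIO), 4));
```

The encoder is only correct for HTML text and quoted attribute values; data placed inside a script block, a URL, or a CSS property needs the encoding rules of that context instead.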