This is 100% cross-site request forgery... The basic way it works is someone sends you a link to execute commands on a website you are already authenticated with (hence "it runs with the user's credentials" being the key)
see my comment below
I think that "sending of untrusted data to a user's browser" corresponds more to a stored XSS than a CSRF
In CSRF you do not directly send forged data to the browser
Certainly B.
XSS means user loads a site he/she trusts which has an injected script of attacker and that user's browser executes that attacker's script with the authentication of that user because he/she may be logged in to the site at that time.
With CSRF, an attacker tricks a user's browser into issuing requests which are first sent by the attacker to the user, and the website executes the attacker's requests. Here, the website trusts the user not the other way around. There is no script from the attacker that is stored on the website in this case.
Both attacks relate to lack of authenticating/validating user input.
B. Cross-site scripting (XSS): XSS vulnerabilities occur when an application includes untrusted data on a web page without proper validation or escaping, allowing attackers to execute malicious scripts in the user's browser. These scripts run in the context of the user's session, potentially using their credentials and access.
C. Cross-site request forgery (CSRF): CSRF attacks involve tricking a user into making unwanted actions on a web application where they are authenticated. It doesn't involve injecting and executing untrusted scripts in the user's browser.
CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf (though note that this is not true of login CSRF, a special form of the attack described below). For most sites, browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, Windows domain credentials, and so forth. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.
Correct Answer is C
good discussion here. My first thought was XSS but you may have convinced me that it should be CSRF. I hope I don't have that question on my test tomorrow.
Answer is C (CSRF). Just have a look at any diagram of CSRF, you will notice the hacker will send a user a phishing link where the user will enter his credentials.
B. Cross-Site Request Forgery (CSRF) is a type of attack that tricks the victim into submitting a malicious request. It infiltrates a victim's browser and then forces it to send an HTTP request to a target site to which the victim is already authenticated.
The crucial difference is that with CSRF, the malicious request is sent to the site with the victim's credentials, meaning it's the site that's fooled into thinking the request is legitimate. With Cross-Site Scripting (XSS), malicious scripts are executed in the user's browser, not the server.
B. XSS
CSRF attacks require the authenticated user to be in an active session, while the XSS attack does not. In an XSS attack, payloads can be stored and delivered whenever the user logs in.
Answer is B, XSS
Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application.
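Added example, not code from any poster in this thread: the CSRF behaviour several comments describe (the browser attaches the session cookie automatically, so the site cannot tell a forged request from a real one), shown from the server side as a cookie-only handler next to one that also checks a session-bound token and the Origin header. The host bank.example, the session id and the handler names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed for the demo)
SESSIONS = {"sid-alice": "alice"}     # constructed session store


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session; embedded in forms the site itself serves."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_cookie_only(request: dict) -> bool:
    """Vulnerable pattern: the session cookie alone authorizes the action."""
    return request["cookies"].get("session") in SESSIONS


def handle_with_csrf_check(request: dict) -> bool:
    """Hardened pattern: also require the session-bound token and a same-site Origin."""
    sid = request["cookies"].get("session")
    if sid not in SESSIONS:
        return False
    if request["headers"].get("Origin") != "https://bank.example":
        return False
    supplied = request["form"].get("csrf_token", "")
    return hmac.compare_digest(supplied, issue_csrf_token(sid))


def sample_requests() -> tuple[dict, dict]:
    """Constructed requests: one from the site's own form, one forged cross-site."""
    cookies = {"session": "sid-alice"}  # the browser attaches this automatically
    legit = {"cookies": cookies, "headers": {"Origin": "https://bank.example"},
             "form": {"to": "bob", "csrf_token": issue_csrf_token("sid-alice")}}
    forged = {"cookies": cookies, "headers": {"Origin": "https://other.example"},
              "form": {"to": "mallory"}}  # a third-party page cannot read the token
    return legit, forged


if __name__ == "__main__":
    legit, forged = sample_requests()
    for name, req in (("legitimate", legit), ("forged", forged)):
        print(name, handle_cookie_only(req), handle_with_csrf_check(req))
```

The cookie-only handler accepts both requests because both carry the same valid cookie; the token check fails for the forged one without any script having run in the user's browser, which is the distinction from XSS the thread is debating.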