While assessing an e-commerce site's product search feature, you observe that whatever text a user supplies in the "q" parameter is echoed back in the resulting HTML without any encoding. According to the OWASP Web Security Testing Guide v4.2, which specific test case should you perform next to confirm and document this vulnerability?
Testing for Reflected Cross-Site Scripting (WSTG-INPV-01)
Testing for Stored Cross-Site Scripting (WSTG-INPV-02)
Testing for SQL Injection (WSTG-INPV-05)
Testing for HTTP Parameter Pollution (WSTG-INPV-04)
Testing for Reflected Cross-Site Scripting (WSTG-INPV-01) is the correct next step because the issue involves user input that is immediately reflected in the response, a hallmark of reflected XSS. That test outlines payload injection, reflection analysis, and impact verification procedures needed to prove the flaw. Stored XSS focuses on data that is persisted server-side; HTTP Parameter Pollution targets duplicate parameters to bypass validation; SQL Injection probes for database-layer manipulation. None of those directly confirm the observed reflection behavior.