During a web-application penetration test, a team receives credentials for a staging bug-tracking portal. Testers can create bug tickets that accept rich-text comments and are reflected back to any user who views the ticket. One tester suspects the comment field may be vulnerable to cross-site scripting (XSS) because no client-side filtering is observed in the browser's developer tools. Before documenting the finding, the lead wants concrete proof that any user-supplied text is rendered and executed by the browser at run time.
Which action will MOST effectively confirm exactly how the application processes user-supplied text in the comment field?
Review the web application's configuration files for input-filtering or request-validation settings.
Apply the latest operating-system patches to the host running the bug-tracking portal.
Search the web-server and application logs for entries that contain script tags or unusual HTML.
Use an intercepting proxy to inject a JavaScript payload into the comment field and observe the rendered ticket in a browser.
An intercepting proxy such as Burp Suite lets the tester edit the outbound HTTP request and insert a harmless JavaScript payload (for example, a script element that calls alert()). After forwarding the modified request and reloading the ticket, the alert firing in the browser demonstrates that the server reflected the input without output encoding or sanitization, conclusively proving an XSS condition. Because the proxy sits between the browser and the server, any client-side filtering is bypassed, so the test exercises the server's handling of the input directly. Reviewing server or application logs may reveal suspicious strings but cannot show whether the browser actually executed code. Examining configuration files might indicate that some request-filtering rules exist, yet it still does not verify runtime behavior. Applying operating-system updates is unrelated to how the web application renders user content.
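The check described above, as an added example that is not part of the original page: a vulnerable comment renderer beside a hardened one, and the reflection test a tester runs over the returned ticket HTML before firing the real alert() payload in a browser. The function names, the canary identifier zx9q and the ticket markup are constructed for this example and do not come from any particular bug-tracking product.

```javascript
// Added example, not code from the original page or from any real bug tracker.
// It shows the server-side behaviour an XSS probe exercises (raw vs encoded
// rendering of a comment) and a canary check a tester applies to the HTML that
// comes back through the intercepting proxy. Names and markup are constructed.

// Canary identifier: unique enough to locate the reflection anywhere in the page.
const CANARY_ID = 'zx9q';

// The five characters whose encoding decides whether comment text can break out
// of an HTML text node or attribute value.
const SPECIAL_CHARS = ['<', '>', '"', "'", '&'];

// One probe per character: id + char + id. If a probe comes back byte-for-byte,
// that character was reflected unencoded. Sent as a single comment body.
const PROBE = SPECIAL_CHARS.map((c) => `${CANARY_ID}${c}${CANARY_ID}`).join(' ');

// Vulnerable renderer: raw concatenation of the comment into the ticket HTML.
function renderCommentVulnerable(comment) {
  return `<div class="comment">${comment}</div>`;
}

// HTML-entity encode the characters listed above (text-node/attribute context).
function htmlEncode(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: same markup, encoded comment.
function renderCommentHardened(comment) {
  return `<div class="comment">${htmlEncode(comment)}</div>`;
}

// Whether the canary was reflected at all, encoded or not.
function isReflected(pageHtml, canaryId = CANARY_ID) {
  return pageHtml.includes(canaryId);
}

// Given the HTML of the rendered ticket, return the special characters that were
// reflected without encoding. An empty array with the id present means the comment
// was reflected but encoded; '<' and '>' both present means a <script> element in
// the comment will be parsed as markup, which the browser test then confirms.
function unencodedChars(pageHtml, canaryId = CANARY_ID) {
  return SPECIAL_CHARS.filter((c) => pageHtml.includes(`${canaryId}${c}${canaryId}`));
}

// Stand-alone demo: push the probe through both renderers and report.
for (const [name, render] of [['vulnerable', renderCommentVulnerable], ['hardened', renderCommentHardened]]) {
  const page = render(PROBE);
  console.log(name, 'reflected:', isReflected(page), 'unencoded:', unencodedChars(page));
}

// The payload the explanation describes, shown raw and encoded.
console.log(renderCommentVulnerable('<script>alert(1)</script>'));
console.log(renderCommentHardened('<script>alert(1)</script>'));
```

In practice the canary comment goes in first, through the proxy, to learn which characters survive and in which context they land; the alert() payload in a real browser is still the conclusive step, because the canary shows reflection, not execution. This canary covers the HTML text and attribute contexts only; a comment reflected inside a script block or a URL attribute needs a context-specific probe.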