A web developer is creating a new feature that allows users to post comments on articles. The developer decides to trust that all user input will be benign and renders the comments directly into the webpage's HTML without any form of validation or sanitization. Which of the following vulnerabilities is most likely to be introduced by this practice?
The correct answer is Cross-site scripting (XSS). XSS vulnerabilities occur when a web application takes untrusted data, such as user comments, and sends it to a web browser without properly validating or encoding it. This allows attackers to inject malicious scripts into the webpage, which then execute in the browsers of other users. SQL injection is incorrect because it involves unsanitized input being used in database queries, not rendered directly to HTML. Cross-site request forgery involves tricking a user into performing an unwanted action, and directory traversal is an attack to access unauthorized files; neither is the direct result of rendering un-sanitized content.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Cross-site Scripting (XSS)?
Open an interactive chat with Bash
How does XSS differ from SQL Injection?
Open an interactive chat with Bash
What can developers do to prevent XSS vulnerabilities?