Cross-site scripting (XSS) is an application security vulnerability usually found in Web applications. What type of XSS vulnerab

admin2013-12-19 57

问题 Cross-site scripting (XSS) is an application security vulnerability usually found in Web applications. What type of XSS vulnerability occurs when a victim is tricked into opening a URL programmed with a rogue script to steal sensitive information?

选项 A、Persistent XSS vulnerability
B、Nonpersistent XSS vulnerability
C、Second-order vulnerability
D、DOM-based vulnerability

答案B

解析 B正确。跨站脚本攻击(Cross-Site Scripting，XSS)指的是攻击者把他们的恶意代码插入到脆弱网站的攻击行为。当毫无戒备的用户访问受感染的网页时，恶意代码会在受害者的浏览器上执行，并可能导致cookie被盗、会话被劫持、恶意软件被执行、访问控制被绕过或浏览器的漏洞被利用等情况的出现。XSS漏洞主要有三种类型：永久的XSS、非永久的XSS和基于DOM的XSS。当攻击者欺骗受害者打开一个用恶意脚本编写的URL以偷取受害者的敏感信息(比如cookie或会话ID)时，便会出现非永久漏洞(也叫反射漏洞)。这个攻击的原理在于利用了动态网站上缺乏适当的输入或输出验证这一弱点。诸如此类的XSS攻击可能造成大规模破坏。cookie被盗可能导致Web邮件系统受损、博客攻击、银行账户被关闭。大多数钓鱼攻击都是由XSS漏洞引起的。
A不正确。因为永久漏洞针对的是允许将用户输入的数据存储在数据库或类似地方(比如论坛或消息板)的网站。这类攻击的代码能够自动呈现，而无须诱使用户访问第三方网站。克服XSS漏洞的最好方法是培养安全编程习惯。Web应用程序开发人员必须确保过滤每个用户输入。用户输入应该仅仅允许有限的、已知且安全的字符。
C不正确。因为二阶漏洞(second-order Vulnerability)是永久XSS漏洞的另外一个名称，它针对的是允许用户输入存储在数据库上的数据的网站。
D不正确。因为在基于DOM的XSS漏洞中，攻击者使用文件对象模型(Document Object Mode，DOM)环境来修改原始的客户端JavaScript，进而导致受害者的浏览器执行得到的被篡改的JavaScript代码。因此，跨站攻击可以用来发现受害者Web浏览器的漏洞。一旦攻击者成功破解这个系统，他可能会进一步渗入到该网络上的其他系统或者执行可在内部网络上传播的脚本。对客户端而言，防止XSS攻击的最有效方法是禁用浏览器对脚本语言支持。如果这个方法不可行，那么可以使用内容过滤代理服务器。

转载请注明原文地址:https://www.kaotiyun.com/show/oyhZ777K

CISSP认证

相关试题推荐

随机试题

最新回复(0)

Cross-site scripting (XSS) is an application security vulnerability usually found in Web applications. What type of XSS vulnerab

CISSP认证

Individualsandbusinesseshavelegalprotectionforintellectualpropertytheycreateandown.Intellectualproper【C1】______fro

Theterme-commercereferstoallcommercialtransactionsconductedovertheInternet,includingtransactionsbyconsumersandb

Theterme-commercereferstoallcommercialtransactionsconductedovertheInternet,includingtransactionsbyconsumersandb

Inthe1930s,anAmericanmeatcompanycameoutwithaspicedhamproductsoldinacan.Beforelong,Spam,asitwascalled,be

In2009theEuropeanCommissioncarriedoutaninvestigationintoMicrosoft.TheAmericansoftwaregianttiedInternetExplorer,

[A]Meetingdifferentneeds[B]Smallerisbetter[C]Betterproductmakesgreaterquantity[D]Qualityvsquantity[E]Chillyc

[A]Marketforglasscraftsisgrowing[B]Dependenceofcomputerdevelopmentonglass[C]Behindtheadaptabilityofglass[D]

DespiteincreasedairportsecuritysinceSeptember11th,2001,thetechnologytoscanbothpassengersandbaggageforweaponsan

Companieshaveembarkedonwhatlookslikethebeginningsofare-runofthemergersandacquisitions(M&A)wavethatdefinedth

Americanfarmershavebeencomplainingoflaborshortagesforseveralyearsnow.Givenamulti-yeardeclineinillegalimmigrati

A．非同步电复律B．同步电复律C．阿托品1～2mg静脉注射D．静脉注射胺碘酮心室停搏患者，应首先采取哪种措施

施工设计阶段的卫生审查首先核查

甲是某期货公司的债权人，期货公司对甲的债务届期不能清偿。如果甲起诉期货公司并申请人民法院保全财产，人民法院保全的范围可以包括()。

银行业从业人员根据所在机构和客户之间的契约而产生的服务方式的差异，是歧视客户的表现。()

下列各项中，属于固定资产减值测试时预计其未来现金流量不应考虑的因素有()。

下列属于条件抑制的是()。

Accordingtothepassage,a"pacing"device______.Whenyouarereadinganovel,youshouldcheckyourunderstandingoftheco

Itwasthedistrictsportsmeeting.Myfootstillhadn’thealed(痊愈)froma(n)【C1】injury.Ihad【C2】whetherornot

Likemanyofmygeneration,Ihaveaweaknessforheroworship.Atsomepoint,however,wealltoquestionourheroesandourne

Bythemid-nineteenthcentury,theterm"icebox"hadenteredtheAmericanlanguage,buticewasstillonlybeginningtoaffectt

Cross-site scripting (XSS) is an application security vulnerability usually found in Web applications. What type of XSS vulnerab

CISSP认证

Individualsandbusinesseshavelegalprotectionforintellectualpropertytheycreateandown.Intellectualproper【C1】______fro

Theterme-commercereferstoallcommercialtransactionsconductedovertheInternet,includingtransactionsbyconsumersandb

Theterme-commercereferstoallcommercialtransactionsconductedovertheInternet,includingtransactionsbyconsumersandb

Inthe1930s,anAmericanmeatcompanycameoutwithaspicedhamproductsoldinacan.Beforelong,Spam,asitwascalled,be

In2009theEuropeanCommissioncarriedoutaninvestigationintoMicrosoft.TheAmericansoftwaregianttiedInternetExplorer,

[A]Meetingdifferentneeds[B]Smallerisbetter[C]Betterproductmakesgreaterquantity[D]Qualityvsquantity[E]Chillyc

[A]Marketforglasscraftsisgrowing[B]Dependenceofcomputerdevelopmentonglass[C]Behindtheadaptabilityofglass[D]

DespiteincreasedairportsecuritysinceSeptember11th,2001,thetechnologytoscanbothpassengersandbaggageforweaponsan

Companieshaveembarkedonwhatlookslikethebeginningsofare-runofthemergersandacquisitions(M&A)wavethatdefinedth

Americanfarmershavebeencomplainingoflaborshortagesforseveralyearsnow.Givenamulti-yeardeclineinillegalimmigrati

A．非同步电复律B．同步电复律C．阿托品1～2mg静脉注射D．静脉注射胺碘酮心室停搏患者，应首先采取哪种措施

施工设计阶段的卫生审查首先核查

甲是某期货公司的债权人，期货公司对甲的债务届期不能清偿。如果甲起诉期货公司并申请人民法院保全财产，人民法院保全的范围可以包括()。

银行业从业人员根据所在机构和客户之间的契约而产生的服务方式的差异，是歧视客户的表现。()

下列各项中，属于固定资产减值测试时预计其未来现金流量不应考虑的因素有()。

下列属于条件抑制的是()。

Accordingtothepassage,a"pacing"device______.Whenyouarereadinganovel,youshouldcheckyourunderstandingoftheco

Itwasthedistrictsportsmeeting.Myfootstillhadn’thealed(痊愈)froma(n)【C1】______injury.Ihad【C2】______whetherornot

Likemanyofmygeneration,Ihaveaweaknessforheroworship.Atsomepoint,however,wealltoquestionourheroesandourne

Bythemid-nineteenthcentury,theterm"icebox"hadenteredtheAmericanlanguage,buticewasstillonlybeginningtoaffectt

Itwasthedistrictsportsmeeting.Myfootstillhadn’thealed(痊愈)froma(n)【C1】injury.Ihad【C2】whetherornot