Cross-Site Scripting (XSS) is one of the most well-known application security risks in the OWASP Top 10. The attacker sends text-based attack scripts that exploit the interpreter in the browser to hijack user sessions, insert hostile content, redirect users, etc. Which of the following statements about XSS is correct? (Wentz QOTD)
A. Detection of most XSS flaws is fairly easy via testing or code analysis.
B. XSS is initiated only if a user clicks a link or button that activates malicious scripts.
C. XSS is subject to and thwarted by the Cross-Origin Resource Sharing (CORS) policy.
D. Malicious scripts that hijack user sessions are stored and executed on the webserver.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Detection of most XSS flaws is fairly easy via testing or code analysis.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

OWASP Top 10 – 2013 states “Detection of most XSS flaws is fairly easy via testing or code analysis.”

Reference

• Cross Site Scripting (XSS)
• Types of XSS
• “Same origin policy” and XSS
• SOP, CORS, CSRF and XSS simply explained with examples
• Web security

---

跨站腳本 (XSS) 是 OWASP Top 10 中最著名的應用程序安全風險之一。 攻擊者發送基於文本的攻擊腳本，利用瀏覽器中的直譯器劫持用戶會話、插入惡意內容、及重定向用戶等。 以下關於 XSS 的說法正確的是？ (Wentz QOTD)
A. 通過測試或代碼分析可以很容易地檢測到大多數 XSS 漏洞。
B. 僅當用戶單擊激活惡意腳本的鏈接或按鈕時才會啟動 XSS。
C. XSS 受跨源資源共享 (CORS) 政策的約束和阻礙。
D. 劫持用戶會話的惡意腳本在網絡服務器上存儲和執行。