Certified Ethical Hacker (CEH v12) — Question 213

As part of a penetration testing team, you've discovered a web application vulnerable to Cross-Site Scripting (XSS). The application sanitizes inputs against standard XSS payloads but fails to filter out HTML-encoded characters. On further analysis, you've noticed that the web application uses cookies to track session IDs. You decide to exploit the XSS vulnerability to steal users' session cookies. However, the application implements HTTPOnly cookies, complicating your original plan. Which of the following would be the most viable strategy for a successful attack?

Answer options

Correct answer: D

Explanation

The correct answer is D. The filter matches the standard, literal payload strings, so writing parts of the payload as HTML character references (for example &#106; in place of the letter j) slips past it, and the browser decodes those references when it parses an attribute value such as an event handler or a javascript: URL, so the injected script still executes. HttpOnly then blocks the obvious next step: script cannot read document.cookie, so the session ID cannot be lifted and sent to the attacker directly. What the XSS still controls is what the victim sees and where the victim goes, which is why D uses it to send users to an attacker-controlled site. Two caveats a tester should keep in mind: entity encoding only helps in contexts the browser decodes (an attribute value), since &lt;script&gt; in body text renders as literal text; and the browser will not send the application's cookies to the attacker's domain on a redirect, so in practice the capture happens through a cloned login page that harvests credentials, or through the script already running in the victim's origin making authenticated requests on their behalf (the cookie is attached automatically even though script cannot read it). The other options either try to disable HttpOnly, which injected script cannot do, or describe attacks that do not use the XSS at all.
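The encoding bypass in the explanation, shown as an added example (this is not code from the exam page or any product; function names, the block-list and the sample payloads are constructed for illustration): a literal-string filter of the kind the question describes, a minimal model of the character-reference decoding a browser applies to attribute values, a canonicalising check that decodes before matching, and the real fix, contextual output encoding.

```javascript
// Added example, not from the exam page. Function names, the block-list and
// the sample payloads are constructed for illustration.

// 1. The filter the question describes: a case-insensitive block-list of
//    literal substrings. It matches "javascript:" but not "&#106;avascript:".
const BLOCKLIST = ["<script", "javascript:", "onerror=", "onload="];

function naiveFilter(input) {
  const lower = input.toLowerCase();
  return BLOCKLIST.some((bad) => lower.includes(bad));
}

// 2. A minimal model of what a browser does to an attribute value (href, src,
//    on* handlers) before using it: named (&lt;), decimal (&#106;) and hex
//    (&#x6A;) character references are decoded. Body text is not re-decoded
//    into markup, which is why this trick targets attribute contexts.
const NAMED = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };

function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED[body.toLowerCase()];
    return named !== undefined ? named : match;
  });
}

// 3. Canonicalise before matching: decode until the string stops changing
//    (bounded, so double encoding such as &amp;#106; is also unwrapped), then
//    apply the same block-list. Still a block-list, but no longer blind to
//    the encoding the question exploits.
function canonicalFilter(input, maxRounds = 5) {
  let current = input;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeEntities(current);
    if (next === current) break;
    current = next;
  }
  return naiveFilter(current);
}

// 4. The fix that does not depend on guessing payloads: encode output for the
//    HTML attribute context. Escaping '&' as well as < > " ' means the
//    attacker's "&#106;" survives as the literal text &#106; after the browser
//    decodes the attribute, rather than turning back into the letter j.
function encodeForHtmlAttribute(s) {
  return s.replace(/[&<>"']/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Constructed sample payload: "javascript:" with its first letter written as a
// decimal character reference, as in <a href="&#106;avascript:...">.
const ENCODED_PAYLOAD = "&#106;avascript:alert(document.domain)";

// What the filter sees versus what the browser executes.
function demo() {
  return {
    naiveBlocks: naiveFilter(ENCODED_PAYLOAD),            // false: bypassed
    browserSees: decodeEntities(ENCODED_PAYLOAD),         // "javascript:alert(document.domain)"
    canonicalBlocks: canonicalFilter(ENCODED_PAYLOAD),    // true
    afterOutputEncoding: decodeEntities(encodeForHtmlAttribute(ENCODED_PAYLOAD)), // literal text, not code
  };
}
```

The point of step 4 is that it does not need to know any payload: once `&` is encoded on output, nothing the attacker supplies is decoded into markup or a URL scheme. Note that none of this touches the HttpOnly part of the question; that flag only governs whether `document.cookie` exposes the session ID, and is unaffected by how the payload got past the filter.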