Certified Ethical Hacker (CEH v13) — Question 43
As part of a penetration testing team, you've discovered a web application vulnerable to Cross-Site Scripting (XSS). The application sanitizes inputs against standard XSS payloads but fails to filter out HTML-encoded characters. On further analysis, you've noticed that the web application uses cookies to track session IDs. You decide to exploit the XSS vulnerability to steal users' session cookies. However, the application implements HTTPOnly cookies, complicating your original plan. Which of the following would be the most viable strategy for a successful attack?
Answer options
- A. Build an XSS payload using HTML encoding and use it to exploit the server-side code, potentially disabling the HTTPOnly flag on cookies.
- B. Develop a browser exploit to bypass the HTTPOnly restriction, then use an HTML-encoded XSS payload to retrieve the cookies.
- C. Utilize an HTML-encoded XSS payload to trigger a buffer overflow attack, forcing the server to reveal the HTTPOnly cookies.
- D. Create a sophisticated XSS payload that leverages HTML encoding to bypass the input sanitization, and then use it to redirect users to a malicious site where their cookies can be captured.
Correct answer: D
Explanation
The correct answer is D because it involves crafting a sophisticated XSS payload that can bypass the application's input sanitization, allowing the attacker to redirect users to a malicious site where their cookies can be captured. Option A incorrectly suggests manipulating server-side code to disable HTTPOnly, which is not feasible. Option B proposes using a browser exploit that is not typically possible, and option C inaccurately describes using a buffer overflow to access HTTPOnly cookies, which is unrelated to XSS vulnerabilities.