GIAC Penetration Tester (GPEN) — Question 52

While performing an assessment on a banking site, you discover the following link: hnps://mybank.com/xfer.aspMer_toMaccount_number]&amount-[dollars]
Assuming authenticated banking users can be lured to your web site, which crafted html tag may be used to launch a XSRF attack?

Answer options

• A. <imgsrc-"java script alert (‘document cookie'):">
• B. <scripi>alert('hnps:/'mybank.com/xfer.a$p?xfer_io-[attacker_account]&amoutn-[dollars]')</script>
• C. <scripr>document.\write('hTtp$://mybankxom/xfer.a$p?xfer_to-[attacker.accountl &amount-[dollars)</script>
• D. <img src-'https/mybank.com/xfer.asp?xfer_to=[artacker_account]&amount= [dollars]">

Correct answer: C

Explanation

Option C is the correct choice because it contains a script that, when executed, would redirect the user's browser to the attacker's specified URL, performing the XSRF attack. The other options either contain syntax errors or are incorrectly formatted, making them ineffective for this attack type.