GIAC Security Leadership Certification (GSLC) — Question 22
An attacker discovers an XSS vulnerability on the website www.vulnerability.com. The attacker sends an email to several potential victims with a link that exploits the XSS vulnerability.
What role does the application server for www.vulnerability.com play in this attack?
Answer options
- A. Stores the XSS code in the website’s backend database
- B. Sends the XSS code results back to the attacker’s host
- C. Executes the XSS code on the front end web server
- D. Echoes the XSS code back to the victim’s browser
Correct answer: C
Explanation
The correct answer is C because the application server processes the XSS code, executing it on the front end web server. Option A is incorrect as the XSS code is not necessarily stored in a database, while B is wrong because the results do not need to be sent to the attacker. Option D is also incorrect as the server does not simply echo back the code; it executes it in the context of the victim's browser.