Fundamentals of Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in Web Application Security MCQs

XSS is an attack where malicious scripts are injected into web pages viewed by other users.

Reflected XSS injects scripts that are immediately executed, while Stored XSS stores scripts on the server for future execution.

CSRF attacks aim to manipulate or forge requests on behalf of an authenticated user.

Same-Origin Policy restricts web pages from making requests to a different origin than the one that served the web page, helping prevent XSS attacks.

Encoding user input prevents the execution of injected malicious scripts, enhancing security.

Input validation contributes to preventing XSS attacks by validating and sanitizing user input.

Secure coding practices, such as validating and escaping output, ensure that user input is properly validated and sanitized before being displayed.

Proper session management validates and secures user sessions to prevent unauthorized requests, contributing to CSRF prevention.

Anti-CSRF tokens verify the authenticity of requests, preventing CSRF attacks.

User education programs can educate users about the risks of clicking on suspicious links and sharing sensitive information, contributing to prevention.

CSP defines and enforces a set of rules to mitigate XSS risks, contributing to security.

X-Frame-Options prevents web pages from being embedded within iframes on other sites, enhancing security.

HSTS instructs browsers to only connect to the website over secure (HTTPS) connections, enhancing security.

X-Content-Type-Options prevents browsers from interpreting files as a different MIME type than declared, enhancing security.

Referrer-Policy controls how much information is included in the HTTP Referer header when navigating to external sites, enhancing security.

CORP controls which origins are allowed to make requests for a resource, enhancing security.

Feature-Policy controls which browser features and APIs can be used by a web page, enhancing security.

Expect-CT instructs browsers to enforce certificate transparency requirements for the site's SSL/TLS certificates, enhancing security.

HPKP associates a set of public keys with a web server to prevent man-in-the-middle attacks, enhancing security.

Cache-Control controls how content is cached by browsers and intermediary caches, contributing to security.

Stored XSS attacks involve the long-term persistence of malicious scripts in the server's database.

Input validation and sanitization help differentiate between legitimate and malicious user input, preventing XSS attacks.

A successful CSRF attack can lead to unauthorized actions performed on behalf of the user without their consent.

Same-Site cookie attribute restricts when cookies are sent in cross-site requests, reducing the risk of CSRF.

Checking the Origin or Referer header validates that requests originate from the expected domain, contributing to CSRF prevention.

HTTP-only cookies restrict cookie access to client-side scripts, reducing the risk of theft in the context of XSS.

Proper error handling avoids the disclosure of sensitive information in error messages, contributing to XSS prevention.

CSP defines and enforces a set of rules to mitigate XSS risks, contributing to prevention.

Nonce values are unique values associated with scripts to prevent unauthorized execution in the context of XSS.

SRI verifies the integrity of external scripts to prevent tampering and injection, contributing to XSS prevention.