CompTIA Security Plus Mock Test Q748

The BEST methods for a web developer to prevent the website application code from being vulnerable to cross-site request forgery (XSRF) are to: (Select TWO).

A. Permit redirection to Internet-facing web URLs.
B. Ensure all HTML tags are enclosed in angle brackets, e.g., "<" and ">".
C. Validate and filter input on the server side and client side.
D. Use a web proxy to pass website requests between the user and the application.
E. Restrict and sanitize use of special characters in input and URLs.


Correct Answer: C,E
Section: Application, Data and Host Security

Explanation:
XSRF, or cross-site request forgery, applies to web applications and is an attack that exploits the web application's trust in a user who is known, or is supposed, to have been authenticated. This is often accomplished without the user's knowledge.
XSRF can be prevented by adding a randomization string (called a nonce) to each URL request and session establishment and checking the client HTTP request header referrer for spoofing.
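
The two controls the explanation names, a per-session nonce and a check of the request's source, as an added example that is not part of the original question or answer key. It assumes a hypothetical site origin `https://app.example`, uses plain dicts in place of a framework's session, form and header objects, and checks the `Origin` header first and falls back to `Referer`, which is the header the explanation refers to.

```python
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed value: the origin the application is served from.
SITE_ORIGIN = "https://app.example"


def issue_csrf_token(session: dict) -> str:
    """Create a fresh unguessable nonce and bind it to the user's session.

    The same token is then embedded in every form / state-changing URL the
    server renders, so a request forged from another site cannot know it.
    """
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    session["csrf_token"] = token
    return token


def source_origin(headers: dict) -> Optional[str]:
    """Return 'scheme://host' of the page that issued the request, or None."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def check_state_changing_request(session: dict, form_fields: dict,
                                 headers: dict) -> Tuple[bool, str]:
    """Accept a POST only if its nonce matches the session and it came from our site."""
    expected = session.get("csrf_token")
    supplied = form_fields.get("csrf_token", "")
    if not expected or not supplied:
        return False, "missing csrf token"
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, supplied):
        return False, "csrf token mismatch"
    origin = source_origin(headers)
    if origin is None:
        return False, "no Origin/Referer header"
    if origin != SITE_ORIGIN:
        return False, f"cross-site source {origin}"
    return True, "ok"
```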

Incorrect Answers:
A: Permitting redirection to Internet-facing web URLs is to do with redirecting data traffic. It is not used to prevent XSS attacks.
B: Ensuring all HTML tags are enclosed in angle brackets is not used to prevent XSS attacks. The use of angle brackets is standard practice in HTML code. Without angle brackets, the HTML code would not work.
D: Web proxies tend to be used for caching web page content and/or restricting access to websites to aid compliance with company Internet usage policies. Web proxies are not used to prevent XSS attacks.
