CompTIA Security Plus Mock Test Q749

After visiting a website, a user receives an email thanking them for a purchase which they did not request. Upon investigation the security administrator sees the following source code
in a pop-up window:

HTML>
body onload=”document.getElementByID(‘badForm’).submit()”>
form id=”badForm” action=”shoppingsite.company.com/purchase.php” method=”post” >
input name=”Perform Purchase” value=”Perform Purchase”/>
/form>
/body>
/HTML>

Which of the following has MOST likely occurred?

A. SQL injection
B. Cookie stealing
C. XSRF
D. XSS

Correct Answer: C
Section: Application, Data and Host Security

Explanation:
XSRF or cross-site request forgery applies to web applications and is an attack that exploits the web application’s trust of a user who known or is supposed to have been
authenticated. This is often accomplished without the user’s knowledge.

Incorrect Answers:
A:; SQL injection attacks use unexpected input to a web application to gain access to the database used by web application. SQL injection attacks typically do not open pop-up browser
windows.
B: Cookie stealing is used in session hijacking. Cookies are one of the mechanisms used to validate a web user’s session. When stolen, it can be used to establish a session with a
host system that thinks it is still communicating with the original user. The original user’s session has been hijacked and no longer receives communication from the host system. They
will thus no receive pop-up windows.
D: Cross-site scripting (XSS) is a form of malicious code-injection attack on a web server in which an attacker injects code into the content sent to website visitors. XSS can be
mitigated by implementing patch management on the web server, using firewalls, and auditing for suspicious activity.

References:
http://en.wikipedia.org/wiki/Cross-site_request_forgery
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 335, 340
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 195-196