Certified Cloud Security Professional – CCSP – Question250
Which of the following threat types involves the sending of invalid and manipulated requests through a user's client to execute commands on the application under their own credentials? A. Injection B. Cross-site request forgery C. Missing function-level access control D. Cross-site scripting
Correct Answer: B
Explanation:
Explanation: A cross-site request forgery (CSRF) attack forces a client that a user has used to authenticate to an application to send forged requests under the user’s own credentials to execute commands and requests that the application thinks are coming from a trusted client and user. Although this type of attack cannot be used to steal data directly because the attacker has no way to see the results of the commands, it does open other ways to compromise an application. Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. Cross-site scripting occurs when an attacker is able to send untrusted data to a user’s browser without going through validation processes.
Please disable your adblocker or whitelist this site!