Which one of the following threat types to applications and services involves the sending of requests that are invalid and manipulated through a user's client to execute commands on the application under the user's own credentials?

A. Injection

B. Missing function-level access control

C. Cross-site scripting

D. Cross-site request forgery








 

Suggested Answer: D

Community Answer: D

A cross-site request forgery (CSRF) attack forces a client that a user has used to authenticate to an application to send forged requests under the user's own credentials to execute commands and requests that the application thinks are coming from a trusted client and user. Although this type of attack cannot be used to steal data directly because the attacker has no way of seeing the results of the commands, it does open other ways to compromise an application. Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without going through validation processes. An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries.

This question is in CCSP Certified Cloud Security Professional Exam
For getting Certified Cloud Security Professional (CCSP) Certificate






Disclaimers:
The website is not related to, affiliated with, endorsed or authorized by ISC. 
Trademarks, certification & product names are used for reference only and belong to ISC.
The website does not contain actual questions and answers from ISC's Certification Exams.