Which vulnerability is characterized by performing unauthorized actions on a web application using an authenticated user’s credentials?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $9.99Unlock all

Prepare for the PCI Approved Scanning Vendor (ASV) Test. Study with flashcards, multiple choice questions, hints, and explanations. Get exam ready!

Multiple Choice

Which vulnerability is characterized by performing unauthorized actions on a web application using an authenticated user’s credentials?

Explanation:
Cross-site request forgery is at work when an attacker makes a user perform actions on a web application using that user’s authenticated session. The user is already logged in, so their browser sends the site's normal credentials (like a session cookie) with the forged request. The site sees a legitimate request from the user and carries out the action, even though the user didn’t intend to perform it. This leverages the trust a site has in the user’s authenticated session. This is different from cross-site scripting, which would inject and execute malicious code in the user’s browser, potentially stealing data or credentials. It’s also not about weaknesses in authentication itself (broken authentication) or about accessing files via directory traversal. CSRF specifically exploits the fact that actions are performed with the user’s existing credentials in an authenticated session. Mitigations include CSRF tokens, SameSite cookies, and requiring extra verification for sensitive actions.

Cross-site request forgery is at work when an attacker makes a user perform actions on a web application using that user’s authenticated session. The user is already logged in, so their browser sends the site's normal credentials (like a session cookie) with the forged request. The site sees a legitimate request from the user and carries out the action, even though the user didn’t intend to perform it. This leverages the trust a site has in the user’s authenticated session.

This is different from cross-site scripting, which would inject and execute malicious code in the user’s browser, potentially stealing data or credentials. It’s also not about weaknesses in authentication itself (broken authentication) or about accessing files via directory traversal. CSRF specifically exploits the fact that actions are performed with the user’s existing credentials in an authenticated session. Mitigations include CSRF tokens, SameSite cookies, and requiring extra verification for sensitive actions.

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy