
Eccouncil Exam 312-96 Topic 1 Question 13 Discussion

Actual exam question for Eccouncil's 312-96 exam
Question #: 13
Topic #: 1

Thomas is not skilled in secure coding. He has neither undergone secure coding training nor is he aware of the consequences of insecure coding. One day, he wrote the code shown in the following screenshot. He passed the 'false' parameter to the setHttpOnly() method, which may result in a certain type of vulnerability. Identify the attack that could exploit the vulnerability in the above case.

Suggested Answer: B
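The question refers to the Java Servlet cookie API. As an added illustration (not code from the exam, the screenshot, or this site), the block below places the pattern the question describes, setHttpOnly(false), beside a hardened version, and adds a server-side check that refuses to emit a session cookie that lacks the flags. The class name SessionCookies, the cookie name, and the isHardened() helper are my own choices; the Cookie methods used (setHttpOnly, setSecure, isHttpOnly, getSecure, setPath, setMaxAge) exist in javax.servlet 3.0 and later.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class SessionCookies {

    // The pattern from the question: HttpOnly is explicitly switched off, so any
    // script running in the page (including injected script) can read this cookie
    // through document.cookie. That is why the answer is a client-side script attack.
    public static Cookie insecureSessionCookie(String sessionId) {
        Cookie c = new Cookie("SESSIONID", sessionId); // cookie name is an assumption
        c.setHttpOnly(false);
        return c;
    }

    // Hardened form: the browser keeps an HttpOnly cookie out of reach of script,
    // and Secure keeps it off plaintext HTTP.
    public static Cookie hardenedSessionCookie(String sessionId) {
        Cookie c = new Cookie("SESSIONID", sessionId);
        c.setHttpOnly(true);  // not readable from document.cookie
        c.setSecure(true);    // only sent over HTTPS
        c.setPath("/");
        c.setMaxAge(-1);      // session cookie, discarded when the browser closes
        return c;
    }

    // Defender-side guard: a cheap invariant check before the cookie leaves the server.
    public static boolean isHardened(Cookie c) {
        return c.isHttpOnly() && c.getSecure();
    }

    // Issue the session cookie; fail loudly rather than ship a readable session id.
    public static void issue(HttpServletResponse resp, String sessionId) {
        Cookie c = hardenedSessionCookie(sessionId);
        if (!isHardened(c)) {
            throw new IllegalStateException("session cookie missing HttpOnly/Secure");
        }
        resp.addCookie(c);
    }
}
```

For the container-managed session cookie (JSESSIONID) the same flags can be enforced once in web.xml with `<session-config><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config>` (Servlet 3.0+), so a developer cannot undo them with a stray setHttpOnly(false) on an individual cookie. HttpOnly does not prevent script injection itself; it only denies injected script direct access to the cookie value, so output encoding and input validation remain necessary.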

Contribute your Thoughts:

Leanna
6 months ago
I don't think so, Delbert. SQL Injection usually happens when user input is not properly sanitized.
upvoted 0 times
Delbert
6 months ago
But could it also result in a SQL Injection Attack? I'm not entirely sure.
upvoted 0 times
Karon
6 months ago
I agree with Leanna. Passing 'false' to setHttpOnly() can expose the application to client-side script attacks.
upvoted 0 times
Leanna
6 months ago
I think the vulnerability shown in the screenshot could lead to a Client-Side Scripts Attack.
upvoted 0 times
Omega
7 months ago
I don't think so, because the issue is more related to client-side script access rather than directory traversal.
upvoted 0 times
Annalee
7 months ago
But couldn't it also potentially result in a Directory Traversal Attack?
upvoted 0 times
Rolande
7 months ago
I agree. Passing 'false' to setHttpOnly() can allow client-side scripts to access sensitive information.
upvoted 0 times
Omega
7 months ago
I think the vulnerability in the code could lead to a Client-Side Scripts Attack.
upvoted 0 times
Bernadine
8 months ago
I dunno, you guys. I'm kind of leaning towards the Directory Traversal Attack option. I mean, think about it – if the HttpOnly flag isn't set, the attacker could potentially access sensitive files on the server. That just seems like the most logical answer to me.
upvoted 0 times
Hana
8 months ago
Wow, you all are really going for it, huh? I'm just sitting here wondering how Thomas even got this job in the first place. I mean, secure coding training? What is this, rocket science? *laughs* Anyway, I'm going with Client-Side Scripts Attack. Seems like the safest bet.
upvoted 0 times
Lashawnda
8 months ago
Hold up, I don't think any of you have it right. This sounds more like a Directory Traversal Attack to me. If the HttpOnly flag isn't set, the attacker could try to access sensitive files or directories on the server. That's way more likely than a SQL Injection or Denial-of-Service attack in this case.
upvoted 0 times
Zena
8 months ago
You guys are overthinking this! It's clearly a Denial-of-Service attack. I mean, if the HttpOnly flag isn't set correctly, that could leave the session cookies vulnerable, and a hacker could just bombard the server with requests until it crashes. Easy peasy.
upvoted 0 times
Gearldine
8 months ago
Hmm, I'm not so sure about that. I mean, a Client-Side Scripts Attack makes sense, but what if someone tries to do a SQL Injection Attack instead? The way the code is written, it could leave the application vulnerable to that kind of attack as well. Decisions, decisions...
upvoted 0 times
Lynette
8 months ago
Oh man, this question is really tricky. Thomas clearly doesn't have a clue about secure coding, and passing 'false' to setHttpOnly() is just asking for trouble. I'm guessing the right answer has to be a Client-Side Scripts Attack, since that's a common vulnerability when you don't set the HttpOnly flag properly.
upvoted 0 times