
Eccouncil Exam 312-96 Topic 1 Question 13 Discussion

Actual exam question for Eccouncil's 312-96 exam
Question #: 13
Topic #: 1

Thomas is not skilled in secure coding. He has neither undergone secure coding training nor is he aware of the consequences of insecure coding. One day, he wrote code as shown in the following screenshot. He passed the 'false' parameter to the setHttpOnly() method, which may result in a certain type of vulnerability. Identify the attack that could exploit the vulnerability in the above case.

Suggested Answer: B
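
A cookie issued with setHttpOnly(false) goes out without the HttpOnly attribute, so scripts running in the page can read it. The following is an added example, not code from the exam question or its screenshot: a small check that reviews Set-Cookie response header values and reports cookies missing the flag. The header values and the session-name heuristic are constructed assumptions.

```python
# Added example. The Set-Cookie values in SAMPLE_HEADERS are constructed.
SESSION_HINTS = ("session", "sid", "auth", "token")  # assumed naming heuristic


def parse_set_cookie(value):
    """Return (name, attrs) for one Set-Cookie value, or None if malformed."""
    parts = [p.strip() for p in value.split(";")]
    name, sep, _ = parts[0].partition("=")
    if not sep or not name.strip():
        return None
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            # Attribute names are case-insensitive, so normalise them.
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit(headers):
    """List cookies a page script could read because HttpOnly is absent."""
    findings = []
    for value in headers:
        parsed = parse_set_cookie(value)
        if parsed is None:
            continue  # skip values that are not name=value cookies
        name, attrs = parsed
        if "httponly" in attrs:
            continue  # flag present: not exposed to document.cookie
        is_session = any(hint in name.lower() for hint in SESSION_HINTS)
        findings.append({"cookie": name, "severity": "high" if is_session else "low"})
    return findings


SAMPLE_HEADERS = [
    "JSESSIONID=8F3A; Path=/; Secure",            # shape sent after setHttpOnly(false)
    "JSESSIONID=8F3A; Path=/; Secure; HttpOnly",  # shape sent after setHttpOnly(true)
    "theme=dark; Path=/",                         # non-sensitive preference cookie
    "authToken=abc; Path=/; httponly",            # lower-case flag still counts
    "garbage-without-equals",                     # malformed, ignored
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```
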

Contribute your Thoughts:

Leanna
10 months ago
I don't think so, Delbert. SQL Injection usually happens when user input is not properly sanitized.
upvoted 0 times
...
Delbert
10 months ago
But could it also result in a SQL Injection Attack? I'm not entirely sure.
upvoted 0 times
...
Karon
10 months ago
I agree with Leanna. Passing 'false' to setHttpOnly() can expose the application to client-side script attacks.
upvoted 0 times
...
Leanna
10 months ago
I think the vulnerability shown in the screenshot could lead to a Client-Side Scripts Attack.
upvoted 0 times
...
Omega
10 months ago
I don't think so, because the issue is more related to client-side script access rather than directory traversal.
upvoted 0 times
...
Annalee
10 months ago
But couldn't it also potentially result in a Directory Traversal Attack?
upvoted 0 times
...
Rolande
11 months ago
I agree with Passing 'false' to setHttpOnly() can allow client-side scripts to access sensitive information.
upvoted 0 times
...
Omega
11 months ago
I think the vulnerability in the code could lead to a Client-Side Scripts Attack.
upvoted 0 times
...
Bernadine
12 months ago
I dunno, you guys. I'm kind of leaning towards the Directory Traversal Attack option. I mean, think about it – if the HttpOnly flag isn't set, the attacker could potentially access sensitive files on the server. That just seems like the most logical answer to me.
upvoted 0 times
...
Hana
12 months ago
Wow, you all are really going for it, huh? I'm just sitting here wondering how Thomas even got this job in the first place. I mean, secure coding training? What is this, rocket science? *laughs* Anyway, I'm going with Client-Side Scripts Attack. Seems like the safest bet.
upvoted 0 times
...
Lashawnda
12 months ago
Hold up, I don't think any of you have it right. This sounds more like a Directory Traversal Attack to me. If the HttpOnly flag isn't set, the attacker could try to access sensitive files or directories on the server. That's way more likely than a SQL Injection or Denial-of-Service attack in this case.
upvoted 0 times
...
Zena
12 months ago
You guys are overthinking this! It's clearly a Denial-of-Service attack. I mean, if the HttpOnly flag isn't set correctly, that could leave the session cookies vulnerable, and a hacker could just bombard the server with requests until it crashes. Easy peasy.
upvoted 0 times
...
Gearldine
12 months ago
Hmm, I'm not so sure about that. I mean, a Client-Side Scripts Attack makes sense, but what if someone tries to do a SQL Injection Attack instead? The way the code is written, it could leave the application vulnerable to that kind of attack as well. Decisions, decisions...
upvoted 0 times
...
Lynette
12 months ago
Oh man, this question is really tricky. Thomas clearly doesn't have a clue about secure coding, and passing 'false' to setHttpOnly() is just asking for trouble. I'm guessing the right answer has to be a Client-Side Scripts Attack, since that's a common vulnerability when you don't set the HttpOnly flag properly.
upvoted 0 times
...
