| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 21.6 - Exploiting Web Application Vulnerabilities
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series rounds out the web attacks within Domain 8 by looking at how attackers abuse trust. It covers cross-site scripting and its reflected and stored forms, request forgery against both users and servers, and session hijacking, along with the input validation, tokens, and session hygiene that counter them.
What this episode covers
- Cross-site scripting — injecting attacker code into a page so it runs in the victim’s browser as if from the site.
- Reflected XSS — the script rides in a crafted link and bounces straight back into the page.
- Stored XSS — the script is planted on the server and fires for every future visitor.
- DOM-based variant — manipulates the page structure in the browser without changing server code.
- Request forgery — cross-site forgery fires commands at another logged-in site; server-side tricks the server into fetching a URL.
- Session hijacking — seizing a live, authenticated session by replay, man-in-the-middle, or stolen cookie.
- The defenses — input validation, output encoding, secret tokens, origin checks, anti-replay controls, and expiring cookies.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What is cross-site scripting?
Cross-site scripting happens when an application lets an attacker inject their own web code into a page that others will view. The application trusts input and renders it, so the attacker’s script runs inside the victim’s browser as if the site itself put it there. A harmless demo just pops up an alert box, but a real attack can capture passwords or hijack accounts. The whole class exploits the trust a user places in a legitimate website.
How do reflected and stored cross-site scripting differ?
The difference is where the malicious script lives. In reflected cross-site scripting, the script rides along in the request itself, often hidden in a crafted link, and the site bounces it straight back into the page and runs it. Stored, or persistent, cross-site scripting is nastier because the attacker plants the script on the server, so it fires for every future visitor automatically. The universal cure is input validation and output encoding.
How does request forgery hijack a user’s or a server’s trust?
Request forgery tricks someone or something into sending a command it did not intend. Cross-site request forgery exploits the fact that a user is often logged into many sites at once, so an attacker embeds a hidden command that fires against a second site where the victim is authenticated. Server-side request forgery instead tricks the server into fetching a URL of the attacker’s choosing. Defenses include secret tokens the attacker cannot guess and checking that requests truly originated from your own site.
How does session hijacking steal an active identity?
Session hijacking is when an attacker seizes an already-authenticated session and impersonates the legitimate user. Common routes include capturing and replaying the authentication details exchanged between client and server, tricking the client into treating the attacker as the server, or stealing the cookie of someone who never properly logged out. You defend with administrative controls like anti-replay techniques and application controls like cookies that expire promptly.
What is the common theme across these web attacks?
Cross-site scripting injects attacker code into pages by abusing a user’s trust in a site, countered by input validation and output encoding. Request forgery abuses trust in the other direction, tricking a user’s browser or your own server into issuing unwanted commands, countered by secret tokens and origin checks. Session hijacking steals a live, authenticated identity, countered by anti-replay controls and expiring cookies. Across all of them, the theme is the same: never let trust go unverified.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 21.6 - Exploiting Web Application Vulnerabilities.