While performing online banking using a Web browser, a user receives an email that contains a link to an
interesting Web site. When the user clicks on the link, another Web browser session starts and displays a
video of cats playing a piano. The next business day, the user receives what looks like an email from his bank,
indicating that his bank account has been accessed from a foreign country. The email asks the user to call his
bank and verify the authorization of a funds transfer that took place.
What Web browser-based security vulnerability was exploited to compromise the user?
A. Cross-Site Request Forgery
B. Cross-Site Scripting
C. Clickjacking
D. Web form input validation
Explanation:
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF,
is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the
website trusts.
Example and characteristics
If an attacker is able to find a reproducible link that executes a specific action on the target page while the
victim is logged in there, he is able to embed such a link on a page he controls and trick the victim into
opening it. The attack carrier link may be placed in a location that the victim is likely to visit while logged into the target site (e.g. a discussion forum), or sent in an HTML email body or attachment.
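The scenario above is the classic CSRF pattern: the browser attaches the bank's session cookie to any request aimed at the bank, including one triggered from the attacker's page, so a server that authorises on the cookie alone cannot tell a forged request from a legitimate one. The following added example (not part of the original question or of any real banking system) contrasts such a vulnerable transfer handler with a hardened one that requires a per-session synchronizer token and checks the Origin header. The site origin, the session store, the ledger and the request objects are all constructed stand-ins for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical origin of the banking site (assumption for this example).
SITE_ORIGIN = "https://bank.example"

# Constructed in-memory session store: session cookie -> {"user", "csrf_token"}.
SESSIONS: Dict[str, Dict[str, str]] = {}


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST as the server sees it."""
    cookies: Dict[str, str]
    form: Dict[str, str]
    origin: Optional[str] = None  # Origin header; browsers add it to cross-site POSTs


def login(user: str) -> Dict[str, str]:
    """Create a session plus a per-session CSRF token and hand both to the 'browser'."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return {"session": cookie, "csrf_token": SESSIONS[cookie]["csrf_token"]}


def _move(balances: Dict[str, int], src: str, dst: str, amount: int) -> bool:
    """Move funds in the constructed ledger; refuse overdrafts."""
    if balances.get(src, 0) < amount:
        return False
    balances[src] -= amount
    balances[dst] = balances.get(dst, 0) + amount
    return True


def transfer_vulnerable(req: Request, balances: Dict[str, int]) -> int:
    """Authorises on the session cookie alone: this is the CSRF weakness.
    A request auto-submitted by another site arrives with the same cookie."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401
    ok = _move(balances, sess["user"], req.form["to"], int(req.form["amount"]))
    return 200 if ok else 400


def transfer_hardened(req: Request, balances: Dict[str, int]) -> int:
    """Same action, but the request must also carry the session's CSRF token,
    which a cross-site page cannot read, and must not come from a foreign Origin."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401
    # Synchronizer token check, compared in constant time.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf_token"]):
        return 403
    # Origin check as defence in depth (absent on same-site form posts in some browsers).
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return 403
    ok = _move(balances, sess["user"], req.form["to"], int(req.form["amount"]))
    return 200 if ok else 400


def simulate() -> Dict[str, tuple]:
    """Run a forged and a legitimate request against both handlers; return (status, balance) pairs."""
    SESSIONS.clear()
    creds = login("victim")
    # Forged request: a page on another site auto-submits a form to the bank. The browser
    # attaches the bank cookie, but the page cannot include the token and Origin is its own.
    forged = Request(cookies={"session": creds["session"]},
                     form={"to": "attacker", "amount": "500"},
                     origin="https://cat-videos.example")
    # Legitimate request from the bank's own form carries the token and the bank's Origin.
    legit = Request(cookies={"session": creds["session"]},
                    form={"to": "landlord", "amount": "100", "csrf_token": creds["csrf_token"]},
                    origin=SITE_ORIGIN)
    results = {}
    ledger = {"victim": 1000}
    results["vulnerable_forged"] = (transfer_vulnerable(forged, ledger), ledger.get("attacker", 0))
    ledger = {"victim": 1000}
    results["hardened_forged"] = (transfer_hardened(forged, ledger), ledger.get("attacker", 0))
    ledger = {"victim": 1000}
    results["hardened_legit"] = (transfer_hardened(legit, ledger), ledger["victim"])
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome)
```

The vulnerable handler completes the forged transfer with a 200 because the cookie alone satisfies it; the hardened handler rejects the same request with 403 while still accepting the bank's own form. In a real deployment the token check is usually paired with `SameSite` cookie attributes, which keep the browser from attaching the session cookie to cross-site POSTs in the first place.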
Incorrect Answers:
C: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of
tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus
potentially revealing confidential information or taking control of their computer while clicking on seemingly
innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and
platforms. A clickjack takes the form of embedded code or a script that can execute without the user’s
knowledge, such as clicking on a button that appears to perform another function.
https://en.wikipedia.org/wiki/Cross-site_request_forgery