🛡️ Free practice test question from: Cross-Site Scripting (XSS) (Security+)

This is a stored XSS attack, meaning the malicious script is permanently stored on the website's server (in the blog's comment section).

The injected script utilizes the fetch API to send an HTTP POST request to the attacker's server (https://attacker.com/cookies). The body of the request contains document.cookie, which includes the user's session cookies. By executing this script in the context of the user's browser, the attacker can steal these cookies and potentially use them to hijack the user's session, gaining unauthorized access to their account.

A) Is incorrect because the script does not perform a redirection; it sends data to a server.

B) Is incorrect as the script does not initiate multiple requests to cause a denial-of-service.

D) Is incorrect because the script does not modify the page's appearance but instead targets the extraction of cookies.

This vulnerability demonstrates why input validation and output encoding are crucial in web application security. Developers must carefully sanitize and validate all user-supplied input to prevent such scripts from being stored and executed.