Cross-site scripting vulnerability and mitigation

2025-familiarisation-se-q11 · Multipart · 3 marks

Source: NESA 2025 HSC Software Engineering Familiarisation Q11

Question

Bob is testing a website for vulnerability. The website allows the user to add their name at the end of the URL and prints their name on the webpage.

In addition to his name, Bob has added some code to the URL and an alert box is displayed.

localhost:8080/Bob<script>alert("Is this supposed to happen")</script>

Part (a) 1 mark

What type of vulnerability is being demonstrated?

A. Invalid redirecting
B. Cross site scripting
C. Broken authentication
D. Cross site request forgery

Part (b) 2 marks

Explain ONE way to minimise this vulnerability.


Part (a)

Cross site scripting.

Part (b)

The website should encode user-supplied data for the context it is output into before inserting it in the page, so characters such as < and > are rendered as literal text (&lt;script&gt;) instead of being parsed as markup and executed by the browser. Validating the name on input (for example, allowing only letters, spaces, hyphens and apostrophes, and rejecting anything else) is a complementary control; output encoding is what stops this particular payload from executing.
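The two mitigations in the model answer, shown side by side with the flaw, as an added example (not part of the NESA paper or the site's answer). It simulates the page's behaviour in plain JavaScript: the name is taken from the end of the request path and echoed into the HTML. The function names and the allow-list for a name are assumptions made for the illustration.

```javascript
// Added example, not from the original question or model answer.
// renderVulnerable() reproduces the flaw in the question; renderSafe()
// applies the two Part (b) mitigations: validate the input, then
// HTML-encode it before it reaches the page. Function names are hypothetical.

// Bob's request path from the question, as the server sees it (constructed).
const BOB_PATH = '/Bob<script>alert("Is this supposed to happen")</script>';

// The site reads the "name" from whatever follows the leading slash.
function nameFromPath(path) {
  return decodeURIComponent(path.replace(/^\//, ''));
}

// Vulnerable: raw user data spliced straight into markup, so the browser
// parses <script> as an element and runs it.
function renderVulnerable(name) {
  return `<html><body><p>Hello ${name}</p></body></html>`;
}

// Mitigation 1: output encoding for the HTML text context. Every character
// that can change how the browser parses the page becomes its entity, so
// <script> arrives as literal text and is displayed, not executed.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Mitigation 2: input validation with an allow-list for what a name may
// contain (letters, combining marks, apostrophe, space, hyphen; up to 64
// characters). Anything else is rejected rather than "cleaned up".
const NAME_RE = /^\p{L}[\p{L}\p{M}' -]{0,63}$/u;
function isValidName(name) {
  return NAME_RE.test(name);
}

// Hardened handler: validate first, and still encode on output. Encoding
// is the control that actually neutralises the payload; validation
// narrows the attack surface and gives a clean error for bad input.
function renderSafe(name) {
  if (!isValidName(name)) {
    return { status: 400, body: '<p>Invalid name</p>' };
  }
  return { status: 200, body: `<html><body><p>Hello ${escapeHtml(name)}</p></body></html>` };
}

// Check used below: does the response contain a script element at all?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Demonstration on Bob's payload and on an ordinary name.
const bobName = nameFromPath(BOB_PATH);
console.log('vulnerable response has <script>:', containsScriptTag(renderVulnerable(bobName)));
console.log('hardened response:', renderSafe(bobName));
console.log("ordinary name:", renderSafe("O'Brien").body);
```

Running the block shows the vulnerable handler emitting the live <script> element, while the hardened handler returns a 400 for Bob's input and, for a legitimate name containing an apostrophe, renders it encoded (O&#x27;Brien) so it displays correctly without becoming markup.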

Marking rubric

Part (a)

Marks  Description
1      Identifies cross-site scripting.

Part (b)

Marks  Description
2      Explains a suitable XSS mitigation.
1      Identifies a suitable mitigation.

Explanation

The injected script executes because the name taken from the URL is inserted into the page as raw HTML, so the browser parses <script>…</script> as markup and runs it. Because the payload is supplied in the request and reflected straight back in the response, this is reflected XSS; encoding the output for the HTML context (or rejecting the input) breaks that chain.

Metadata

Submitter
Seed data
Created
2026-05-02
Status
published
Syllabus
y12-secure-safe-code-vulnerabilities y12-secure-defensive-input-handling
Tags
XSS vulnerabilities input validation output encoding