Cross-site scripting vulnerability and mitigation
2025-familiarisation-se-q11 · Multipart · 3 marks
Source: NESA 2025 HSC Software Engineering Familiarisation Q11
Question
Bob is testing a website for vulnerability. The website allows the user to add their name at the end of the URL and prints their name on the webpage.
In addition to his name, Bob has added some code to the URL and an alert box is displayed.
localhost:8080/Bob<script>alert("Is this supposed to happen")</script>
Part (a) 1 mark
What type of vulnerability is being demonstrated?
| Invalid redirecting | Cross site scripting | Broken authentication | Cross site request forgery |
|---|---|---|---|

Vulnerability: ____________
Part (b) 2 marks
Explain ONE way to minimise this vulnerability.
Reveal answer
Part (a)
Cross site scripting.
Part (b)
The website should validate input and encode output before displaying it in the page. For example, the `<` and `>` in `<script>` should be encoded as `&lt;` and `&gt;` so the browser shows the name as plain text, or a name containing such characters should be rejected, rather than the tag being passed to the browser and executed.
Marking rubric
Part (a)
| Marks | Description |
|---|---|
| 1 | Identifies cross-site scripting. |
Part (b)
| Marks | Description |
|---|---|
| 2 | Explains a suitable XSS mitigation. |
| 1 | Identifies a suitable mitigation. |
Explanation
The injected script executes because the name taken from the URL is inserted into the HTML response without being encoded, so the browser parses `<script>` as a tag and runs the code inside it. This is reflected XSS: the payload travels in the request and is echoed straight back in the page. Output encoding turns `<` into `&lt;` so the same input is rendered as text, and input validation (an allow-list of what a name may contain) rejects it before it reaches the page at all.
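The following is an added example, not part of the NESA question or its sample answer. It models Bob's page in plain Node.js: the name after the last `/` in the URL is printed into the HTML. A vulnerable renderer is shown beside a hardened one so both mitigations from part (b), output encoding and allow-list input validation, can be exercised on Bob's exact payload. The function names, the regular expression used as the name policy, and the `{status, body}` response shape are assumptions for the sake of illustration.

```javascript
// Added example (not from the NESA paper): reflected XSS in a page that
// echoes the URL path, with the vulnerable and hardened renderers side by side.

// Output encoding for an HTML text context: the five characters that can
// change how the browser parses the surrounding markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Pull the "name" out of a URL such as http://localhost:8080/Bob.
// The WHATWG parser percent-encodes <, >, " and spaces in the path, so the
// value is decoded again before use. Returns null if the URL is malformed.
function nameFromUrl(urlString) {
  try {
    const url = new URL(urlString);
    return decodeURIComponent(url.pathname.slice(1));
  } catch {
    return null;
  }
}

// Input validation: an allow-list of what a name may contain (assumed policy:
// letters, spaces, apostrophes and hyphens, 1 to 64 characters). Anything
// else is rejected outright rather than "cleaned up".
function isValidName(name) {
  return typeof name === 'string' && /^[A-Za-z][A-Za-z '-]{0,63}$/.test(name);
}

// VULNERABLE: the raw name is concatenated straight into the page, so a
// "<script>" in the URL reaches the browser as a tag and runs.
function renderVulnerable(name) {
  return `<html><body><h1>Hello, ${name}</h1></body></html>`;
}

// HARDENED: the same page, but the name is encoded on output. The browser
// receives "&lt;script&gt;" and shows it as literal text.
function renderHardened(name) {
  return `<html><body><h1>Hello, ${escapeHtml(name)}</h1></body></html>`;
}

// Request handler combining both controls: reject names that fail the
// allow-list with a 400, and encode the ones that pass.
function handleRequest(urlString) {
  const name = nameFromUrl(urlString);
  if (!isValidName(name)) {
    return { status: 400, body: renderHardened('invalid name') };
  }
  return { status: 200, body: renderHardened(name) };
}

// Check usable in a test or CI gate: does a response contain a raw <script>
// tag where only text was expected?
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

// Bob's payload from the question, constructed here as sample input.
const PAYLOAD = 'Bob<script>alert("Is this supposed to happen")</script>';
const BOB_URL = 'http://localhost:8080/' + PAYLOAD;

console.log('vulnerable:', renderVulnerable(nameFromUrl(BOB_URL)));
console.log('hardened  :', renderHardened(nameFromUrl(BOB_URL)));
console.log('validated :', handleRequest(BOB_URL));
console.log('benign    :', handleRequest('http://localhost:8080/Bob'));
```

Encoding alone is enough to stop this particular payload; the allow-list is the second layer the sample answer mentions, and it also keeps junk out of anything the name is later written to (logs, a database, an e-mail). Note that `escapeHtml` is correct only for an HTML text context: a name placed inside an attribute, a `<script>` block or a URL needs the encoding for that context instead.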
Metadata
- Submitter: Seed data
- Created: 2026-05-02
- Status: published
- Syllabus: y12-secure-safe-code-vulnerabilities, y12-secure-defensive-input-handling
- Tags: XSS, vulnerabilities, input validation, output encoding