Test your understanding of Cross-Site Scripting (XSS).
` fail when injected into an HTML
attribute like ``?',
options: [
'Because the browser interprets it as the value of the attribute, not as executable code. The attacker must first
break out of the attribute (e.g., `">`).',
'Because script tags are illegal in HTML5.',
'Because alert() doesn\'t work in inputs.',
'Because attributes are always encrypted.'
],
correctAnswer: 0,
explanation: 'Context matters. Inside an attribute, characters are treated as data. You must close the attribute
(and tag) to start a new execution context.',
difficulty: 'medium'
},
{
question: 'What is the primary purpose of the `HttpOnly` cookie flag in the context of XSS?',
options: [
'It prevents client-side JavaScript (including XSS payloads) from accessing the cookie, mitigating session
hijacking.',
'It prevents the cookie from being sent over HTTP.',
'It makes the cookie valid for HTTP requests only, not images.',
'It encrypts the cookie on the client side.'
],
correctAnswer: 0,
explanation: 'While XSS can still perform actions, `HttpOnly` stops the attacker from simply stealing the session
token via `document.cookie`.',
difficulty: 'easy'
},
{
question: 'Which of the following is considered a dangerous "sink" in JavaScript that can lead to DOM XSS?',
options: [
'innerHTML',
'innerText',
'textContent',
'console.log'
],
correctAnswer: 0,
explanation: '`innerHTML` parses the assigned string as HTML. If that string contains scripts (or event handlers
like `onerror`), they will execute. `innerText` treats the assigned string as plain text.',
difficulty: 'medium'
},
{
question: 'What is an "XSS Polyglot"?',
options: [
'A single payload string designed to break out of multiple different contexts (HTML, attribute, script string)
simultaneously.',
'A payload that works in multiple languages (English, French, etc.).',
'A script that translates XSS into SQLi.',
'A tool that automatically finds XSS.'
],
correctAnswer: 0,
explanation: 'Polyglots (e.g., `javascript://%250Aalert(1)//"/*\'/*`) are useful for blind testing to see if any
code execution triggers across unknown contexts.',
difficulty: 'medium'
},
{
question: 'If a filter strips the `