Question

A developer has executed code for a website that allows users to search for employees' phone numbers by last name. The query string sent by the browser is as follows: ?q=SMITHThe developer has implemented a well-known JavaScript sanitization library and stored procedures, but a penetration test shows the website is vulnerable to XSS.

Which of the following should the developer implement NEXT to prevent XSS? (Choose two.)

A. Sanitization library
B. Secure cookies
C. TLS encryption
D. Input serialization
E. Output encoding
F. PUT form submission

Answer 1

To prevent XSS vulnerabilities, the developer should implement input serialization and output encoding as the next steps. Option D and E are correct.

Step-by-step explanation:

To prevent XSS (Cross-site Scripting) vulnerabilities, the developer should implement input serialization and output encoding as the next steps. Input serialization involves validating and sanitizing the user input before it is processed or stored in the database to prevent any malicious scripts from being executed. Output encoding, on the other hand, ensures that any user-generated or dynamic content that is displayed on the website is properly encoded to prevent script injection.

TLS encryption and secure cookies can provide security against other types of attacks such as eavesdropping or session hijacking, but they do not address XSS directly. Form submission methods (e.g., GET, PUT) also do not directly mitigate XSS threats.