Prepare for the CompTIA PenTest+ Exam with our comprehensive materials. Test your knowledge with flashcards and multiple-choice questions, complete with explanations and hints. Achieve exam success!



What kind of XSS attack takes advantage of a web app's client-side implementation?

  1. Cross-site scripting (XSS) attack

  2. Persistent XSS attack

  3. Reflected XSS attack

  4. DOM-based XSS attack

The correct answer is: DOM-based XSS attack

The selected answer, DOM-based XSS attack, is correct because this type of attack specifically targets the Document Object Model (DOM) of a web application, exploiting the client-side scripts that manipulate the content displayed in the user's browser. In a DOM-based XSS attack, the vulnerability arises from the way in which the web application processes data received from the user on the client side, rather than through server-side processing. Attackers can inject malicious scripts that will execute within the context of the user's session.

This type of attack does not require the payload to be sent to the server first, making it particularly stealthy and challenging to detect. The manipulations occur purely within the browser and can be triggered by user interactions or URL parameters.

Other options, while related to XSS, do not focus specifically on the client-side interaction in this way. For instance, persistent XSS involves storing the malicious script on the server, which means it relies on server-side storage vulnerabilities rather than client-side processing. Reflected XSS occurs when the injected script is reflected off a web server, typically in an immediate session response, which also means there is a server interaction involved. These attack types differ fundamentally from DOM-based XSS as they depend more on server-s