Free ISACA Cybersecurity Audit Certificate Actual Exam Questions - Question 13 Discussion
Maybe B, since it’s the only one that clearly involves script injection into websites.
I’d drop A outright because it’s too vague—“malicious code” could mean anything, not necessarily scripts on a trusted site. D is definitely about databases, not injecting scripts into the website itself. C is just about flooding a site, so no script injection there. B fits best since cross-site scripting is literally about injecting malicious scripts into trusted websites to mess with users. But does this question assume the attack affects the site’s code or just the users visiting? Because that might change how we think about it.
Yeah, B fits best since it specifically involves injecting scripts into websites to attack users. The others don’t really deal with script injection like that. Does the question wording exclude any XSS types?
Actually, option D, SQL injection, is about injecting malicious code but specifically into databases, not scripts into a website’s front end. So that rules it out for script injection. Denial-of-service (C) is about overwhelming a system, no script involved. Malicious code (A) is too vague here. Cross-site scripting (B) is definitely the attack that injects scripts into trusted sites to affect users, so B fits best for the specific scenario described.
B imo, because the question is about injecting scripts into a trusted website, which is exactly what cross-site scripting does. The other options don’t involve script injection: DoS is about overwhelming servers, SQL attacks target databases, and "malicious code" is too general. So B fits perfectly here.
Option B makes the most sense because cross-site scripting specifically involves injecting harmful scripts into trusted websites, unlike DoS or SQL attacks which target availability or databases.
Not A, it's definitely B. Cross-site scripting is all about injecting malicious scripts into trustworthy sites. The others don't fit this attack method.