Security Testing — quiz

A search page reflects user input directly back into the HTML response without encoding. An attacker can inject <script>alert('xss')</script> into the URL and have it execute in another user's browser. Which OWASP Top 10 category does this fall under?

• A01 Broken Access Control
• A03 Injection — Cross-Site Scripting is classified as a form of injection in OWASP Top 10 2021
• A07 Identification and Authentication Failures
• A09 Security Logging and Monitoring Failures