1_3_3 Section 1 – Attacks, Threats, and Vulnerabilities - 1.3 – Application Attacks - Injection Attacks

Questions and Answers

What is the purpose of adding 'OR 1 equals 1' at the end of the authentication number in the text?

• To prevent database dumping
• To bypass authentication and retrieve all database contents (correct)
• To enhance database security
• To validate the authentication number

Which type of injection attack involves sending malformed XML to a separate device?

• DLL injection
• LDAP injection
• XML injection (correct)
• SQL injection

What is LDAP commonly used for?

• Authentication information storage (correct)
• Storing XML data
• DLL injections
• Database validation

What does DLL injection involve according to the text?

Injecting code into an application to execute it (D)

In the context of the text, what happens when a user clicks 'Get Department' without adding 'OR 1 equals 1' to the authentication number?

Access is granted to the department information (B)

How is SQL code used in the context of the text?

To dump entire database contents (C)

What is a code injection attack?

When an attacker puts their own code into an existing data stream (C)

Which type of code injection allows an attacker to manipulate or gather information from a machine?

LDAP injection (B)

What does SQL stand for in the context of code injection?

Structured Query Language (C)

In the context of code injection, what happens if the input is not validated by the application?

The attacker gains access to the data in the database (D)

Why should an application not allow users to insert their own code into a data stream?

To prevent data corruption (C)

How can an attacker gain access to data in a database through a web front end?

By bypassing input validation mechanisms (C)

What is a common relational database mentioned in the text that is often targeted in a SQL injection attack?

MySQL (C)

Why is it mentioned in the text that an application shouldn't allow users to insert their own code into a data stream?

To prevent exploitation of vulnerabilities (A)

What type of code injection allows attackers to potentially access and manipulate data from a machine?

XML injection (C)

In the context of code injection, what does LDAP commonly refer to?

Lightweight Directory Access Protocol (B)

What could happen if the input is not validated by an application in the context of code injection?

Attackers can exploit vulnerabilities (A)

Which of the following is a reason why circumventing the web front end can lead to access to database data in a SQL injection attack?

The database queries might bypass proper validation (C)

What kind of code injection attack involves injecting SQL code to manipulate a database?

SQL injection (C)

In the context of the text, what happens when an attacker performs a DLL injection?

Process A executes the injected DLL as a new thread (A)

What can happen if an application does not validate XML data being input into the system?

An XML injection attack can occur (C)

Which type of code injection attack allows an attacker to gather information from an LDAP server?

LDAP injection (A)

When modifying the authentication number on the web front end in the text, what does adding 'OR 1 equals 1' achieve?

Bypasses authentication checks (C)

What potential risk is posed by not validating user input in the authentication number field of the web front end?

Possibility of unauthorized database access (B)