PrepAway - Latest Free Exam Questions & Answers

Which of the following is the MOST likely reason for th…

When an order was submitted via the corporate website, an administrator noted special characters (e.g., ";--" and "or 1=1 --") were input instead of the expected letters and numbers.

Which of the following is the MOST likely reason for the unusual results?


A.
The user is attempting to hijack the web server session using an open-source browser.

B.
The user has been compromised by a cross-site scripting attack (XSS) and is part of a botnet performing DDoS attacks.

C.
The user is attempting to fuzz the web server by entering foreign language characters which are incompatible with the website.

D.
The user is sending malicious SQL injection strings in order to extract sensitive company or customer data via the website.

Explanation:
The code in the question is an example of a SQL injection attack. The expression `1=1` always evaluates to true, so it can be included in a statement designed to return all rows of a SQL table.

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g., to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or is not strongly typed and is unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
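The explanation above describes the defect that makes the `or 1=1 --` input dangerous: user input spliced into a SQL string is parsed as SQL. The following is an added example (not part of the original exam material) that builds a small in-memory SQLite table with constructed sample rows, runs the same lookup once with string concatenation and once with a bound parameter, and adds a simple heuristic an administrator could use to flag inputs like the ones noticed in the question. The table, column names and `looks_like_sqli` helper are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the page).
ORDERS = [
    (1, "alice", "widget"),
    (2, "bob", "gadget"),
    (3, "carol", "gizmo"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, item TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, customer):
    """Vulnerable form: the input is concatenated into the SQL text.

    With the input  ' or 1=1 --  the statement becomes
        SELECT ... WHERE customer = '' or 1=1 --'
    The 1=1 clause is always true and the trailing quote is commented
    out, so every row comes back, exactly as the explanation describes.
    """
    sql = ("SELECT id, customer, item FROM orders WHERE customer = '"
           + customer + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, customer):
    """Hardened form: the driver binds the value as data, never as SQL.

    The same input is compared literally against the customer column,
    so no row matches and nothing is returned.
    """
    sql = "SELECT id, customer, item FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Heuristic (assumption, not a complete filter): flag inputs carrying the
# metacharacters the administrator noticed: a tautology such as "or 1=1",
# a SQL line comment "--", or a statement separator ";".
_SQLI_PATTERN = re.compile(r"(?i)(\bor\b\s+\w+\s*=\s*\w+|--|;)")


def looks_like_sqli(value):
    """Return True when the submitted value resembles a SQL injection probe."""
    return bool(_SQLI_PATTERN.search(value))


if __name__ == "__main__":
    conn = make_db()
    probe = "' or 1=1 --"
    print("vulnerable   :", lookup_vulnerable(conn, probe))    # all three rows
    print("parameterized:", lookup_parameterized(conn, probe)) # no rows
    print("flagged      :", looks_like_sqli(probe))            # True
```

Running the block shows the concatenated query returning the whole table for the probe input while the parameterized query returns nothing; the fix is to bind parameters everywhere, with the heuristic serving only as a logging or alerting aid, not as the defence.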
Incorrect Answers:

A: Session hijacking, also known as TCP session hijacking, is a method of taking over a web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user's session ID has been obtained (for example through session prediction), the attacker can masquerade as that user and do anything the user is authorized to do on the network. The code in the question is not an example of session hijacking. Therefore, this answer is incorrect.

B: A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example a botnet) flooding the targeted system with traffic. When a server is overloaded with connections, new connections can no longer be accepted. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. In the end this can take a website down entirely for periods of time. The code in the question is not an example of the data that would be sent in a DDoS attack. Therefore, this answer is incorrect.

C: Fuzz testing or fuzzing is a software testing technique used to discover coding errors and security loopholes in software, operating systems or networks by inputting massive amounts of random data, called fuzz, to the system in an attempt to make it crash. The code in the question does not contain foreign language characters; it is code typically used in a SQL injection attack. Therefore, this answer is incorrect.


