PrepAway - Latest Free Exam Questions & Answers

When an order was submitted via the corporate website, an administrator noted that special characters (e.g.,
“;--” and “or 1=1 --”) were input instead of the expected letters and numbers.
Which of the following is the MOST likely reason for the unusual results?

A. The user is attempting to hijack the web server session using an open-source browser.

B. The user has been compromised by a cross-site scripting attack (XSS) and is part of a botnet performing
DDoS attacks.

C. The user is attempting to fuzz the web server by entering foreign language characters which are
incompatible with the website.

D. The user is sending malicious SQL injection strings in order to extract sensitive company or customer
data via the website.

Explanation:
The input in the question is a textbook example of a SQL injection attack. The condition ‘1=1’ always
evaluates to true, so when it is appended to a statement's WHERE clause (with the remainder of the original
statement commented out by ‘--’) the query returns all rows in the SQL table instead of the single row the
application expected.
SQL injection is a code injection technique used to attack data-driven applications, in which malicious
SQL statements are inserted into an entry field for execution (e.g., to dump the database contents to the
attacker). SQL injection relies on a security vulnerability in the application's software, for example,
user input that is incorrectly filtered for string literal escape characters embedded in SQL
statements, or user input that is not strongly typed and is unexpectedly executed as code. SQL injection is
best known as an attack vector against websites but can be used to attack any type of SQL database.
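The following Python example is added here to illustrate the explanation; it is not part of the original question or its source. It builds a constructed in-memory SQLite table of orders, shows how the ‘or 1=1 --’ string from the question behaves when a lookup concatenates user input into the statement, and contrasts that with a parameterized query, where the same input is treated as a literal value and matches nothing. The `flag_input` heuristic is an assumption of this example, meant only for logging and alerting on inputs like the ones the administrator noticed, not as a substitute for parameterization.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a constructed sample orders table (not data from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 19.99), (2, "bob", 120.00), (3, "carol", 5.50)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """Vulnerable pattern: user input is spliced directly into the SQL text.

    With customer = "' or 1=1 --" the statement becomes
        SELECT ... WHERE customer = '' or 1=1 --'
    '1=1' is always true and '--' comments out the trailing quote,
    so every row in the table is returned.
    """
    sql = f"SELECT id, customer, total FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, customer: str) -> list:
    """Hardened pattern: the driver binds the value separately from the SQL text.

    The same input is compared literally against the customer column,
    so it simply matches no rows; it can never change the query's structure.
    """
    sql = "SELECT id, customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Hypothetical detection heuristic (an assumption of this example): flags the
# kinds of fragments the administrator observed so they can be logged/alerted on.
_SUSPICIOUS = re.compile(r"(--|;|\bor\b\s+\d+\s*=\s*\d+)", re.IGNORECASE)


def flag_input(value: str) -> bool:
    """Return True if the input contains SQL comment/terminator or tautology fragments."""
    return _SUSPICIOUS.search(value) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"   # the string from the question
    print("vulnerable, normal input :", lookup_vulnerable(db, "bob"))
    print("vulnerable, payload      :", lookup_vulnerable(db, payload))
    print("parameterized, payload   :", lookup_parameterized(db, payload))
    print("flagged?                 :", flag_input(payload))
```

Running the script shows the concatenated query returning all three constructed rows for the payload while the parameterized query returns an empty list; the fix is to always bind untrusted values as parameters rather than trying to filter them.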
Incorrect Answers:
A: Session hijacking, also known as TCP session hijacking, is a method of taking over a web user's session by
surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user's session
ID has been obtained (for example through session prediction), the attacker can masquerade as that user and do
anything the user is authorized to do on the network. The input in the question is not an example of
session hijacking.
B: A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or
resources of a targeted system, usually one or more web servers. Such an attack is often carried out by
multiple compromised systems (for example, a botnet) flooding the target with traffic. When a
server is overloaded with connections, new connections can no longer be accepted. The major
advantages to an attacker of a distributed attack are that multiple machines can
generate more attack traffic than one machine, multiple attack machines are harder to shut down than one,
and the behavior of each attack machine can be stealthier, making it harder to track
and stop. These advantages create challenges for defense mechanisms: for example,
merely purchasing more incoming bandwidth than the current volume of the attack might not help,
because the attacker might be able to simply add more attack machines. The end result is a website that is
unavailable for periods of time. The input in the question is not an example of the data
that would be sent in a DDoS attack.
C: Fuzz testing, or fuzzing, is a software testing technique used to discover coding errors and security
loopholes in software, operating systems or networks by feeding massive amounts of random data,
called fuzz, to the system in an attempt to make it crash. The input in the question does not contain
foreign language characters; it is input typically used in a SQL injection attack.