CompTIA Exam Questions

Which of the following types of attacks was attempted?

An attacker attempted to compromise a web form by inserting the following input into the username
field: admin)(|(password=*))
Which of the following types of attacks was attempted?

A.
SQL injection

B.
Cross-site scripting

C.
Command injection

D.
LDAP injection

Explanation:
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based
on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP
statements using a local proxy. This could result in the execution of arbitrary commands such as granting
permissions to unauthorized queries, and content modification inside the LDAP tree. The same advanced
exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.
In a page with a user search form, the following code is responsible to catch input value and generate a
LDAP query that will be used in LDAP database.
<input type=”text” size=20 name=”userName”>Insert the username</input>
The LDAP query is narrowed down for performance and the underlying code for this function might be
the following:
String ldapSearchQuery = “(cn=” + $userName + “)”;
System.out.println(ldapSearchQuery);
If the variable $userName is not validated, it could be possible accomplish LDAP injection, as follows:If a user puts “*” on box search, the system may return all the usernames on the LDAP base
If a user puts “jonys) (| (password = * ) )”, it will generate the code bellow revealing jonys’ password ( cn
= jonys ) ( | (password = * ) )
Incorrect Answers:
A: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious
SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the
attacker). SQL injection must exploit a security vulnerability in an application’s software, for example,
when user input is either incorrectly filtered for string literal escape characters embedded in SQL
statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known
as an attack vector for websites but can be used to attack any type of SQL database. The code in this
question is not SQL code. Therefore this answer is incorrect.
B: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web
applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.
Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems
on which they rely. Exploiting one of these, attackers fold malicious content into the content being
delivered from the compromised site. When the resulting combined content arrives at the client-side web
browser, it has all been delivered from the trusted source, and thus operates under the permissions
granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain
elevated access-privileges to sensitive page content, session cookies, and a variety of other information
maintained by the browser on behalf of the user.
The code in this question is not an example of cross-site scripting code.
C: Command injection is an attack method in which a hacker alters dynamically generated content on a
Web page by entering HTML code into an input mechanism, such as a form field that lacks effective
validation constraints. The code in this question is not HTML code. Therefore this answer is incorrect.

https://www.owasp.org/index.php/LDAP_injection
http://en.wikipedia.org/wiki/SQL_injection
http://en.wikipedia.org/wiki/Cross-site_scriptinghttp://searchsoftwarequality.techtarget.com/definition/command-injection