PrepAway - Latest Free Exam Questions & Answers

Which of the following types of attacks was attempted?

An attacker attempted to compromise a web form by inserting the following input into the username field: admin)(|(password=*))
Which of the following types of attacks was attempted?

A. SQL injection
B. Cross-site scripting
C. Command injection
D. LDAP injection

Explanation:
LDAP injection is an attack used to exploit web-based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it is possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands, such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL injection can be similarly applied in LDAP injection.
In a page with a user search form, the following code is responsible for capturing the input value and generating the LDAP query that will be run against the LDAP directory:
<input type="text" size=20 name="userName">Insert the username</input>
The LDAP query is narrowed down for performance, and the underlying code for this function might be the following:
String ldapSearchQuery = "(cn=" + userName + ")";
System.out.println(ldapSearchQuery);
If the variable userName is not validated, it could be possible to accomplish LDAP injection as follows:
If a user enters "*" in the search box, the system may return all the usernames in the LDAP base.
If a user enters "jonys)(|(password=*))", it will generate the filter below, revealing jonys' password:
(cn=jonys)(|(password=*))
Incorrect Answers:
A: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. The code in this question is not SQL code.
Therefore, this answer is incorrect.
B: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users.
Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. The code in this question is not an example of cross-site scripting code. Therefore, this answer is incorrect.
C: Command injection is an attack method in which a hacker alters dynamically generated content on a web page by entering HTML code into an input mechanism, such as a form field that lacks effective validation constraints. The code in this question is not HTML code.
Therefore, this answer is incorrect.

https://www.owasp.org/index.php/LDAP_injection
http://en.wikipedia.org/wiki/SQL_injection
http://en.wikipedia.org/wiki/Cross-site_scripting
http://searchsoftwarequality.techtarget.com/definition/command-injection