PrepAway - Latest Free Exam Questions & Answers

Which of the following is an example of a SQL injection attack?

A. an attacker exploits a vulnerability in a webpage to send SQL code to the database instead of a password

B. an attacker installs a database on a corporate network to store user names and passwords

C. an attacker attempts to gain access to a server to assume the DBO role of a database

D. an attacker uses JavaScript to insert data into a webpage

Explanation:
An attacker exploiting a vulnerability in a webpage to send Structured Query Language (SQL) code to a database instead of a password is an example of a SQL injection attack. SQL is a computer language used to view, insert, retrieve, and delete information in a database. On many webpages, when you type characters into entry fields, such as search boxes or user name and password fields, the text you enter is inserted into a SQL command that is then executed.

SQL injection attacks exploit vulnerable SQL code by entering SQL syntax into fields that were not intended to receive such input. Once submitted, the entered text is inserted into the underlying query as the value of a variable the query needs to complete. Because that value contains SQL syntax, it can change the intent of the query. If the underlying query does not contain checks to ensure that entered values are legitimate, a malicious user can exploit the insecure syntax by inserting additional SQL syntax. This can allow unintended database changes. For example, a malicious user might enter SQL code that deletes data from the database instead of entering the anticipated input, such as a user name or password. Exposure to SQL injection attacks can be minimized by using input validation, by checking parameters, and by using parameterized input with stored procedures.
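The explanation above describes text from a password field being inserted into a SQL command. The following is an added example, not part of the original page, that shows a login check built by string concatenation next to the parameterized form the explanation recommends, run against a constructed in-memory SQLite table (the user name, password and injected input are all made up for the demonstration).

```python
# Added example: string-built query vs. parameterized query for a login check.
# Uses a constructed in-memory SQLite table; passwords are stored in plaintext
# only to keep the example short (real systems store password hashes).
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed sample user table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Vulnerable: the entered text becomes part of the SQL statement itself,
    so SQL syntax typed into the password field changes the query's intent."""
    query = ("SELECT 1 FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Mitigated: placeholders send the statement and the values separately,
    so the entered text is compared as a literal and never parsed as SQL."""
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


# Constructed input: SQL syntax entered where a password was expected. The
# quote closes the string literal and the OR makes the WHERE clause true.
INJECTED_PASSWORD = "x' OR 'a'='a"


def demo() -> dict:
    """Run both login functions with the real password and the injected text."""
    conn = make_db()
    return {
        "unsafe_real_password": login_unsafe(conn, "alice", "s3cret"),
        "unsafe_sql_in_password": login_unsafe(conn, "alice", INJECTED_PASSWORD),
        "safe_real_password": login_safe(conn, "alice", "s3cret"),
        "safe_sql_in_password": login_safe(conn, "alice", INJECTED_PASSWORD),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'logged in' if ok else 'rejected'}")
```

Only the string-built query accepts the injected text; the parameterized query rejects it because the database compares the whole entered string as a literal value.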

An attacker attempting to gain access to a server to assume the Database Owner (DBO) role of a database is an example of a privilege escalation attack. In a privilege escalation attack, a malicious user attempts to circumvent defined permission levels. Through privilege escalation, a malicious user could gain access to information reserved for employees with higher privileges, such as administrators. Attempting to gain access to a server to assume the DBO role of a database is not an example of a SQL injection attack.

An attacker using JavaScript to insert data into a webpage is an example of cross-site scripting (XSS). XSS can be used to manipulate web content for malicious purposes. For example, XSS could be used to change the destination of a hyperlink. Instead of being directed to the intended page, you could be redirected to a different site that could be used to collect your personal information. An attacker using JavaScript to insert data into a webpage is not an example of a SQL injection attack.

An attacker installing a database on a corporate network to store user names and passwords could be part of another type of attack such as a social engineering attack. In a social engineering attack, the malicious user might trick legitimate users into typing their user name and password into an application that would then store the information in the database. An attacker installing a database on a corporate network to store user names and passwords is not an example of a SQL injection attack.

Reference: https://docs.microsoft.com/en-us/previous-versions/sql/sql-server-2008-r2/ms161953(v=sql.105)
