Pete, the security administrator, has been notified by the IDS that the company website is under attack.
Analysis of the web logs show the following string, indicating a user is trying to post a comment on the
public bulletin board.
INSERT INTO message `<script>source=http://evilsite</script>This is an example of which of the following?

A.
XSS attack

B.
XML injection attack

C.
Buffer overflow attack

D.
SQL injection attack

Explanation:
The <script> </script> tags indicate that script is being inserted.
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications.
XSS enables attackers to inject client-side script into Web pages viewed by other users.
Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems
on which they rely. Exploiting one of these, attackers fold malicious content into the content being
delivered from the compromised site. When the resulting combined content arrives at the client-side web
browser, it has all been delivered from the trusted source, and thus operates under the permissions
granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain
elevated access-privileges to sensitive page content, session cookies, and a variety of other information
maintained by the browser on behalf of the user.
Incorrect Answers:
B: When a web user takes advantage of a weakness with SQL by entering values that they should not, it is
known as a SQL injection attack. Similarly, when the user enters values that query XML (known as XPath)
with values that take advantage of exploits, it is known as an XML injection attack. XPath works in a
similar manner to SQL, except that it does not have the same levels of access control, and taking
advantage of weaknesses within can return entire documents. The best way to prevent XML injection
attacks is to filter the user’s input and sanitize it to make certain that it does not cause XPath to return
more data than it should. The code in this question is not XML code.C: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary
data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of
data, the extra information – which has to go somewhere – can overflow into adjacent buffers, corrupting
or overwriting the valid data held in them. Although it may occur accidentally through programming
error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer
overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending
new instructions to the attacked computer that could, for example, damage the user’s files, change data,
or disclose confidential information. Buffer overflow attacks are said to have arisen because the C
programming language supplied the framework, and poor programming practices supplied the
vulnerability. This is not what is described in the question.
D: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious
SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the
attacker). SQL injection must exploit a security vulnerability in an application’s software, for example,
when user input is either incorrectly filtered for string literal escape characters embedded in SQL
statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known
as an attack vector for websites but can be used to attack any type of SQL database. SQL Injection is not
used to attempt to post a comment on the public bulletin board. Therefore this answer is incorrect.

http://en.wikipedia.org/wiki/Cross-site_scripting
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, p. 337
http://searchsecurity.techtarget.com/definition/buffer-overflow
http://en.wikipedia.org/wiki/SQL_injection