PrepAway - Latest Free Exam Questions & Answers

Which of the following is the MOST likely reason for the unusual results?

When an order was submitted via the corporate website, an administrator noted special characters
(e.g., ";--" and "or 1=1 --") were input instead of the expected letters and numbers.
Which of the following is the MOST likely reason for the unusual results?


A.
The user is attempting to hijack the web server session using an open-source browser.

B.
The user has been compromised by a cross-site scripting attack (XSS) and is part of a botnet
performing DDoS attacks.

C.
The user is attempting to fuzz the web server by entering foreign language characters which
are incompatible with the website.

D.
The user is sending malicious SQL injection strings in order to extract sensitive company or
customer data via the website.

Explanation:
The code in the question is an example of a SQL injection attack. The expression ‘1=1’ always
evaluates to true, so it can be included in a statement designed to return all rows in a SQL
table.
SQL injection is a code injection technique, used to attack data-driven applications, in which
malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database
contents to the attacker). SQL injection must exploit a security vulnerability in an application’s
software, for example, when user input is either incorrectly filtered for string literal escape
characters embedded in SQL statements or user input is not strongly typed and unexpectedly
executed. SQL injection is mostly known as an attack vector for websites but can be used to
attack any type of SQL database.
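
The two failure modes named in the explanation (input parsed as SQL, and input that is not strongly typed), shown beside the corrected forms. This is an added example, not part of the original question; the orders table, its rows and the function names are assumptions, and the input is constructed from the strings quoted in the question.

```python
import sqlite3

INJECTED = "0 or 1=1 --"  # constructed input built from the strings in the question

def make_db():
    # Constructed sample data; the schema is an assumption for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (order_id INTEGER, customer TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)",
                   [(1001, "alice"), (1002, "bob"), (1003, "carol")])
    return db

def lookup_vulnerable(db, order_id, customer):
    # User input is concatenated into the statement and parsed as SQL:
    # "or 1=1" makes the WHERE clause always true and "--" comments out
    # the customer restriction that follows it.
    sql = ("SELECT order_id, customer FROM orders WHERE order_id = "
           + order_id + " AND customer = '" + customer + "'")
    return sorted(db.execute(sql).fetchall())

def lookup_bound(db, order_id, customer):
    # Placeholders send the input as data; it is never parsed as SQL.
    sql = "SELECT order_id, customer FROM orders WHERE order_id = ? AND customer = ?"
    return sorted(db.execute(sql, (order_id, customer)).fetchall())

def lookup_typed(db, order_id, customer):
    # Strong typing on top of binding: reject anything that is not a number.
    if not order_id.isdecimal():
        raise ValueError("order_id must be numeric")
    return lookup_bound(db, int(order_id), customer)

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1001", "alice"))    # one row, as intended
    print(lookup_vulnerable(db, INJECTED, "alice"))  # every customer's row
    print(lookup_bound(db, INJECTED, "alice"))       # no rows: input treated as a value
```
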

