PrepAway - Latest Free Exam Questions & Answers

Which of the following types of application attacks would be used to specifically gain unauthorized
information from databases that did not have any input validation implemented?

A. SQL injection
B. Session hijacking and XML injection
C. Cookies and attachments
D. Buffer overflow and XSS

Explanation:
To access information in databases, you use SQL. To gain unauthorized information from databases, a SQL
Injection attack is used.
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious
SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the
attacker). SQL injection must exploit a security vulnerability in an application’s software, for example,
when user input is either incorrectly filtered for string literal escape characters embedded in SQL
statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known
as an attack vector for websites but can be used to attack any type of SQL database.
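The following Python snippet is an added illustration, not part of the original question or its cited sources. It builds a small constructed in-memory SQLite table and contrasts a lookup that concatenates unvalidated input into the SQL text (the condition described above) with the same lookup written as a parameterized query plus an allow-list check on the input. The table, the usernames and the hostile input are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: a tiny users table held in memory.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # No input validation and no parameter binding: the caller's string is pasted
    # into the SQL text, so a quote character in it closes the string literal and
    # the remainder is parsed as SQL (the "string literal escape" failure mode).
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, username):
    # Parameterized query: the driver binds the value separately from the SQL text,
    # so the input is only ever compared as data and never parsed as SQL.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()

# Allow-list validation (assumed policy for this example): only short
# alphanumeric/underscore usernames are accepted before any query is run.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def is_valid_username(username):
    return USERNAME_RE.match(username) is not None

def demo():
    conn = make_db()
    benign = "alice"
    hostile = "' OR '1'='1"  # constructed input: closes the literal, adds a tautology
    return {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),
        "param_benign": len(lookup_parameterized(conn, benign)),
        "param_hostile": len(lookup_parameterized(conn, hostile)),
        "hostile_passes_validation": is_valid_username(hostile),
    }

if __name__ == "__main__":
    print(demo())
```

Running it shows the concatenated query returning every row for the hostile input while the parameterized query returns none, and the allow-list check rejecting that input before it reaches the database. Parameter binding is the primary fix; input validation is the additional layer the question refers to.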
Incorrect Answers:
B: When a web user takes advantage of a weakness with SQL by entering values that they should not, it is
known as a SQL injection attack. Similarly, when the user enters values that query XML (known as XPath)
with values that take advantage of exploits, it is known as an XML injection attack. XPath works in a
similar manner to SQL, except that it does not have the same levels of access control, and taking
advantage of weaknesses within it can return entire documents. The best way to prevent XML injection
attacks is to filter the user's input and sanitize it to make certain that it does not cause XPath to return
more data than it should. XML injection is not used to gain unauthorized information from databases. This answer is therefore
incorrect.
C: Cookies are used to store information about web browsing sessions. Cookies and attachments are not
used to gain unauthorized information from databases. This answer is therefore incorrect.
D: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web
applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data
storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data,
the extra information – which has to go somewhere – can overflow into adjacent buffers, corrupting or
overwriting the valid data held in them. Although it may occur accidentally through programming error,
buffer overflow is an increasingly common type of security attack on data integrity.
Buffer overflow and XSS are not used to gain unauthorized information from databases. This answer is
therefore incorrect.

References:
http://en.wikipedia.org/wiki/SQL_injection
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, p. 337