PrepAway - Latest Free Exam Questions & Answers

Which of the following was used to perform this attack?

Sara, a hacker, is completing a website form to request a free coupon. The site has a field that limits the
request to 3 or fewer coupons. While submitting the form, Sara runs an application on her machine to
intercept the HTTP POST command and change the field from 3 coupons to 30.
Which of the following was used to perform this attack?

A. SQL injection
B. XML injection
C. Packet sniffer
D. Proxy

Explanation:
When a web user takes advantage of a weakness in SQL by entering values that they should not, it is
known as a SQL injection attack. Similarly, when the user enters values that query XML (known as XPath)
with values that take advantage of exploits, it is known as an XML injection attack. XPath works in a
similar manner to SQL, except that it does not have the same levels of access control, and taking
advantage of weaknesses within it can return entire documents. The best way to prevent XML injection
attacks is to filter the user's input and sanitize it to make certain that it does not cause XPath to return
more data than it should.
Incorrect Answers:
A: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious
SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the
attacker). SQL injection must exploit a security vulnerability in an application’s software, for example,
when user input is either incorrectly filtered for string literal escape characters embedded in SQL
statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known
as an attack vector for websites but can be used to attack any type of SQL database. Being a web-based
form, it is more likely that XML was used rather than SQL.
C: Packet sniffing is the process of intercepting data as it is transmitted over a network.
A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to
a local area network that is not filtered or switched, the traffic can be broadcast to all computers
contained in the same segment. This doesn't normally expose data, since computers are generally told to ignore
all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is
visible once the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic.
Packet sniffing is not used for modifying data; it only reads it. Therefore this answer is incorrect.
D: A proxy server is often used to filter web traffic. It is not used to modify the content of HTTP POST
commands. Therefore this answer is incorrect.
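The explanation's mitigation for XML (XPath) injection is to sanitize user input before it reaches the query. The following added example, not from the study guide or the exam site, shows an unsafe query builder next to one that encodes the value as a proper XPath 1.0 string literal; the document layout, the `user`/`name` element names and the helper names are constructed for illustration.

```python
"""XPath injection: unsafe query building beside a sanitized version.

Constructed example: the XPath shape //user[name=...]/email and all
helper names are assumptions, not an API from any library.
"""


def build_xpath_unsafe(username: str) -> str:
    # Vulnerable: user input is pasted straight into the expression, so a
    # value such as  ' or '1'='1  turns the predicate into a tautology and
    # the query returns every user's email instead of one.
    return f"//user[name='{username}']/email"


def xpath_string_literal(value: str) -> str:
    """Encode an arbitrary string as a safe XPath 1.0 string literal.

    XPath 1.0 has no escape character inside string literals, so a value
    containing only one kind of quote is wrapped in the other kind, and a
    value containing both kinds is assembled with concat().
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = []
    for piece in value.split("'"):
        if piece:  # skip empty pieces from leading/adjacent quotes
            parts.append(f"'{piece}'")
        parts.append("\"'\"")  # the single quote that was split away
    parts.pop()  # no quote follows the final piece
    return "concat(" + ", ".join(parts) + ")"


def build_xpath_safe(username: str) -> str:
    # Sanitized: whatever the user typed is compared as a plain string,
    # so quotes in the input can no longer change the query structure.
    return f"//user[name={xpath_string_literal(username)}]/email"


if __name__ == "__main__":
    payload = "' or '1'='1"
    print("unsafe:", build_xpath_unsafe(payload))
    print("safe:  ", build_xpath_safe(payload))
```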

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, p. 337
http://en.wikipedia.org/wiki/SQL_injection