312-50V10 · Question #22
Code injection is a form of attack in which a malicious user:
The correct answer is A. Inserts text into a data field that gets interpreted as code. Code injection occurs when user-supplied input is not properly sanitized and the application interprets that input as executable code, with SQL injection being the most common example.
Question
Code injection is a form of attack in which a malicious user:
Options
- AInserts text into a data field that gets interpreted as code
- BGets the server to execute arbitrary code using a buffer overflow
- CInserts additional code into the JavaScript running in the browser
- DGains access to the codebase on the server and inserts new code
How the community answered
(20 responses)- A95% (19)
- B5% (1)
Why each option
Code injection occurs when user-supplied input is not properly sanitized and the application interprets that input as executable code, with SQL injection being the most common example.
Code injection attacks occur when an attacker inserts malicious text into a data field - such as a form input or URL parameter - that the application then passes to an interpreter and executes as code. Classic examples include SQL injection, where a query string is injected into a database input field, and OS command injection. The root cause is insufficient input validation and failure to separate code from data.
Exploiting a buffer overflow to run arbitrary code is a memory corruption exploit, which is a separate attack class from code injection.
Inserting malicious code into JavaScript running in the browser describes cross-site scripting (XSS), not generic code injection.
Gaining access to a server codebase to insert code describes a supply chain or unauthorized access attack, not code injection.
Concept tested: Code injection attack definition and mechanism
Source: https://owasp.org/www-community/attacks/Code_Injection
Topics
Community Discussion
No community discussion yet for this question.