nerdexam
EC-Council

312-50V10 · Question #22

Code injection is a form of attack in which a malicious user:

The correct answer is A. Inserts text into a data field that gets interpreted as code. Code injection occurs when user-supplied input is not properly sanitized and the application interprets that input as executable code, with SQL injection being the most common example.

Hacking Web Applications

Question

Code injection is a form of attack in which a malicious user:

Options

  • AInserts text into a data field that gets interpreted as code
  • BGets the server to execute arbitrary code using a buffer overflow
  • CInserts additional code into the JavaScript running in the browser
  • DGains access to the codebase on the server and inserts new code

How the community answered

(20 responses)
  • A
    95% (19)
  • B
    5% (1)

Why each option

Code injection occurs when user-supplied input is not properly sanitized and the application interprets that input as executable code, with SQL injection being the most common example.

AInserts text into a data field that gets interpreted as codeCorrect

Code injection attacks occur when an attacker inserts malicious text into a data field - such as a form input or URL parameter - that the application then passes to an interpreter and executes as code. Classic examples include SQL injection, where a query string is injected into a database input field, and OS command injection. The root cause is insufficient input validation and failure to separate code from data.

BGets the server to execute arbitrary code using a buffer overflow

Exploiting a buffer overflow to run arbitrary code is a memory corruption exploit, which is a separate attack class from code injection.

CInserts additional code into the JavaScript running in the browser

Inserting malicious code into JavaScript running in the browser describes cross-site scripting (XSS), not generic code injection.

DGains access to the codebase on the server and inserts new code

Gaining access to a server codebase to insert code describes a supply chain or unauthorized access attack, not code injection.

Concept tested: Code injection attack definition and mechanism

Source: https://owasp.org/www-community/attacks/Code_Injection

Topics

#code injection#web attacks#input validation#injection

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice