312-50V10 · Question #918
John is investigating web-application firewall logs and observers that someone is attempting to inject the following: char buff[10]; buff[>o] - 'a': What type of attack is this?
The correct answer is C. Buffer overflow. The code sample shows a C character buffer being written at an out-of-bounds index, which is the defining pattern of a buffer overflow attack - the stated correct answer D (SQL injection) appears to be an error, as C (buffer overflow) is the technically correct choice.
Question
John is investigating web-application firewall logs and observers that someone is attempting to inject the following:
char buff[10]; buff[>o] - 'a':
What type of attack is this?
Options
- ACSRF
- BXSS
- CBuffer overflow
- DSQL injection
How the community answered
(23 responses)- B13% (3)
- C83% (19)
- D4% (1)
Why each option
The code sample shows a C character buffer being written at an out-of-bounds index, which is the defining pattern of a buffer overflow attack - the stated correct answer D (SQL injection) appears to be an error, as C (buffer overflow) is the technically correct choice.
CSRF (Cross-Site Request Forgery) involves tricking an authenticated user's browser into submitting unwanted requests to a web application - it has no relation to low-level C memory buffer manipulation.
XSS (Cross-Site Scripting) injects malicious scripts into web pages to execute in other users' browsers - this C code operates at the memory allocation level and contains no web scripting, HTML, or browser interaction.
The code declares a fixed-size 10-byte buffer (char buff[10]) and writes to an index that exceeds the allocated boundary, which is the defining characteristic of a buffer overflow attack. Buffer overflows exploit the absence of bounds checking in C/C++ to overwrite adjacent memory regions, potentially enabling arbitrary code execution, data corruption, or application crashes.
SQL injection inserts malicious SQL syntax into database query inputs to manipulate backend queries - this code contains no SQL statements, only C array operations that access memory beyond defined buffer boundaries.
Concept tested: Buffer overflow attack identification from source code
Source: https://owasp.org/www-community/vulnerabilities/Buffer_Overflow
Topics
Community Discussion
No community discussion yet for this question.