312-50V13 Question #171: Real Exam Question with Answer & Explanation

The correct answer is B: Blind SQL injection.

Submitted by eva_at · Mar 6, 2026 · SQL Injection

Question

Elliot is in the process of exploiting a web application that uses SQL as a back-end database. He's determined that the application is vulnerable to SQL injection, and has introduced conditional timing delays into injected queries to determine whether they are successful. What type of SQL injection is Elliot most likely performing?

Options

  • A. Error-based SQL injection
  • B. Blind SQL injection
  • C. Union-based SQL injection
  • D. NoSQL injection

Explanation

Elliot is performing blind SQL injection, a technique used when an attacker infers information based on the application's responses, such as timing delays, rather than direct output.

Common mistakes.

  • A. Error-based SQL injection relies on the database returning error messages that reveal information about the database structure or query results, which is not what Elliot is observing.
  • C. Union-based SQL injection uses the UNION operator to combine the results of the attacker's query with the legitimate query, displaying the injected data directly in the application's response, which Elliot is not doing.
  • D. NoSQL injection targets NoSQL databases, which have different query languages and vulnerabilities than traditional SQL databases, whereas the question specifies a SQL back-end.

Concept tested. Blind SQL injection detection techniques

Reference. https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-overview#sql-injection

Topics

#SQL injection #Blind SQL injection #Timing attack #Web application hacking
