
GCIH · Question #421

GCIH Question #421: Real Exam Question with Answer & Explanation

The correct answer is A: Quotes (', ", etc.). SQL injection testing typically begins with quote characters because they are used to break out of string context in SQL queries and reveal parsing errors.

Web Application Attacks & Post-Exploitation

Question

When launching a SQL Injection attack, what characters might an attacker start experimenting with first?

Options

  • A. Quotes (', ", etc.)
  • B. Alphabetic characters
  • C. Numeric characters
  • D. Percents (%)

Explanation

SQL injection testing typically begins with quote characters because they are used to break out of string context in SQL queries and reveal parsing errors.

Common mistakes.

  • B. Alphabetic characters are treated as ordinary string data by SQL parsers and do not disrupt query syntax or reveal injection vulnerabilities.
  • C. Numeric characters are valid SQL literals and do not break query syntax unless used in specific arithmetic-based blind injection contexts, making them a secondary technique, not the first step.
  • D. Percent signs are wildcard characters in SQL LIKE clauses but do not break string delimiters or cause syntax errors used to identify injection points.

Concept tested. SQL injection initial probing with quote characters

Reference. https://owasp.org/www-community/attacks/SQL_Injection

Topics

SQL injection · special characters · input manipulation · web attacks
