nerdexam
GIAC

GPEN · Question #146

GPEN Question #146: Real Exam Question with Answer & Explanation

The correct answer is A. Single quote ('). The single quote character is the standard first test for SQL injection because it breaks the syntax of a SQL string literal, causing a database error that reveals vulnerability.

Question

Which of the following characters will you use to check whether an application is vulnerable to an SQL injection attack?

Options

  • ASingle quote (')
  • BSemi colon (;)
  • CDouble quote (")
  • DDash (-)

Explanation

The single quote character is the standard first test for SQL injection because it breaks the syntax of a SQL string literal, causing a database error that reveals vulnerability.

Common mistakes.

  • B. A semicolon is used to terminate SQL statements and can be leveraged in stacked queries, but it is not the standard initial probe to confirm basic SQL injection vulnerability.
  • C. Double quotes are string delimiters in some databases such as Microsoft SQL Server in certain modes, but the single quote is the more universally applicable and widely used injection test character.
  • D. A dash (-) begins a single-line comment in SQL and can be used to comment out the remainder of a query, but it does not by itself trigger a syntax error that reveals injection vulnerability.

Concept tested. SQL injection initial vulnerability detection

Reference. https://owasp.org/www-community/attacks/SQL_Injection

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full GPEN Practice