PT0-002 Question #486: Real Exam Question with Answer & Explanation
The correct answer is B: SQL injection.
Question
While a penetration tester conducts a web application assessment, the following URL is accessed:

Which of the following exploit types is being attempted?
Options
- A. XML injection
- B. SQL injection
- C. Session hijacking
- D. Buffer overflow
Explanation
The penetration tester is attempting a SQL injection exploit. The tell is the manipulation of a URL parameter to inject SQL syntax: the value `1 or 1=1` turns the query's WHERE clause into a condition that is always true, and the comment characters `--` cut off whatever the application appends after the injected value. Depending on where the parameter lands in the query, this either bypasses authentication or extracts data from the backend database.
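The following is an added example, not part of the exam question or its explanation, that reproduces the `1 or 1=1 --` payload against a constructed in-memory SQLite database. The parameter name `id`, the host `example.test` and the `users` table are assumptions made for the illustration. It shows the vulnerable string-built query returning every row, and the hardened version (type validation plus a bound parameter) returning nothing for the same payload.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse


def build_db() -> sqlite3.Connection:
    """Constructed sample backend: three users, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def id_from_url(url: str) -> str:
    """Pull the (hypothetical) 'id' query parameter out of a requested URL.

    parse_qs percent-decodes, so '1%20or%201%3D1%20--' becomes '1 or 1=1 --'.
    """
    return parse_qs(urlparse(url).query).get("id", [""])[0]


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list[str]:
    """Builds the query by string formatting: the attacker's value becomes SQL.

    With user_id = '1 or 1=1 --' the statement executed is
        SELECT username FROM users WHERE id = 1 or 1=1 --
    'or 1=1' makes the WHERE clause true for every row, and '--' comments out
    anything the application would otherwise append.
    """
    sql = f"SELECT username FROM users WHERE id = {user_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list[str]:
    """Hardened form: validate the type, then bind the value as a parameter.

    The database driver sends the value separately from the SQL text, so it
    can never be parsed as SQL syntax; int() rejects the payload outright.
    """
    try:
        numeric_id = int(user_id)
    except ValueError:
        return []
    return [
        row[0]
        for row in conn.execute("SELECT username FROM users WHERE id = ?", (numeric_id,))
    ]


if __name__ == "__main__":
    db = build_db()
    benign = "https://example.test/profile?id=1"
    attack = "https://example.test/profile?id=1%20or%201%3D1%20--"
    print("vulnerable, benign:  ", lookup_vulnerable(db, id_from_url(benign)))
    print("vulnerable, payload: ", lookup_vulnerable(db, id_from_url(attack)))
    print("hardened, benign:    ", lookup_parameterized(db, id_from_url(benign)))
    print("hardened, payload:   ", lookup_parameterized(db, id_from_url(attack)))
```

The decoded value of the `id` parameter is what matters during an assessment: the payload is usually percent-encoded in the request line (`%20` for spaces, `%3D` for `=`), so logs and proxies show the encoded form while the application sees the SQL fragment.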
Common mistakes.
- A. XML injection involves manipulating XML data or schemas and is not typically initiated by injecting SQL-like syntax into a URL parameter.
- C. Session hijacking involves stealing or predicting a user's session ID to impersonate them, which is not indicated by the SQL syntax in the provided URL.
- D. Buffer overflow exploits involve writing past the bounds of a program's buffer to overwrite adjacent memory, usually leading to crashes or arbitrary code execution, and are not initiated via SQL syntax in a URL parameter.
Concept tested. Web application attacks - SQL Injection
Reference. https://owasp.org/www-community/attacks/SQL_Injection