CISSP PRACTICE QUESTIONS – 20201105

Effective CISSP Questions

Which of the following is the best strategy to prevent SQL injection attacks against a web application? (Source: Wentz QOTD)
A. Implement form-based authentication using the POST HTTP method
B. Employ an application framework that supports parameterized queries
C. Accept TLS/SSL connections only
D. Verify if the injections are automated by a robot


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Employ an application framework that supports parameterized queries.

  • Form-based authentication using the POST method is just a common way of sending the username and password to the back-end server; the request body is still entirely attacker-controlled. It doesn’t help.
  • TLS/SSL encrypts the malicious SQL fragment in transit as if it were ordinary data and delivers it intact to the application. It doesn’t help.
  • After clicking the “I’m not a robot” checkbox, the attacker can go on typing malicious SQL code by hand. It doesn’t help.

Mitigations

  • Input validation (allow-listing the characters and formats you expect) is a useful defense-in-depth control and blocks many injection attempts, but it is not the best single strategy: fields such as passwords or free text legitimately contain quotes, spaces and other SQL metacharacters, so a filter cannot cleanly separate good input from bad.
  • Parameterized queries don’t validate user inputs at all; they treat data as data, so raw input is bound as a value and never becomes part of the SQL statement. That is why option B is the best strategy.

SQL injection

SQL injection occurs when a programmer concatenates untrusted strings into SQL instructions. Strings are plain data, while SQL instructions are executable code; once the two are glued together, the database engine cannot tell them apart.

  1. Users can type snippets or fragments of SQL code as inputs into an HTML form, which are posted to the back-end server for processing.
  2. If the programmer treats the SQL fragment posted by the attacker as ordinary data and concatenates it with the primary SQL instruction, the assembled SQL is executed as written, attacker fragment included. That’s how SQL injection works.

SQL Query Assembled from Strings

The following is an example that combines strings into a SQL query without using SQL parameters. The user inputs, $email and $password, are expanded into raw strings and concatenated into the query:

SELECT * FROM users WHERE email = '$email' AND password = md5('$password')

If the attacker submits xxx@xxx.xxx as the email and xxx') OR 1 = 1 -- ] as the password, the assembled query becomes:

SELECT * FROM users WHERE email = 'xxx@xxx.xxx' AND password = md5('xxx') OR 1 = 1 -- ]')

Everything after -- is a comment, and OR 1 = 1 makes the WHERE clause true for every row, so the query returns all users regardless of the password.

Parameterized Query Example

@Age is a parameter in the SQL statement held in @SqlInstruction. sp_executesql receives the statement text, the parameter definition, and the parameter value separately, so the value 99 is bound as an integer and never parsed as SQL.

DECLARE @SqlInstruction NVARCHAR(500);
SET @SqlInstruction = N'SELECT * FROM Users WHERE Age = @Age;';
-- statement text, parameter definition, parameter value
EXEC sp_executesql @SqlInstruction, N'@Age INT', @Age = 99;
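The following is an added example, not code from the original post, that runs the concatenated query above and its parameterized counterpart side by side against an in-memory SQLite database. The table, the account, and the payload xxx') OR 1 = 1 -- ] are constructed here for illustration; md5() is registered on the connection only so the queries can use the same md5('...') expression as the page (unsalted MD5 is a weak password store and is kept purely to mirror the example). The allow-list e-mail check is included to show why validation alone is not enough: the attacker’s e-mail passes it, and the payload sits in the password field.

```python
import hashlib
import re
import sqlite3

# Constructed sample data (not from the page): one legitimate account.
SEED_USERS = [("alice@example.com", "correct horse battery staple")]

# Hypothetical payload in the shape the page describes: it closes the md5('...')
# call, appends an always-true condition and comments out the rest of the query.
INJECTION_PAYLOAD = "xxx') OR 1 = 1 -- ]"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table that mirrors the page's schema."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no md5() function; register one so the queries can use the same
    # md5('...') expression as the page. (Unsalted MD5 is a weak way to store
    # passwords; it is kept only to match the page's example.)
    conn.create_function("md5", 1, md5_hex)
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        [(email, md5_hex(pw)) for email, pw in SEED_USERS],
    )
    return conn


def build_query_vulnerable(email: str, password: str) -> str:
    """Assemble the query by string concatenation, as in the page's example."""
    return (
        "SELECT * FROM users WHERE email = '" + email
        + "' AND password = md5('" + password + "')"
    )


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Vulnerable login: the attacker's fragment becomes part of the SQL."""
    rows = conn.execute(build_query_vulnerable(email, password)).fetchall()
    return len(rows) > 0


def login_parameterized(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Hardened login: inputs are bound as values and never parsed as SQL."""
    rows = conn.execute(
        "SELECT * FROM users WHERE email = ? AND password = md5(?)",
        (email, password),
    ).fetchall()
    return len(rows) > 0


# Allow-list validation of the e-mail field, as a defence-in-depth control.
EMAIL_ALLOWLIST = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_plausible_email(value: str) -> bool:
    return EMAIL_ALLOWLIST.fullmatch(value) is not None


if __name__ == "__main__":
    db = make_db()
    print(build_query_vulnerable("xxx@xxx.xxx", INJECTION_PAYLOAD))
    print("vulnerable login bypassed:",
          login_vulnerable(db, "xxx@xxx.xxx", INJECTION_PAYLOAD))
    print("parameterized login bypassed:",
          login_parameterized(db, "xxx@xxx.xxx", INJECTION_PAYLOAD))
    # The attacker's e-mail passes the allow-list; the payload lives in the
    # password field, where quotes and spaces are legitimate characters.
    print("attacker e-mail passes validation:", is_plausible_email("xxx@xxx.xxx"))
```

Running it shows the concatenated query logging the attacker in with a non-existent e-mail, because OR 1 = 1 matches every row, while the parameterized version compares the password column against md5 of the literal payload string and returns nothing.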


A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Which of the following is the best strategy to prevent SQL injection attacks against a web application?
A. Implement form-based authentication using the POST HTTP method
B. Employ an application framework that supports parameterized queries
C. Accept TLS/SSL connections only
D. Verify whether the injection is automated by a robot
