You are conducting penetration testing against a website supported by a relational database by creating an identity equation as a login input to manipulate and bypass the authentication procedure. Which of the following tactics, techniques, and procedures (TTP) you most likely used?
B. Reflected cross-site scripting
C. Data manipulation language
D. Noise and perturbation data
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Data manipulation language.
This question describes the common SQL injection scenario that employs the so-called “identity equation” like 1=1. The attacking can input SQL expression to exploit the vulnerability of a poorly developed back-end program. SELECT, a keyword of the data manipulation language (DML), is one of the most commonly used in the authentication procedure.
Identity Equation as a SQL Expression
Poorly Developed Back-end Program
Types of SQL Commands
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
A. 多實例 (Polyinstantiation)
B. 反射式跨站腳本 (Reflected cross-site scripting)
C. 資料操作語言 (Data manipulation language)
D. 噪音和擾動數據 (Noise and perturbation data)