CISSP PRACTICE QUESTIONS – 20211222

Effective CISSP Questions

Which of the following is least likely to suffer from injection attacks? (Wentz QOTD)
A. A logger that supports Java Naming and Directory Interface (JNDI) 
B. A database server that accepts parameterized SQL queries
C. A directory service that accepts LDAP queries
D. A web server that accepts HTTP requests

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. A database server that accepts parameterized SQL queries.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.


Software is just a collection of code and data. Data are the input, and code is the set of instructions and logic that processes them. Vulnerable code may accept data that contain malicious code, which is then merged into the legitimate code and executed. The injected malicious code is typically text: a script, a resource locator, a query expression, or some other fragment of syntax.

SQL Injection

SQL injection is an attack in which the attacker supplies SQL expressions as input in a data field so that vulnerable code merges those malicious expressions into the main SQL statement. In other words, SQL injection happens when SQL queries are assembled by concatenating string fragments of SQL with user-supplied input.

Parameterized SQL queries are an effective countermeasure against SQL injection: inputs are passed through parameters, so each data field is strictly treated as data. Malicious code injected into a data field is handled as ordinary data rather than executed as code.
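As an added illustration (not part of the original post), the two lookups below, written against Python's built-in sqlite3 module with a constructed in-memory table, contrast the string-concatenated query the text warns about with its parameterized form; the function names and sample data are assumptions made here.

```python
import sqlite3


def build_db():
    # Constructed sample data: a small in-memory users table for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The user-supplied string is concatenated straight into the SQL text,
    # so any quote or operator inside it becomes part of the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # The SQL text is fixed. The value is bound as a parameter and compared
    # as data; the database never parses it as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed input: a textbook tautology fragment of the kind the text
# describes, placed in the data field instead of a plain user name.
INJECTED = "nobody' OR '1'='1"


def demo():
    # Returns what each lookup yields for the same injected input so the
    # difference can be checked rather than only printed.
    conn = build_db()
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, INJECTED)),
        "parameterized": sorted(lookup_parameterized(conn, INJECTED)),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated query matches every row because the injected text changes the WHERE clause, while the parameterized query matches nothing because it looks for a user literally named `nobody' OR '1'='1`.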

Java Naming and Directory Interface (JNDI) 

Figure: The log4j JNDI Attack (source: GovCERT.ch)

LDAP Injection

HTTP Response Splitting



Which of the following is least likely to suffer from injection attacks? (Wentz QOTD)
A. A logger that supports Java Naming and Directory Interface (JNDI)
B. A database server that accepts parameterized SQL queries
C. A directory service that accepts LDAP queries
D. A web server that accepts HTTP requests


