Which of the following is least likely to suffer from injection attacks? (Wentz QOTD)
A. A logger that supports Java Naming and Directory Interface (JNDI)
B. A database server that accepts parameterized SQL queries
C. A directory service that accepts LDAP queries
D. A web server that accepts HTTP requests
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. A database server that accepts parameterized SQL queries.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
Software is just a collection of code and data. Data are the input, and code is the set of instructions and logic that processes them. Vulnerable code may accept data that contain malicious code, which is then merged into the legitimate code and executed. The injected malicious code is typically text-based: a script, a resource locator, a query expression, or other syntax.
SQL injection is an attack in which the attacker places SQL expressions in a data field as input so that the vulnerable code merges the malicious SQL expressions into the main SQL statement. In other words, SQL injections happen when SQL queries are assembled from fragments of SQL expressions as strings and concatenated with user data inputs.
Parameterized SQL queries are an effective countermeasure against SQL injection: they use parameters to accept inputs so that each data field is strictly treated as data. Malicious code injected into a data field is treated as ordinary data instead of code.
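The contrast described above, shown as an added example (not code from the original post): the same lookup written once by string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table. The table contents and the crafted input string are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: two users in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    # Vulnerable pattern: the user-supplied value is spliced into the SQL text,
    # so any SQL syntax inside the value becomes part of the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # Countermeasure: the '?' placeholder binds the value as data; the driver
    # never re-parses the bound value as SQL, whatever characters it contains.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


BENIGN_INPUT = "alice"
# Constructed input: a data value that carries an SQL expression.
CRAFTED_INPUT = "x' OR 'a'='a"


def demo():
    """Run both lookups with a benign and a crafted input and return the rows each yields."""
    conn = make_db()
    return {
        "concat_benign": lookup_concatenated(conn, BENIGN_INPUT),
        "concat_crafted": lookup_concatenated(conn, CRAFTED_INPUT),
        "param_benign": lookup_parameterized(conn, BENIGN_INPUT),
        "param_crafted": lookup_parameterized(conn, CRAFTED_INPUT),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the concatenated query the crafted value changes the WHERE clause and every row comes back; with the parameterized query the same value is compared literally as a name that does not exist, so no row is returned. The fix is the binding mechanism itself, not escaping or filtering of the input.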
Java Naming and Directory Interface (JNDI)
HTTP Response Splitting
A. A logger that supports Java Naming and Directory Interface (JNDI)
C. A directory service that accepts LDAP queries
D. A web server that accepts HTTP requests