SQL Injection

¡Supera tus tareas y exámenes ahora con Quizwiz!

End of Line Comment

After injecting code into a particular field, legitimate code that follows is nullified through the use of end of line comments

Compromised Data Integrity

An attacker uses this attack to deface a web page, insert malicious content into web pages, or alter the contents of a database.

Piggybacked Query

Attackers inject additional malicious query to the original query. As a result, the DBMS executes multiple SQL queries

Tautology

Attackers inject statements that are always true so that queries always return results upon evaluation of a WHERE condition

Inline Comment

Attackers integrate multiple vulnerable inputs into a single query using inline comments

Error-based SQL Injection

Attackers intentionally insert bad input into an application, causing it to throw database errors

Illegal/Logically Incorrect Query

Attackers send an incorrect query to the database intentionally to generate an error message that may be helpful in carrying out further attacks

Union SQL Injection

Attackers use a UNION clause to add a malicious query to the requested query

Out of band SQL Injection

Attackers use different communication channels to perform the attack and obtain the results.

Fuzzing Testing

It is an adaptive SQL injection testing technique used to discover coding errors by inputting massive amount of random data and observing the changes in the output.

Static Code Analysis

This type of source code analysis is performed to detect the possible vulnerabilities in source code when the code is not executing.

Authentication Bypass

Using this attack, an attacker logs onto an application without providing valid username and password and gains administrative privileges.

Information Disclosure

Using this attack, an attacker obtains sensitive information that is stored in the database.

jSQL Injection

a lightweight application used to find database information from a distant server. It is a Java application for automatic SQL database injection.

SQL injection

a technique used to take advantage of un-sanitized input vulnerabilities to pass SQL commands through a web application for execution by a backend database.

Function testing

a type of software testing technique, where a software or a system is tested against a set of inputs according to the end user's needs. The output obtained from the inputs are then evaluated and compared with the expected results to see if it conforms the functionality or base requirements of a product. It falls within the scope of black box testing.

Burp Suite

a web application security testing utility that allows an attacker to inspect and modify traffic between a browser and a target application. Helps attacker to identify vulnerabilities such as SQL injection, XSS, and so on.

Source code review

aims at locating and analysing areas of the code vulnerable to SQL injection attacks. This can be performed manually or with the help of tools.

SQL Power Injector

an application created in .Net 1.1 that helps attacker to find and exploit SQL injections on a web page.

Double-blind SQL Injection

an attacker inserts time delays in SQL query processing to search the characters in the database, users, database name, column name, row data, and so on.

In-band SQL Injection

an attacker uses the same communication channel to perform the attack and retrieve the results. It is commonly used and easy to exploit.

sqlmap

automates the process of detecting and exploiting SQL injection flaws and taking over of database servers

LOAD_FILE()

function within MySQL is used to read and return the contents of a file located within the MySQL server.

HTTP Post Requsest

one of the methods to carry the requested data to the web server. It carries the data as a port of the message body.

Blind/Inferential SQL Injection

the attacker has no error messages from the system with which to work. The attacker simply sends a malicious SQL query to the database.

Dynamic Code Analysis

the source code of the application is analyzed during execution of the code.

HPP technique

used to override HTTP GET/POST parameters by injecting delimiting characters in query strings.

Compromised Availability of Data

Attackers use this attack to delete the database information, delete log, or audit information that is stored in a database.

OUTFILE()

function within MySQL is often used to run a query and dump the results into a file.


Conjuntos de estudio relacionados

Self-Evaluation: Platelets and Primary Hemostasis

View Set

thigh, hip, groin, and pelvis anatomy

View Set

WGU C706 - Secure Software Design (February 2023)

View Set

TX 30 Hour Principles of Real Estate I Exam Questions

View Set

types of life insurance policies (and term life ins.)

View Set