Nested Query Attack

A.

An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries.

This can trick an application into exposing data that is not intended or authorized to be exposed, or it can potentially allow an attacker to gain insight into configurations or security controls.

Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call.

Cross-site request forgery occurs when an attack forces an authenticated user to send forged requests to an application running under their own access and credentials.

Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without going through validation processes.

The type of attack described in the question is commonly known as an injection attack or specifically, a SQL injection attack.

SQL injection is a type of injection attack where an attacker leverages input fields in a web application to inject malicious SQL statements that manipulate the database. This is possible because web applications often take user input and concatenate it with a SQL statement to query the database. Attackers can exploit this behavior by submitting specially crafted input that alters the intended SQL statement, potentially allowing them to access or modify sensitive data, such as usernames, passwords, or other sensitive information.

SQL injection attacks can be prevented by using parameterized queries, which allow user input to be passed as parameters to the SQL statement rather than being directly concatenated with the statement. This prevents the attacker from altering the SQL statement and executing arbitrary queries.

In contrast, the other answer choices are different types of web application attacks:

• Missing function-level access control: This type of attack occurs when an attacker can access a specific function or resource that should be restricted based on their role or privileges.
• Cross-site scripting (XSS): This type of attack involves injecting malicious code into a web page viewed by other users, allowing the attacker to steal sensitive information or execute arbitrary actions on behalf of the victim.
• Cross-site request forgery (CSRF): This type of attack involves tricking a user into unknowingly executing a malicious action on a website, by crafting a request that appears legitimate but actually contains malicious instructions.