Which of the following threat types involves the sending of commands or arbitrary data through input fields in an application in an attempt to get that code executed as part of normal processing?
Click on the arrows to vote for the correct answer
A. B. C. D.C.
An injection attack is where a malicious actor will send commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries.
This can trick an application into exposing data that is not intended or authorized to be exposed, or it could potentially allow an attacker to gain insight into configurations or security controls.
Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call.
Cross-site request forgery occurs when an attack forces an authenticated user to send forged requests to an application running under their own access and credentials.
Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without going through validation processes.
The correct answer to the question is C. Injection.
Injection is a type of attack where an attacker sends malicious code as input to an application with the intent of modifying the behavior of the application or accessing data without proper authorization. This type of attack typically involves the attacker sending commands or arbitrary data through input fields in an application in an attempt to get that code executed as part of normal processing.
There are several types of injection attacks, including SQL injection, LDAP injection, and XML injection. SQL injection is a type of injection attack where an attacker sends malicious SQL statements to a database through an input field in an application. The malicious SQL statements can be used to modify the behavior of the database or access data without proper authorization.
Cross-site scripting (XSS) is a type of attack where an attacker injects malicious code into a web page viewed by other users. The malicious code is typically injected through input fields in the application, such as a search box or comment field. When other users view the web page, the malicious code is executed in their browser, allowing the attacker to steal their credentials or perform other malicious actions.
Missing function-level access control is a type of security vulnerability where an application does not properly restrict access to certain functions or features based on user roles or permissions. This can allow an attacker to access sensitive functionality or data without proper authorization.
Cross-site forgery (CSRF) is a type of attack where an attacker tricks a user into performing an action on a web application without their knowledge or consent. This is typically done by sending the user a link to a web page that contains a malicious request, such as changing the user's password or transferring funds from their account.
In summary, injection attacks involve the sending of commands or arbitrary data through input fields in an application in an attempt to get that code executed as part of normal processing. SQL injection, LDAP injection, and XML injection are examples of injection attacks. Cross-site scripting, missing function-level access control, and cross-site forgery are other types of security vulnerabilities that can also occur in web applications.