Which statement best describes an injection attack?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions; each question has hints and explanations. Get ready for your exam!

Multiple Choice

Which statement best describes an injection attack?

Explanation:
Injection attacks happen when untrusted input is treated as part of a command or query by an application's interpreter, allowing the attacker to cause the system to execute unintended commands. This precisely matches the idea of crafting input that includes commands which the interpreter will execute, such as injecting a shell or database command through improperly handled input. The strength of this description is its breadth: it covers shell injections, SQL injections, and other interpreter-based commands, all by the same underlying flaw—untrusted input being executed as code.

Other statements describe different scenarios. A blind SQL data-retrieval technique is a narrow form of injection focused on extracting data via SQL, not the general concept of injecting commands. Trying to bypass input validation with encrypted data is about evading filters rather than causing an interpreter to execute extra commands. Flooding the server with traffic is a denial-of-service attack, unrelated to the concept of injecting commands into an interpreter.
