SQL And XML Injections

Question 1

Objective of SQL and XML attack is similar and aims to achieve what?

Answer 1

Sending some kind of code into a system to enable attackers to perform malicious actions

Question 2

Insertion of additional information or code through a data input from a client to an application

Answer 2

Code injection

Question 3

Injection of an SQL query through an input form that a client uses to send data over to a web application

Answer 3

SQL injection attack

-attacker tries to insert parameters or code in the SQL statement used to query a database

Question 4

SQL Injection Attack Mitigation

Answer 4

-Input validation
-Sanitize data received from users
-Filter out apostrophes
-use a Web Application Firewall between client and database (will perform validation/sanitization for you

Question 5

XML data submitted without encryption or input validation is susceptible to the following:

Answer 5

-Snooping
-Spoofing
-Request Forgery
-Injection of arbitrary code

Question 6

XML Exploits

Answer 6

XML Bomb (Billion Laughs Attack)
-Acts as a DoS attack
-XML encodes entities that expand to exponential sizes, consuming memory in the host and potentially crashing it

Question 7

XML External Entity

Answer 7

An attack that embeds a request for a local resource
- doc is usually included

Question 8

How to differentiate between XML and HTML tags

Answer 8

HTML and JavaScript use predefined tags like Font, Image, HREF

XML uses things like question ID, type, element, entity