Eccouncil Exam ECSAv10 Topic 4 Question 67 Discussion

Actual exam question for Eccouncil's ECSAv10 exam

Question #: 67
Topic #: 4

Black-box testing is a method of software testing that examines the functionality of an application (e.g. what the software does) without peering into its internal structures or workings. Black-box testing is used to detect issues in SQL statements and to detect SQL injection vulnerabilities.

Most commonly, SQL injection vulnerabilities are a result of coding vulnerabilities during the Implementation/Development phase and will likely require code changes. Pen testers need to perform this testing during the development phase to find and fix the SQL injection vulnerability.

What can a pen tester do to detect input sanitization issues?

ASend single quotes as the input data to catch instances where the user input is not sanitized

BSend double quotes as the input data to catch instances where the user input is not sanitized

CSend long strings of junk data, just as you would send strings to detect buffer overruns

DUse a right square bracket (the '']'' character) as the input data to catch instances where the user input is used as part of a SQL identifier without any input sanitization

Show Suggested Answer

Suggested Answer: D

by Aracelis at Apr 21, 2024, 04:06 AM

Limited Time Offer

25%

Off

Get Premium ECSAv10 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Catarina

2 months ago

What, no option for ' or 1=1 '? That's the classic, folks. If that doesn't work, I'm just gonna start randomly mashing the keyboard until something breaks. Gotta keep 'em on their toes, right?

upvoted 0 times

...

Annelle

3 months ago

Junk data, huh? Sounds like a job for my special keyboard macro that spits out 10,000 characters in half a second. Bet that'll make the developers' heads spin!

upvoted 0 times

Cory

1 months ago

C) Send long strings of junk data, just as you would send strings to detect buffer overruns

upvoted 0 times

...

Louisa

2 months ago

B) Send double quotes as the input data to catch instances where the user input is not sanitized

upvoted 0 times

...

Lura

2 months ago

A) Send single quotes as the input data to catch instances where the user input is not sanitized

upvoted 0 times

...

Felicidad

3 months ago

Double quotes? Really? That's so 2000s. Everyone knows the right square bracket is where it's at these days. Gotta stay on top of the latest techniques, my friend.

upvoted 0 times

Lenna

2 months ago

D) Use a right square bracket (the '']'' character) as the input data to catch instances where the user input is used as part of a SQL identifier without any input sanitization

upvoted 0 times

...

Jesusita

2 months ago

B) Send double quotes as the input data to catch instances where the user input is not sanitized

upvoted 0 times

...

Mitsue

2 months ago

A) Send single quotes as the input data to catch instances where the user input is not sanitized

upvoted 0 times

...

Edna

3 months ago

Hmm, that makes sense too. It's important to test different types of input data to catch sanitization issues.

upvoted 0 times

...

Berry

3 months ago

I disagree, I believe the correct answer is D) Use a right square bracket as the input data.

upvoted 0 times

...

Aracelis

3 months ago

Ah, the classic SQL injection testing! I'm all over this. Single quotes are the way to go - that's the standard approach to uncover unsanitized input.

upvoted 0 times

Glory

2 months ago

User 2

upvoted 0 times

...

Lamonica

2 months ago

User 1

upvoted 0 times

...

Edna

3 months ago

I think the answer is A) Send single quotes as the input data.

upvoted 0 times

...