A security analyst in an insurance company is assigned to test a new web application that will be used by clients to help them choose and apply for an insurance plan. The analyst discovers that the application is developed in ASP scripting language and it uses MSSQL as a database backend. The analyst locates the application’s search form and introduces the following code in the search input field:
IMG SRC=vbscript:msgbox("Vulnerable");> originalAttribute="SRC" originalPath="vbscript:msgbox("Vulnerable");>"
When the analyst submits the form, the browser returns a pop-up window that says "Vulnerable". Which web applications vulnerability did the analyst discover?
A. Cross-site request forgery
B. Command injection
C. Cross-site scripting
D. SQL injection
EC-Council Certified Ethical Hacker v11Free dumps for 312-50v11 in Printable PDF format.High quality PDF and software. VALID exam to help you pass. |
 |
|
Download Printable PDF. VALID exam to help you PASS. |
|
This is what i found in the OWASP website:
Code Injection – allows attacker to add his own code that is then executed by the application.
Command Injection – attacker extends the default functionality of the application, which execute system commands, without the necessity of injecting code.
XSS – malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
But i’m confused as to which is the correct answer. They are so close to me.
B. Command injection makes sense to me also
Why cant the answer be B?
B. Command injection