Which of the following attacks is being attempted?

A penetration tester analyzed a web-application log file and discovered an input that was sent to the company’s web application. The input contains a string that says "WAITFOR."

Which of the following attacks is being attempted?

A. SQL injection

B. HTML injection

C. Remote command injection

D. DLL injection

View Answer

Answer: A

Explanation:

WAITFOR can be used in a type of SQL injection attack known as time delay SQL injection or blind SQL injection34. This attack works on the basis that true or false queries can be answered by the amount of time a request takes to complete. For example, an attacker can inject a WAITFOR command with a delay argument into an input field of a web application that uses SQL Server as its database. If the query returns true, then the web application will pause for the specified period of time before responding; if the query returns false, then the web application will respond immediately. By observing the response time, the attacker can infer information about the database structure and data1.

Based on this information, one possible answer to your question is A. SQL injection, because it is an attack that exploits a vulnerability in a web application that allows an attacker to execute arbitrary SQL commands on the database server.