Which SQL injection example illustrates an end-of-line comment technique?

Prepare for the Certified Ethical Hacker Version 11 Exam with a comprehensive test featuring flashcards and multiple choice questions, each accompanied by hints and explanations to ensure a thorough understanding. Ace your ethical hacking exam with confidence!

Multiple Choice

Which SQL injection example illustrates an end-of-line comment technique?

Explanation:
The technique tested is using an end-of-line comment in SQL injection, where the attacker injects a comment marker to terminate the rest of the SQL statement. By appending a comment after injecting a condition, the remainder of the original query is ignored, which can bypass authentication or other checks.

Example: a login query might be built as SELECT id FROM users WHERE username = 'user' AND password = 'pass'; If the input for the username is ' OR 1=1 --, the final query becomes SELECT id FROM users WHERE username = '' OR 1=1 -- AND password = 'pass'; The -- starts a comment, so everything after it is ignored, and the condition OR 1=1 is always true, potentially granting access.

This is distinct from fuzzing (randomly testing inputs to discover vulnerabilities), threat modeling (identifying potential threats in a system design), or risk (evaluating the impact and likelihood of threats). The end-of-line comment technique specifically demonstrates how SQL comment syntax can alter a query's logic.
