You work as the enterprise application developer at Domain.com. The Domain.com network consists of a single Active Directory domain named Domain.com. All servers in the domain run Windows Server 2003. Your responsibilities at Domain.com include the support and deployment of applications. Domain.com specializes in providing environmental and social impact assessments for civil engineering companies. Domain.com currently offers an Extensible Markup Language (XML) Web service that allows civil engineering companies to submit environmental impact results and the liability and indemnity coverage of projects to a government agency that deals with infrastructure and engineering. A Web method named AddEnvironmentalimpactTestResult is designed to accept a String parameter that represents a specific geographical area (GEO), usually identified by its coordinates, and a Boolean parameter that indicates whether the test was passed. The AddEnvironmentalimpactTestResult method then executes the following query:
INSERT INTO EnvironmentalimpactResult (GEO, Passed) VALUES ('{0}', {1})
The {0} and {1} format placeholders are replaced with the values for the String and Boolean parameters, respectively. The results are stored in a SQL database. An operations engineer named Clive Wilson is responsible for the monitoring of the database. In carrying out his duties, Clive Wilson compares several liability and indemnity coverage records in the database with the paper results. However, Clive Wilson found that there are some inconsistencies in the results. It thus appears that there were some unauthorized changes to data objects in the database. The suspicion is that an attack must have occurred.
What type of attack would result in these inconsistencies?
A. Cross-site scripting
B. Buffer overrun
C. SQL injection
D. Denial-of-service
Explanation:
A SQL injection attack occurs when a malicious user injects SQL statements into the values from which SQL queries are built. In this case the queries are constructed dynamically, so an attacker could modify the liability and indemnity coverage by calling the AddEnvironmentalimpactTestResult Web method. The attacker could even be a developer at one of the civil engineering companies that are authorized to call the AddEnvironmentalimpactTestResult Web method.
Incorrect answers:
A: A cross-site scripting attack occurs when a Web application writes input data to the browser without encoding it. In this case a Web service and not a Web application is being attacked.
B: A buffer overrun attack usually occurs in unmanaged code when an attacker can overflow the buffer in an attempt to execute malicious code. This is not what is happening in this scenario.
D: A denial-of-service attack occurs when an attacker attempts to overload a server with an excessive number of requests, akin to flooding the server. This is not the case here.
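The dynamically built query from the explanation above, set beside a parameterized form, as an added example that is not part of the original question. Python's str.format uses the same {0}/{1} placeholders; the SQLite in-memory database, the schema, the function names and the crafted GEO value are assumptions constructed for illustration.

```python
import sqlite3

# Same shape as the query on the page; str.format fills {0} and {1}.
QUERY_TEMPLATE = "INSERT INTO EnvironmentalimpactResult (GEO, Passed) VALUES ('{0}', {1})"
# Parameterized form: the driver binds the values, they are never parsed as SQL.
QUERY_PARAM = "INSERT INTO EnvironmentalimpactResult (GEO, Passed) VALUES (?, ?)"


def new_db():
    """In-memory stand-in for the results database (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE EnvironmentalimpactResult (GEO TEXT, Passed INTEGER)")
    return db


def add_result_formatted(db, geo, passed):
    """Vulnerable: caller-supplied text becomes part of the SQL statement."""
    db.execute(QUERY_TEMPLATE.format(geo, int(passed)))


def add_result_parameterized(db, geo, passed):
    """Hardened: GEO and Passed are bound as data."""
    db.execute(QUERY_PARAM, (geo, int(passed)))


def stored_rows(db):
    return db.execute("SELECT GEO, Passed FROM EnvironmentalimpactResult").fetchall()


# Constructed input: the GEO string closes the quoted literal early and
# comments out the rest, so the caller's Passed=False is discarded.
CRAFTED_GEO = "51.50,-0.12', 1) --"


def demo():
    """Store the same input through both code paths and return what landed."""
    vulnerable, hardened = new_db(), new_db()
    add_result_formatted(vulnerable, CRAFTED_GEO, False)
    add_result_parameterized(hardened, CRAFTED_GEO, False)
    return stored_rows(vulnerable), stored_rows(hardened)


if __name__ == "__main__":
    bad, good = demo()
    print("formatted query stored:    ", bad)
    print("parameterized query stored:", good)
```

With the formatted query the stored row records a passed test that the caller never reported; with bound parameters the whole string is stored as the GEO value and Passed stays 0.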