Which SQL injection example illustrates an end-of-line comment technique?

Multiple Choice

Explanation:
The technique tested is using an end-of-line comment in SQL injection, where the attacker injects a comment marker to terminate the rest of the SQL statement. By appending a comment after injecting a condition, the remainder of the original query is ignored, which can bypass authentication or other checks.

Example: a login query might be built as SELECT id FROM users WHERE username = 'user' AND password = 'pass'; If the input for the username is ' OR 1=1 --, the final query becomes SELECT id FROM users WHERE username = '' OR 1=1 -- AND password = 'pass'; The -- starts a comment, so everything after it is ignored, and the condition OR 1=1 is always true, potentially granting access.

This is distinct from fuzzing (randomly testing inputs to discover vulnerabilities), threat modeling (identifying potential threats in a system design), or risk (evaluating the impact and likelihood of threats). The end-of-line comment technique specifically demonstrates how SQL comment syntax can alter a query’s logic.