In an intricate web application architecture using an Oracle database, you, as a security analyst,...

The total data extracted by the attacker is E=xyz’u’, where x is the number of tables, y is the number of columns, z is the number of records, and u is the number of SQL payloads. To maximize E, the attacker would want to choose the highest values of z and u, while keeping x and y constant. Therefore, the situation where z=600 and u=2 would result in the highest extracted data volume, as E=42600*2=9600. The other situations would result in lower values of E, as shown below:

A: E=42400*4=12800

B: E=42550*2=8800

D: E=42500*3=12000

The attacker uses UNION SELECT statements to combine the results from different tables and columns, and DBMS_XSLPPOCESSOR.READ2CLOB to read sensitive files from the database server12. These techniques can bypass input validation and pattern matching measures that are based on the application’s responses3.