A code injection attack exists whenever a scripting or programming language is used in a Web page. All that the attacker needs is an error or opening. That opening usually comes in the form of an input field that is not validated correctly. It is not necessary for the code injection attack to be on the Web page itself. It can be located in the back end, as part of a database query of the Web site. If any part of the server uses Java, JavaScript, C, SQL, or any other code between the Internet and the data, it is vulnerable to a code injection attack.
Answer: C is incorrect. A cross-site scripting attack is one in which an attacker enters malicious data into a Web site. For example, the attacker posts a message that contains malicious code to any newsgroup site. When another user views this message, the browser interprets this code and executes it and, as a result, the attacker is able to take control of the user's system. Cross-site scripting attacks require the execution of client-side languages such as JavaScript, Java, VBScript, ActiveX, Flash, etc. within a user's Web environment. With the help of a cross-site scripting attack, the attacker can perform cookie stealing, session hijacking, etc.

Answer: A is incorrect. A command injection attack is used to inject and execute commands specified by the attacker in the vulnerable application. The application, which executes unwanted system commands, is like a virtual system shell. The attacker may use it as any authorized system user. However, commands are executed with the same privileges and environment as the application has. Command injection attacks are possible in most cases because of a lack of correct validation of input data, which can be manipulated by the attacker.

Answer: D is incorrect. Cross-site request forgery (CSRF), also known as a one-click attack or session riding, is a type of malicious exploit of a Web site whereby unauthorized commands are transmitted from a user that the Web site trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. The attack works by including a link or script in a page that accesses a site to which the user is known to have authenticated.