A set of 25 vocabulary flashcards covering key concepts related to SQL injection, security vulnerabilities, and preventative measures.
Command Injection Attack
A security vulnerability that allows an attacker to execute arbitrary commands on a target system.
SQL Injection (SQLi)
A web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
Prepared Statements
A method to prevent SQL injection by separating SQL logic from user input.
UNION Attack
A type of SQL injection that retrieves data from multiple database tables by appending results to the original query.
Tautology Attack
A type of SQL injection where an attacker injects a payload that always evaluates to true.
LDAP Injection
A vulnerability that allows an attacker to manipulate an LDAP query to gain unauthorized access or information.
FTP Injection
A security vulnerability that allows an attacker to send unauthorized FTP commands.
Comment Attack
An attack that utilizes SQL comments to manipulate the logic of an SQL query.
SQL
Structured Query Language, a domain-specific programming language for managing and manipulating relational databases.
Command-Line
A user interface where users type commands to an interpreter, which executes them.
SQL Query
A statement used to perform operations on data within a database, such as retrieving or modifying data.
Vulnerable Input
Input from users that has not been properly sanitized or validated, posing a risk of SQL injection.
Relational Database
A type of database that stores data in tables and allows relationships between the data.
Injection Point
The location in code where an attacker can insert malicious input to affect the execution of a query.
Stacked Queries
Another term for additional statement injection; allows multiple SQL statements in a single input.
LDAP Protocol
Lightweight Directory Access Protocol, used for querying user information in directories.
Malicious SQL Query
An SQL command crafted by an attacker to manipulate or disrupt normal database operations.
User Input Handling
The process of managing user input to ensure it is handled securely and does not introduce vulnerabilities.
Data Exfiltration
The unauthorized transfer of data from a computer or network.
Parameterization
A practice in SQL that helps protect against SQL injection by using parameters in queries.
Sanitization
The process of cleaning and validating user input to prevent malicious data from being processed.
Server-side Validation
Validation of input performed on the server before processing to enhance security.
Database Permissions
Grants that control the access levels and privileges a user has with regard to the database.
Command-Line Interpreter
A tool that executes commands entered by a user in a command-line interface.
SQL Filter
Conditions applied in SQL queries to limit the records returned based on specified criteria.
Arbitrary Commands
Commands that are not restricted by the application's logic, allowing attackers to execute anything.
Input Validation & Whitelisting
A mitigation strategy that ensures only acceptable inputs are processed.