Prepare for the CompTIA PenTest+ Exam. Enhance your skills with practice questions and detailed explanations. Ace your test and advance your cybersecurity career!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



What kind of attack places malicious code in a vulnerable application due to poor input processing?

  1. Code Injection

  2. Buffer Overflow

  3. SQL Injection

  4. XSS

The correct answer is: Code Injection

Code injection is the introduction of malicious code into a vulnerable application, typically due to insufficient input validation and processing. In a code injection attack, an attacker takes advantage of a flaw in the application's handling of input data. By crafting specific inputs, the attacker can manipulate the application's behavior, allowing them to execute arbitrary commands or extract sensitive information.

Code injection attacks can occur in various contexts, including web applications, where user inputs are not properly sanitized before being executed. This type of vulnerability occurs in numerous programming environments and can lead to severe consequences, such as unauthorized access or data breaches.

While buffer overflow attacks also involve exploiting vulnerabilities in how applications handle input, they specifically target memory allocation and can lead to application crashes or the execution of injected code. SQL injection is a specific form of code injection aimed at databases, manipulating SQL queries, which is a narrower focus than the broader category of code injection itself. Cross-site scripting (XSS) is centered around injecting scripts into web pages viewed by other users, making it another distinct form of injection with a different target and method.

Thus, code injection accurately describes the general principle behind the attack that exploits poor input processing, making it the correct answer.