Which SQL clause can be used by an attacker to combine new SQL queries with the prior query results in an SQL injection attack?

The SQL UNION clause accommodates the construction of two SQL statements, appending the results of the second SQL statement to the first. After identifying a server vulnerable to SQL injection, you can craft a secondary query by adding the keyword UNION followed by the new SELECT statement designed to retrieve data from one or more database tables.

Which of the following is a defense against SSRF and IMDS attacks?

As a defender, you have several opportunities to protect against SSRF and IMDS attacks. First, you should develop a better understanding of the inputs to the applications you need to defend, including any inputs controlled by the user that could make server-side requests.

Logging resources should also be leveraged to identify misuse of systems. This can include web server logs that may reveal exploits as part of an SSRF attack, but it can also include cloud providers' logs. Finally, for AWS use, you should require that developers use IMDSv2 to protect against SSRF access to IMDS. While this will not protect against access to IMDS by other means of attack (such as command injection), it will mitigate many SSRF attack opportunities against IMDS.

Which attacker framework requires a hook to be loaded on an XSS-vulnerable website and has modules that allow an attacker to use the victim's browser to scan ports or deliver exploits?

An attacker can use BeEF to launch attacks on victims. In order for the attack to be delivered, the victim must execute the BeEF hook (a JavaScript file that is available on the BeEF server). In a drive-by attack, this is not a restriction for the attacker, since the attacker will already have established access to a target website where any JavaScript code can be delivered to the victim.

Which characteristic distinguishes watering hole attacks from drive-by attacks?

A watering hole attack utilizes the same techniques as a drive-by attack with one exception: it is targeted. Where drive-by attacks are mostly opportunistic (the attacker will gladly compromise any vulnerable host), a watering hole attack involves a targeting element against a specific vertical industry or other organization such as a company, government, or political party.

Drive-by and watering hole attacks use available exploits to take advantage of browser vulnerabilities as well as vulnerabilities in associated software. These exploits may target the browser itself or downloaded files associated with a browser MIME file type.

XSS is an attack against a user, exploiting a vulnerability where?

Cross-site scripting (XSS) is an attack against an end-user, leveraging a vulnerability on a server that is not performing input or output validation. This is different from the command injection attack where the server vulnerability is used to exploit the server. In an XSS attack, the user runs malicious code supplied by the attacker from the vulnerable server.

Which of the following defenses protects against XSS but not SQL injection attacks?

One defense against cross-site scripting (XSS) attacks is using the Content Security Policy (CSP) header on web servers to declare where linked resources can be loaded from in the requested page by the browser. While input validation and filtering dangerous characters are other important defenses, they are useful against both XSS and SQL injection attacks. Using parametrized queries is a defense exclusive to SQL injection attacks, not XSS attacks.