A web login form uses unsanitized input in the backend query. When an attacker enters `' OR '1'='1'--` into the username field, the application grants access without a valid password. Which attack pattern is being used?

Cross-site scripting, because the attacker is trying to run code in the browser.

Cross-site scripting targets the browser context, but this example is bypassing server-side authentication logic.

Broken session management, because the user is still logged in after leaving the page.

Session abuse can be dangerous, but the initial problem here is query manipulation before authentication succeeds.

Insecure deserialization, because the application accepts user input.

Insecure deserialization involves manipulating serialized objects, not changing the structure of a database query with SQL syntax.

What does this SY0-701 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: SQL injection, because the input changes the meaning of the database query. — The attack pattern is SQL injection. The malicious input changes the backend query logic so the authentication check returns a result the attacker should not have. This is a server-side input validation and query construction failure. Parameterized queries, stored procedures with safe bindings, and strict input handling are the standard defenses against this class of attack. Why others are wrong: Cross-site scripting targets the browser, not a backend login query. Broken session management deals with session tokens after login, which is not the problem here. Insecure deserialization requires serialized object manipulation, not SQL syntax inserted into a form field. The query is being altered directly, so SQL injection is the best fit.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.