A support portal searches customer records by last name. When a tester enters a single quote into the search field, the application returns a database syntax error. Which attack is most likely possible?
A quote causing a database syntax error is a classic sign that user input may be breaking SQL queries.
Why this answer
The single quote character is a common SQL injection test input. When it triggers a database syntax error, it indicates that the input is being concatenated directly into a SQL query without proper sanitization or parameterization. An attacker can then break out of the intended query structure and execute arbitrary SQL commands, making SQL injection the most likely attack.
Exam trap
The trap here is that candidates may confuse a database syntax error with a client-side script error and choose cross-site scripting. The error message originates from the database server, not the browser.
How to eliminate wrong answers
Option B is wrong because cross-site scripting (XSS) requires the application to reflect or store user input as executable JavaScript in the browser, not cause a server-side database syntax error. Option C is wrong because server-side request forgery (SSRF) involves the server making unintended HTTP requests to internal resources, not manipulating database queries. Option D is wrong because cross-site request forgery (CSRF) tricks an authenticated user into submitting a malicious request, whereas the error here is a database syntax error caused directly by the input, not a forged request from another site.