A security analyst notices that the web application returns different response times when a valid username is submitted versus an invalid one during login. Which type of vulnerability is likely being exploited?
Trap 1: Reflected XSS
Reflected XSS involves injecting client-side scripts that are reflected immediately, not timing differences.
Trap 2: Blind boolean-based SQL injection
Boolean-based blind SQL injection relies on differences in response content, not timing.
Trap 3: CSRF
CSRF tricks a user into performing unwanted actions, not revealing information through timing.
- A. Time-based SQL injection
  Correct: Time-based SQL injection uses database delay functions (e.g., SLEEP()) to infer information based on response times.
- B. Reflected XSS
  Why wrong: Reflected XSS involves injecting client-side scripts that are reflected immediately, not timing differences.
- C. Blind boolean-based SQL injection
  Why wrong: Boolean-based blind SQL injection relies on differences in response content, not timing.
- D. CSRF
  Why wrong: CSRF tricks a user into performing unwanted actions, not revealing information through timing.