Under 6.5.1, which types of injection flaws are considered?

Study for the PCI Data Security Standard Exam. Master your knowledge with interactive flashcards and multiple-choice questions, each with hints and explanations. Prepare confidently for your certification test!

Multiple Choice

Under 6.5.1, which types of injection flaws are considered?

Explanation:
Requirement 6.5.1 addresses injection flaws in code and applications. Injection flaws happen when untrusted input is fed into an interpreter as part of a command or query, allowing attackers to alter performance or behavior. SQL injection is the most well-known example, but the scope also includes other types such as OS command injection, LDAP injection, XPath injection, and similar injection methods. So the best answer recognizes injection flaws in general and lists SQL injection while also calling out other injection types, matching the standard’s broad focus. The other options miss this breadth: cross-site scripting is a different vulnerability class, buffer overflow isn’t about injecting into interpreters, and authentication isn’t related to injection flaws.
