Error-Based SQL Injection

Critical

Description

Error-based SQL injection is an in-band SQL injection technique in which the attacker takes advantage of the database's error output. In-band means that the same communication channel used to send the malicious input (the application's normal request/response path) is also used to retrieve the information. This is the easiest and most common intrusion technique used by an attacker. Data extraction can be forced through a vulnerability in which the application returns the raw SQL error produced by the server instead of the requested data.

Attack Scenario

An attacker could submit a malicious value in an input field or parameter, such as a single quote, a double quote, or an SQL operator, in order to provoke an error message. If the application returns the raw database error, that message provides sensitive information about the database, allowing the attacker to confirm the vulnerability and go on to fully exploit the database.

Mitigation

Main Defenses

  • Use prepared statements (with parameterized queries)
  • Whitelist (allow-list) input validation
  • Escape user-supplied input
  • Use properly constructed stored procedures
  • Do not display SQL errors to users; handle them internally
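
The following Python snippet, added here as an illustration and not part of this entry, contrasts a query built by string concatenation with a parameterized query that also keeps the database error internal. It uses the standard-library sqlite3 module; the users table, the sample rows and the input "O'Brien" are constructed for the example.

```python
import logging
import sqlite3

log = logging.getLogger("app")


def make_db():
    """Constructed in-memory database for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")],
    )
    return conn


def lookup_concat(conn, name):
    """Query built by string concatenation (the weak pattern).

    A name containing a quote breaks the SQL statement, and the raw
    database error text is handed back to the caller, i.e. to the user.
    """
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc)}  # leaks the DB error message
    return {"ok": True, "email": row[0] if row else None}


def lookup_param(conn, name):
    """Parameterized query plus internal error handling (the hardened pattern).

    The name is bound as data, so a quote is just a character in the value.
    Any database error is logged server-side and the user sees only a
    generic message.
    """
    try:
        row = conn.execute(
            "SELECT email FROM users WHERE name = ?", (name,)
        ).fetchone()
    except sqlite3.Error:
        log.exception("database error during user lookup")
        return {"ok": False, "error": "lookup failed"}
    return {"ok": True, "email": row[0] if row else None}


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "O'Brien"))  # error text from the database engine
    print(lookup_param(db, "O'Brien"))   # {'ok': True, 'email': 'ob@example.com'}
```

The concatenated version fails on a legitimate name with an apostrophe and exposes the engine's error text, which is exactly the signal an error-based injection relies on; the parameterized version handles the same input correctly.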

Additional Defenses

  • Enforce least privilege

ID: 40001