Error-Based SQL Injection

Critical

Description

Error Based SQL Injection is an in-band SQL injection technique that allows hackers to take advantage of the database’s error output. One of the communication channels of the server is utilized to launch an attack and retrieve information using in-band injections. This is the easiest and most common intrusion technique used by an attacker. You can force data extraction by using a vulnerability in which the code will output a SQL error rather than the required data from the server.

Attack Scenario

An attacker could try to insert a malicious query to receive an error message that provides sensitive information about the database and might try any type of SQL command in an input field parameter such as a single quote, double quote, or SQL operator, allowing him to identify the vulnerability and fully exploit the database.

Mitigation

Main Defenses

Use prepared statements (with Parameterized Queries)
Whitelist input validation
Escape user-supplied input
Use Properly Constructed Stored Procedures
Don't show SQL errors, and try to handle them internally

Additional Defenses

Enforce Least Privilege

ID: 40001

HQ Address

20 Al Mathaf Al Zerai, Agouza, Giza - Egypt
Phone: +2 02 333 638 86
Fax: +2 02 353 656 84
Email: sales@security-meter.com

Asia-Pacific Office Address

Unit 11-3A, 3RD Mile Square No.151
JLN KLANG LAMA, BATU 3 1/2
Kuala Lumpur Malaysia
Email: asia-pacific@security-meter.com

US Office

1-29A 14 Elmwood Park
New Jersey
07407 United States
Email: us@security-meter.com