SQL Statement Disclosure

Medium | Web App Scanning | Plugin ID 113555

Synopsis

SQL Statement Disclosure

Description

Web applications usually rely on backend database servers to store persistent information such as users, sessions, or the products of an e-commerce site. In some cases, these web applications fail to properly handle errors raised when querying the database and display the raw error message or stack trace to the client.

The exposed error may leak sensitive information (for example, a session token bound into the statement) or help an attacker conduct further attacks such as SQL injection, since the disclosed statement reveals table and column names and how user input reaches the query.

Solution

Ensure that SQL errors and exceptions are caught and handled by the web application so that raw error messages are never displayed to the client; log the details server-side and return a generic message. Any SQL statement that has been disclosed should also be reviewed to ensure that it cannot be exploited for SQL injection via unsanitized user input.
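The following is an added illustration of the finding and its fix, not code from Tenable or from any scanned application. It uses a constructed in-memory SQLite database; the handler names, the sessions table and the token value are all assumptions. The leaky handler echoes the raw exception and the statement (token included) to the client, while the hardened handler uses a bound parameter, logs the failure server-side under a reference id, and returns only a generic message.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("app")

def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, user_id INTEGER)")
    conn.execute("INSERT INTO sessions VALUES ('tok-abc123', 7)")
    return conn

def lookup_session_leaky(conn: sqlite3.Connection, token: str) -> tuple[int, str]:
    """Anti-pattern: user input is interpolated into the SQL and, on failure,
    the raw exception plus the full statement is returned to the client."""
    sql = f"SELECT user_id FROM sessions WHERE token = '{token}'"  # injectable
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return 500, f"Database error: {exc} (query: {sql})"  # discloses statement
    return (200, str(row[0])) if row else (404, "not found")

def lookup_session_safe(conn: sqlite3.Connection, token: str) -> tuple[int, str]:
    """Hardened: parameterised query, details logged server-side only, and a
    generic message with a reference id returned to the client."""
    sql = "SELECT user_id FROM sessions WHERE token = ?"
    try:
        row = conn.execute(sql, (token,)).fetchone()
    except sqlite3.Error:
        ref = uuid.uuid4().hex[:12]
        # Log the statement template only; bound values (the token) stay out of the log.
        log.exception("database error ref=%s statement=%s", ref, sql)
        return 500, f"Internal error (reference {ref})"
    return (200, str(row[0])) if row else (404, "not found")

def discloses_statement(body: str, secret: str) -> bool:
    """Check a response body for the kind of leak this plugin flags: the
    secret bound into the query, or SQL syntax from the statement itself."""
    upper = body.upper()
    return secret in body or "SELECT " in upper or " FROM " in upper
```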

See Also

https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html

https://owasp.org/www-community/Improper_Error_Handling

Plugin Details

Severity: Medium

ID: 113555

Type: remote

Published: 2/8/2023

Updated: 3/8/2023

Scan Template: api, basic, full, overview, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 2.9

CVSS v2

Risk Factor: Low

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Low

Base Score: 3.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information