Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Passively Detecting SQL Injection

SQL injection is a class of vulnerabilities that can plague web applications in your environment, often with devastating consequences. They can be difficult to detect and validate and are sometimes the cause of major data breaches. This is a deadly combination. Databases contain the information that attackers are after, including SSN, credit card numbers and other information associated with an individual’s identity such as name, address, phone number, mother's maiden name and more.

The Tenable Passive Vulnerability Scanner (PVS) contains a check for detecting SQL injection attacks. It is a very simple check that first looks for an HTTP request:

pregex=^(GET|POST) /.* HTTP/1\.

Next, it looks for a response that is not formatted as HTML:



At first glance you might be inclined to think this would lead to false positives. In fact, it turns out to be quite an accurate check. At one of the Tenable research sites we saw this alert:


When I went to the above URL manually, I was presented with an error page:


It appears that the error page was not rendering correctly (an error on the error page, how ‘bout that?). Viewing the source of the page revealed information about the problem:


The result of "View source" above contains valuable information that can be used in SQL injection attacks. This includes a table name and a column name visible in the SELECT statement. In addition, the page reveals the file system path in use on the web server. Finally, the error message tells us that the remote server is using a MySQL database. This is extremely valuable information for an attacker looking to exploit this potential vulnerability.


The parameter should be more thoroughly tested to see if SQL injection is indeed possible. However, the information gathered from the error message is certainly a good start for an attacker. It is important to configure the web application to not display this error message to the end user. Passive monitoring is an excellent method to monitor your web applications without any impact to the environment. Activity from normal users, potential hackers and even web spiders can all provide input that may result in displaying an unexpected SQL error.

Subscribe to the Tenable Blog

Try for Free Buy Now

Try Tenable.io Vulnerability Management


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.