Detections
Analytics
SQL Statement Disclosure
low Web App Scanning Plugin ID 113555
Language:
Synopsis
SQL Statement DisclosureDescription
Web applications usually rely on backend database servers to store persistent information like users, sessions or for example products of an e-commerce website. In some cases, these web applications may fail to properly handle potential errors raised when querying the database, displaying raw errors or stack traces.Exposed information may leak sensitive information (for example session tokens used in a statement) or help an attacker conducting further attacks like SQL injections.
Solution
Ensure that the potential SQL errors and exceptions are caught and handled by the web applications to avoid displaying raw error messages. The SQL statement disclosed should also be verified to ensure that SQL injections cannot occur from unsanitized user inputs.See Also
https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
Plugin Details
Severity: Low
ID: 113555
Type: remote
Family: Data Exposure
Published: 2/8/2023
Updated: 3/8/2023
Scan Template: api, basic, full, overview, pci, scan
Risk Information
VPR
Risk Factor: Low
Score: 2.2
CVSS v2
Risk Factor: Low
Base Score: 2.6
Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
CVSS Score Source: Tenable
CVSS v3
Risk Factor: Low
Base Score: 3.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score Source: Tenable
Reference Information
CWE: 200
OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A1
WASC: Information Leakage
CAPEC: 116, 13, 169, 22, 224, 285, 287, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 312, 313, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 472, 497, 508, 573, 574, 575, 576, 577, 59, 60, 616, 643, 646, 651, 79
DISA STIG: APSC-DV-000460
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-SI-15
OWASP API: 2019-API3, 2019-API7, 2023-API3, 2023-API8
OWASP ASVS: 4.0.2-8.3.4
PCI-DSS: 3.2-6.5.8