Description

In a time-based attack, someone could inject a SQL command to the server with code to force a delay in the execution of the queries or with a heavy query that generates this time delay. Depending on the time response, it is possible to deduct some information and determine if a vulnerability is present to exploit it.

Impact

- Allow an attacker to interfere with the queries that an application makes to its database. - Retrieve information from the database an even extract data. - Affect the authentication and authorization aspects of the application. - Steal sensitive information stored in databases.

Recommendation

- Use of prepared statements (with parameterized queries). - Use of stored procedures. - Enforcing the least privilege.

Threat

Anonymous attacker from an intranet.

Expected Remediation Time

⏱️ 60 minutes.

Requirements

Fixes