438 – Error-based SQL Injection
Description
An error-based attack is based on errors emitted by the database server, which allows understanding the database structure and exfiltrating database content.
Impact
- Allow an attacker to interfere with the queries that an application makes to its database. - Retrieve information from the database an even extract data. - Affect the authentication and authorization aspects of the application. - Steal sensitive information stored in databases.
Recommendation
- Use of prepared statements (with parameterized queries). - Use of stored procedures. - Enforcing the least privilege.
Threat
Anonymous attacker from an intranet.
Expected Remediation Time
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
- Attack vector: N
- Attack complexity: L
- Attack Requirements: N
- Privileges required: N
- User interaction: N
- Confidentiality (VC): L
- Integrity (VI): L
- Availability (VA): L
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: X