Scribd
Upload
36 views

SQour Websl Injection

Vega has detected a possible SQL injection vulnerability on the http://www.datapro.in website. SQL injection vulnerabilities occur when external input is not sanitized before being used in a SQL query, allowing attackers to modify queries or access the database. The vulnerability detected has a high risk level and could allow remote attackers to gain unauthorized access to the database or modify the application's logic. Proper input validation and use of prepared statements are recommended to prevent SQL injection.

Uploaded by

muna cliff
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
36 views

SQour Websl Injection

Vega has detected a possible SQL injection vulnerability on the http://www.datapro.in website. SQL injection vulnerabilities occur when external input is not sanitized before being used in a SQL query, allowing attackers to modify queries or access the database. The vulnerability detected has a high risk level and could allow remote attackers to gain unauthorized access to the database or modify the application's logic. Proper input validation and use of prepared statements are recommended to prevent SQL injection.

Uploaded by

muna cliff
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 3

SQour websL Injection

AT A GLANCE

Classification Input Validation Error

Resource http://www.datapro.in/terms_conditions/courses_view_all

Parameter search

Method GET

Detection Type Blind Text Injection Differential

Risk High

REQUEST

GET /terms_conditions/courses_view_all?search='"

RESOURCE CONTENT

<!DOCTYPE html>
<html lang="eng">
<head>
<meta charset="utf-8" />
<title>Datapro | </title>
<meta name="description" content="">
<meta name="keywords" content="">
<!-- SOCIAL MEDIA META -->
<meta property="og:description" content="Datapro">
<meta name="image" property="og:image"
content="http://www.datapro.in/uploads/ab2f8d804647765930aae...

DISCUSSION

Vega has detected a possible SQL injection vulnerability. These vulnerabilities are present when externally-
supplied input is used to construct a SQL query. If precautions are not taken, the externally-supplied input
(usually a GET or POST parameter) can modify the query string such that it performs unintented actions. These
actions include gaining unauthorized read or write access to the data stored in the database, as well as
modifying the logic of the application.

IMPACT

Vega has detected a possible SQL injection vulnerability.


These vulnerabilities can be exploited by remote attackers to gain unauthorized read or write
access to the underlying database.
Exploitation of SQL injection vulnerabilities can also allow for attacks against the logic of the
application.
Attackers may be able to obtain unauthorized access to the server hosting the database.

REMEDIATION
The developer should review the request and response against the code to manually verify
whether or not a vulnerability is present.
The best defense against SQL injection vulnerabilities is to use parameterized statements.
Sanitizing input can prevent these vulnerabilities. Variables of string types should be filtered for
escape characters, and numeric types should be checked to ensure that they are valid.
Use of stored procedures can simplify complex queries and allow for tighter access control
settings.
Configuring database access controls can limit the impact of exploited vulnerabilities. This is a
mitigating strategy that can be employed in environments where the code is not modifiable.
Object-relational mapping eliminates the need for SQL.

Session Cookie Without Secure Flag

AT A GLANCE

Classification Information

Resource /

Risk High

REQUEST

GET /

RESOURCE CONTENT

ci_session=6f5fc830fb2d10bc846a8f0c76df59ecbbc902e3; expires=Sun,
02-Apr-2023 10:36:03 GMT; Max-Age=7200; path=/; HttpOnly

DISCUSSION

Vega has detected that a known session cookie may have been set without the secure flag.

IMPACT

Cookies can be exposed to network eavesdroppers.


Session cookies are authentication credentials; attackers who obtain them can get unauthorized
access to affected web applications.

REMEDIATION

When creating the cookie in the code, set the secure flag to true.

REFERENCES

Some additional links with relevant information published by third-parties:

Secure Flag

HttpOnly OWASP Reference

You might also like