• No replies
81 Posts

Pinned topic Blind SQL Injection - suggestions?

‏2013-02-05T18:44:01Z |

I am trying to get any suggestions you may have, to address this finding. It reports a Blind SQL Injection issue - we already have input validation in place and not sure what needs to be done in the page to handle this. any suggestions will be appreciated.


Blind SQL Injection

Severity: High

Entity: ctl00$ContentPlaceHolder1$txtInput (Parameter)

Risk: It is possible to view, modify or delete database entries and tables

Causes: Sanitation of hazardous characters was not performed correctly on user input

Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because it shows that values can be appended to parameter values, indicating that they were embedded in an SQL query.HEX(0D)HEX(0A)In this test, three (or sometimes four) requests are sent. The last is logically equal to the original, and the nexttolast is different. Any others are for control purposes. A comparison of the last two responses with the first (the last is similar to it, and the nexttolast is different) indicates that the application is vulnerable.