Information Leakage Attacks: How Applications Unintentionally Reveal Sensitive Data

Information Leakage occurs when a web application unintentionally exposes sensitive data — through developer comments, verbose error messages, or plaintext content — that aids an attacker in planning SQL Injection, XSS, or other targeted attacks.

Three Categories of Information Leakage

Category                          | Example
----------------------------------|--------------------------------------------------------------------
Comments in Code                  | HTML comment exposing a server name: <!--If missing, restart VADER-->
Verbose Error Messages            | SQL error revealing query structure and parameter names
Confidential Data in Plain Sight  | Credentials or connection strings in source HTML

SQL Error Message Attack Example

Placing an apostrophe in a login field may trigger a verbose error such as:

System.Data.OleDb.OleDbException: Syntax error (missing operator)
in query expression 'username = ''' and password = 'g''

This reveals the username and password parameter names — exactly what an attacker needs to craft a SQL Injection payload.

Prevention Guidance

  • Filter all outbound data from web applications before sending to the client.
  • Intercept verbose database error messages and substitute a generic HTTP 500 response.
  • Strip all developer comments from HTML before deployment.
  • Redirect errors to a user-facing page that discloses no internal detail.
  • Transmit server-to-client data in encrypted form.
  • Remove or suppress server banners and version information.

SQL Injection: The Attack That Can Empty Your Entire Database

SQL Injection is one of the most prevalent web vulnerabilities. It involves passing crafted SQL commands through unsanitised input fields to interact directly with the backend database — potentially exposing, modifying, or deleting all data. Once exploited, it is equivalent to handing the attacker direct database access.

The Classic Bypass: ' or 1=1--

-- Normal authentication query:
SELECT * FROM users WHERE username='John' AND password='secret'
-- After injection of: ' or 1=1--
SELECT * FROM users WHERE username='John' AND password='' or 1=1--'
-- WHERE clause always TRUE → login bypassed

UNION Injection

SELECT header, txt FROM news
UNION ALL SELECT name, pass FROM members
-- Exposes all member credentials

Four Categories of SQL Injection

Category                | Mechanism
------------------------|----------------------------------------------------------------
SQL Manipulation        | Modify WHERE clauses or use UNION to change query results
Code Injection          | Append EXECUTE commands to run arbitrary stored procedures
Function Call Injection | Inject calls to database functions (mainly Oracle PL/SQL)
Buffer Overflows        | Exploit extended stored procedures to overflow memory

Prevention Guidance

  • Use parameterised queries / prepared statements in all database interactions — this is the primary defence.
  • Filter all input: strip single quotes, double quotes, slashes, backslashes, semicolons, NULL, and carriage returns.
  • Convert numeric values to integers before using them in SQL; validate with ISNUMERIC.
  • Run the database server with a low-privilege account.
  • Delete unused stored procedures (xp_startmail, xp_sendmail, sp_makewebtask).
  • Never return detailed database error messages to users.
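The two defences the page stresses, parameterised queries and generic error responses, side by side with the concatenated query they replace. This is an added example, not code from the original text; the in-memory SQLite database, its single account and the function names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the original text): one account in an
# in-memory SQLite database so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('John', 'secret')")
    return conn

def login_vulnerable(conn, username, password):
    # Builds the query by string concatenation, so a quote in the input is
    # parsed as SQL: the ' or 1=1-- bypass rewrites the WHERE clause, and a
    # stray apostrophe raises a verbose syntax error from the driver.
    query = (f"SELECT * FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchone() is not None

def login_safe(conn, username, password):
    # Parameterised query: the driver binds the values as data, so the same
    # input is compared literally against the password column.
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None

def handle_login(conn, username, password, login_fn):
    # Wrapper that never forwards database exception text to the client.
    # Returns (http_status, message); the verbose error stays server-side.
    try:
        ok = login_fn(conn, username, password)
    except sqlite3.Error:
        # Log the full exception on the server here; the client sees only this.
        return 500, "Internal server error"
    return (200, "Welcome") if ok else (401, "Invalid credentials")

if __name__ == "__main__":
    db = make_db()
    bypass = "' or 1=1--"
    print("vulnerable:", handle_login(db, "John", bypass, login_vulnerable))
    print("safe:      ", handle_login(db, "John", bypass, login_safe))
    print("apostrophe:", handle_login(db, "John", "g'", login_vulnerable))
```

Running the script shows the concatenated query accepting the bypass and turning a lone apostrophe into a database exception, while the parameterised version rejects the same input and the wrapper returns only a generic 500.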