Time-based SQL Injection
Description
In a time-based attack, someone could inject a SQL command to the server with code to force a delay in the execution of the queries or with a heavy query that generates this time delay. Depending on the time response, it is possible to deduct some information and determine if a vulnerability is present to exploit it.
Impact
- Allow an attacker to interfere with the queries that an application makes to its database.
- Retrieve information from the database an even extract data.
- Affect the authentication and authorization aspects of the application.
- Steal sensitive information stored in databases.
Recommendation
- Use of prepared statements (with parameterized queries).
- Use of stored procedures.
- Enforcing the least privilege.
Threat
Anonymous attacker from an intranet.
Expected Remediation Time
⌚ 60 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the src.
Base
- Attack vector: N
- Attack complexity: L
- Privileges required: N
- User interaction: N
- Scope: U
- Confidentiality: L
- Integrity: L
- Availability: L
Temporal
- Exploit code maturity: X
- Remediation level: X
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X
- Score:
- Base: 7.3
- Temporal: 7.3
- Severity:
- Base: High
- Temporal: High
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
- Attack vector: N
- Attack complexity: L
- Attack Requirements: N
- Privileges required: N
- User interaction: N
- Confidentiality (VC): L
- Integrity (VI): L
- Availability (VA): L
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: X
Result 4.0
- Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X
- Score:
- CVSS-BT: 6.9
- Severity:
- CVSS-BT: Medium
Requirements
Fixes
