Sql-Injection-Scan-Sample-Report (SFILE

This sample SQL injection scan report records one high-risk finding on the target website. The light scan crawled 25 URLs (11 of them with dynamic parameters) and reports four injectable parameters on three pages (/travel.php, /bookings.php, /user_profile.php), reachable through GET and POST requests. The report recommends validating and type-checking all input on the server side, using prepared statements instead of string concatenation, and granting the application only the database privileges it actually needs.

SQL Injection Scanner Report

Target: http://vulnapp.example.com

Summary

Overall risk level: High

Risk ratings:
High: 1
Medium: 0
Low: 0
Info: 1

Scan information:
Start time: 2018-12-03 16:47:15
Finish time: 2018-12-03 16:47:56
Scan duration: 41 sec
Tests performed: 2/2
Scan status: Finished

Findings

SQL Injection

Vulnerable Page     Vulnerable Parameter   Method   Attack Vector
/travel.php         id                     GET      http://vulnapp.example.com/travel.php?id=5-2
/bookings.php       cat                    GET      http://vulnapp.example.com/bookings.php?cat=4+AND+1%3D1+--+
/user_profile.php   uname                  POST     http://vulnapp.example.com/user_profile.php
                                                    POST Data: uname=ZAP' OR '1'='1' --
/user_profile.php   pass                   POST     http://vulnapp.example.com/user_profile.php
                                                    POST Data: pass=ZAP' OR '1'='1' --

Details

Risk description:
SQL injection may be possible. The attack vectors listed above are detection probes rather than proofs of exploitation: id=5-2 is the standard arithmetic probe (an injectable numeric parameter makes the page respond as it does for id=3, because the database evaluated the expression), cat=4 AND 1=1 -- is a boolean probe (the response should match cat=4 and differ from the same request with a false condition), and uname/pass=ZAP' OR '1'='1' -- is a tautology in a string context that, if accepted, bypasses the comparison on the login fields. Confirm each finding manually before treating it as exploitable.

Recommendation:

Do not trust client-side input, even if there is client-side validation in place.
In general, type-check all data on the server side; a numeric parameter such as id or cat should be rejected before it reaches a query if it is not an integer.
If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'.
If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.
If database stored procedures can be used, use them.
Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!
Do not create dynamic SQL queries using simple string concatenation; parameterized statements are the primary fix, and the items below are defence in depth, not substitutes for them.
Escape all data received from the client.
Apply a 'whitelist' of allowed characters in user input; a 'blacklist' of disallowed characters is weaker, since encodings and alternative syntax routinely bypass it.
Apply the principle of least privilege by using the least privileged database user possible.
In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.
Grant the minimum database access that is necessary for the application.
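The following is an added example, not part of the original report and not the scanner's own code. It models the three probe styles from the attack vectors above (arithmetic id=5-2, boolean cat=4 AND 1=1 --, and the ' OR '1'='1' -- tautology on the login fields) against a Python/SQLite stand-in for the PHP pages, once written with string concatenation and once with the type check plus '?' placeholders the recommendation calls for. The database, its tables (items, users) and all rows are constructed for the example; the probe logic is the usual interpretation of those payloads, not a reconstruction of this scanner's internals.

```python
import sqlite3

ERROR = "error"  # stands in for the application's error page


def make_db():
    """Constructed in-memory database standing in for the scanned app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, cat INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, 1), (2, 2), (3, 3), (4, 4), (5, 4)])
    conn.execute("CREATE TABLE users (uname TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


# --- Vulnerable handlers: the request parameter is concatenated into the SQL text,
#     which is the pattern the findings imply for /travel.php, /bookings.php and
#     /user_profile.php. Deliberately injectable.
def travel_vulnerable(conn, id_param):        # /travel.php?id=
    return conn.execute("SELECT id FROM items WHERE id = " + id_param).fetchall()


def bookings_vulnerable(conn, cat_param):     # /bookings.php?cat=
    return conn.execute("SELECT id FROM items WHERE cat = " + cat_param).fetchall()


def login_vulnerable(conn, uname, pw):        # POST /user_profile.php
    sql = ("SELECT uname FROM users WHERE uname = '" + uname
           + "' AND pass = '" + pw + "'")
    return conn.execute(sql).fetchall()


# --- Hardened handlers: server-side type check, then a parameterized statement.
#     The driver binds the '?' values; the input is never parsed as SQL.
def travel_safe(conn, id_param):
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT id FROM items WHERE id = ?",
                        (int(id_param),)).fetchall()


def bookings_safe(conn, cat_param):
    if not cat_param.isdigit():
        raise ValueError("cat must be a positive integer")
    return conn.execute("SELECT id FROM items WHERE cat = ?",
                        (int(cat_param),)).fetchall()


def login_safe(conn, uname, pw):
    return conn.execute("SELECT uname FROM users WHERE uname = ? AND pass = ?",
                        (uname, pw)).fetchall()


# --- Probes, written the way a scanner reasons about responses.
def respond(handler, conn, value):
    """One simulated HTTP request: the rows the page would render, or ERROR."""
    try:
        return handler(conn, value)
    except (ValueError, sqlite3.Error):
        return ERROR


def arithmetic_probe(handler, conn):
    """id=5-2: injectable only if it renders like id=3 and unlike id=5-1 (= 4)."""
    probe = respond(handler, conn, "5-2")
    return (probe != ERROR
            and probe == respond(handler, conn, "3")
            and probe != respond(handler, conn, "5-1"))


def boolean_probe(handler, conn):
    """cat=4 AND 1=1 -- must match the baseline cat=4; cat=4 AND 1=2 -- must differ."""
    baseline = respond(handler, conn, "4")
    true_case = respond(handler, conn, "4 AND 1=1 -- ")
    false_case = respond(handler, conn, "4 AND 1=2 -- ")
    return baseline != ERROR and true_case == baseline and false_case != baseline


if __name__ == "__main__":
    db = make_db()
    payload = "ZAP' OR '1'='1' --"
    print("arithmetic probe  vulnerable/hardened:",
          arithmetic_probe(travel_vulnerable, db), arithmetic_probe(travel_safe, db))
    print("boolean probe     vulnerable/hardened:",
          boolean_probe(bookings_vulnerable, db), boolean_probe(bookings_safe, db))
    print("login tautology   vulnerable/hardened:",
          login_vulnerable(db, payload, "ZAP"), login_safe(db, payload, "ZAP"))
```

Run as a script it prints True/False for each probe pair and the rows the login query returns: the concatenated version returns every user for the tautology, the parameterized version returns none. The hardened handlers never reach the database for a malformed id or cat, so the arithmetic and boolean probes see an error page on both the true and false cases and cannot distinguish them, which is exactly the signal the scanner looks for being absent.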

Light spider results: 11 dynamic URLs of total 25 URLs crawled

METHOD   URL                       PARAMS
GET      /bookings.php             cat=2
GET      /bookings.php             cat=3
GET      /bookings.php             cat=4
POST     /user_profile.php         uname=ZAP&pass=ZAP
POST     /search.php?test=query    searchFor=ZAP&goButton=go
GET      /for_rent.php             file='%20+%20pict.item(0).firstChild.nodeValue%20+%20'
POST     /guestbook.php            name=anonymous+user&text=&submit=add+message
GET      /travel.php               artist=3
GET      /travel.php               artist=2
GET      /bookings.php             cat=1
GET      /travel.php               artist=1

Scan coverage information

List of tests performed (2/2)
Spidering target
Scanning for SQL Injection...

Scan parameters
Website URL: http://vulnapp.example.com
Scan type: Light
Authentication: False
