SQL
AntWallker, 2022-01-27 15:07:57

SQL database error in a Windows application: how serious is it in terms of security?

Hi all! I'll try to describe the situation as clearly as I can.
Recently I noticed that during certain manipulations with a self-service checkout in a supermarket, a window with SQL code appears on the screen.
Something in this format:

SELECT message_id AS Error, severity AS Severity,  
[Event Logged] = CASE 
FROM sys.messages

I would like to know how bad this is in that regard, if someone wanted to make use of it?
Thank you!


2 answer(s)
nApoBo3, 2022-01-27
@nApoBo3

Throwing internal errors outward is considered bad practice from all points of view.

Uncle Seryozha, 2022-01-27
@Protos

I don't see where an injection could be inserted here; there is no place for user input. But if you find one (something earlier that feeds this function), then the attacker understands which injection to pick.

Error handling reveals stack traces or other overly informative error messages to users.

See OWASP TOP 5
For example, if the checkout interface has a field for searching log events by message_id, it is assumed that the message_id is known to the user, and the field itself has no injection protection, then an attacker can enter an injection instead of a number.
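The scenario the second answer sketches (a message_id search field with no injection protection) and the first answer's point about throwing internal errors outward, as an added example that is not part of the original question or either answer. It uses Python's built-in sqlite3 with a constructed `messages` table standing in for SQL Server's sys.messages; the table contents, the `operators` table, and the function names are assumptions made for illustration, and the injected payload is written for that constructed schema.

```python
import sqlite3


def make_db():
    """Constructed sample data: a stand-in for sys.messages plus a table an
    attacker would want to read. SQLite is used only so this runs offline;
    the string-concatenation pattern is the same on SQL Server."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE messages (message_id INTEGER, severity INTEGER,"
                " is_event_logged INTEGER, text TEXT)")
    con.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        (208, 16, 0, "Invalid object name"),
        (823, 24, 1, "I/O error"),
        (18456, 14, 1, "Login failed"),
    ])
    con.execute("CREATE TABLE operators (login TEXT, pin TEXT)")
    con.execute("INSERT INTO operators VALUES ('cashier1', '1234')")
    return con


# Same shape as the query the question author saw, minus the WHERE value.
QUERY = ("SELECT message_id AS Error, severity AS Severity, "
         "CASE is_event_logged WHEN 0 THEN 'No' ELSE 'Yes' END AS [Event Logged] "
         "FROM messages WHERE message_id = ")


def search_vulnerable(con, user_input):
    """The pattern the second answer warns about: the value typed into the
    message_id field is pasted straight into the SQL text, and the raw
    database error (query included) is returned to the screen, which is
    the kind of window the question describes."""
    sql = QUERY + user_input
    try:
        return con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"DB error: {exc} in query: {sql}"


def search_hardened(con, user_input):
    """message_id is a number, so accept only digits, bind it as a
    parameter, and never show the database's own error text to the user."""
    if not user_input.isdigit():
        raise ValueError("message_id must be a number")
    sql = QUERY + "?"
    try:
        return con.execute(sql, (int(user_input),)).fetchall()
    except sqlite3.Error as exc:
        # Details go to a server-side log (stdout here); the user gets a
        # generic message that says nothing about the schema or the query.
        print(f"lookup failed: {exc!r}")
        raise RuntimeError("Lookup failed, please contact support") from None


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "208"))
    # A stray quote causes a parse error, and the error leaks the query text.
    print(search_vulnerable(db, "208'"))
    # With the column count known from the leaked query, the attacker UNIONs
    # another table onto the result.
    print(search_vulnerable(db, "0 UNION ALL SELECT login, pin, 'x' FROM operators"))
    print(search_hardened(db, "208"))
    try:
        search_hardened(db, "0 UNION ALL SELECT login, pin, 'x' FROM operators")
    except ValueError as exc:
        print("rejected:", exc)
```

The leaked error is what turns a blind guess into a targeted payload: once the attacker sees the full SELECT and its three columns, a matching UNION is trivial. The hardened version removes both halves of the problem, the concatenation and the verbose error, rather than only hiding the message.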
