For SQL Injection vulnerabilities display injection type and technology


When triaging SQL Injection vulnerabilities, knowing the injection type (blind vs. normal) and the target technology (MySQL, Oracle, etc.) helps the reviewer decide whether the finding is a false positive: the type tells them how the scanner observed the injection (a response delay for a blind finding, an error or content change for a normal one), and the technology tells them which payloads and error messages to expect when re-testing.

To provide this information, the Type and Technology fields will be displayed in the vulnerability description.

  • Type is displayed as Injection Type: XYZ, with valid values of Normal or Blind.
    • Question: Should we replace Blind with Timing based?
  • Technology is displayed as Technology: YZX, with valid values of Generic, MySQL, ...

Example of proposed description:

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands.

SQL injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind. This flaw depends on the fact that SQL makes no real distinction between the control and data planes.

The value of variables.name was mutated as follows:

```
    Technology: MySQL
Injection Type: Blind
     Parameter: variables.name
Original Value: Joe Smith
 Mutated Value: =sleep(15) -- 
```
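The Technology and Injection Type lines above are what a reviewer would use to re-verify the finding. The following Python is an added example written for this rewrite, not code from GitLab or from the DAST scanner that produces the report: it parses a constructed copy of the proposed description, maps the Technology field to the matching time-delay primitive, and re-tests a Blind finding by pairing a zero-delay control with a real delay over several trials, which is how a timing-based false positive (one slow response caused by jitter) is ruled out. `SAMPLE_FINDING`, `simulated_target` and the `DELAY_PATTERNS` table are assumptions made for the example; the sleep functions and error strings are the real DBMS ones.

```python
import re
from typing import Callable, Dict, Optional

# Constructed sample of the description block proposed in this issue. It is not taken
# from a real GitLab DAST report; the field names mirror the proposal above.
SAMPLE_FINDING = """\
The value of variables.name was mutated as follows:

    Technology: MySQL
Injection Type: Blind
     Parameter: variables.name
Original Value: Joe Smith
 Mutated Value: =sleep(15) -- 
"""

FIELD_RE = re.compile(
    r"^\s*(Technology|Injection Type|Parameter|Original Value|Mutated Value):\s*(.*?)\s*$",
    re.MULTILINE,
)


def parse_finding(text: str) -> Dict[str, str]:
    """Pull the key/value lines out of a finding description."""
    fields = dict(FIELD_RE.findall(text))
    missing = {"Technology", "Injection Type", "Parameter", "Mutated Value"} - set(fields)
    if missing:
        raise ValueError(f"finding is missing fields: {sorted(missing)}")
    return fields


# Time-delay primitives per DBMS (assumed table for the example). The function/statement
# names are the real ones; the payload shape copies the "=sleep(15) -- " style above.
DELAY_PATTERNS = {
    "MySQL": (lambda s: f"=sleep({s}) -- ", r"sleep\((\d+)\)"),
    "PostgreSQL": (lambda s: f"=pg_sleep({s}) -- ", r"pg_sleep\((\d+)\)"),
    "MsSQL": (lambda s: f"'; WAITFOR DELAY '0:0:{s}' -- ", r"WAITFOR DELAY '0:0:(\d+)'"),
}


def delay_seconds(mutated: str, technology: str) -> Optional[int]:
    """Seconds of delay a Blind payload asks for, or None if it is not one we recognise."""
    if technology not in DELAY_PATTERNS:
        return None
    m = re.search(DELAY_PATTERNS[technology][1], mutated, re.IGNORECASE)
    return int(m.group(1)) if m else None


def confirm_time_based(send: Callable[[str], float], technology: str,
                       delay: int = 5, trials: int = 3, tolerance: float = 0.5) -> bool:
    """Re-verify a Blind finding. A genuine time-based injection delays the response by
    about `delay` seconds only when the sleep payload is sent; the zero-second control
    sent just before it must stay fast. Repeating the pair means a single slow response
    (network jitter, a busy server) cannot confirm the finding on its own."""
    build = DELAY_PATTERNS[technology][0]
    for _ in range(trials):
        control = send(build(0))
        probe = send(build(delay))
        if control >= delay - tolerance or probe < delay - tolerance:
            return False
    return True


# Error text each DBMS emits on a broken query. A Normal finding whose response body
# carries the message for the reported Technology is straightforward to confirm.
ERROR_SIGNATURES = {
    "MySQL": ("You have an error in your SQL syntax",),
    "PostgreSQL": ("syntax error at or near",),
    "MsSQL": ("Unclosed quotation mark after the character string", "Incorrect syntax near"),
}


def confirm_error_based(body: str, technology: str) -> bool:
    """True when the response body shows the DBMS's own syntax error for `technology`."""
    return any(sig in body for sig in ERROR_SIGNATURES.get(technology, ()))


def simulated_target(vulnerable: bool) -> Callable[[str], float]:
    """Stand-in for timing an HTTP request (constructed for this example). A vulnerable
    MySQL-backed endpoint honours sleep(N); a patched one ignores the payload."""
    def send(value: str) -> float:
        base = 0.05  # normal round-trip time in seconds
        secs = delay_seconds(value, "MySQL") if vulnerable else None
        return base + (secs or 0)
    return send


if __name__ == "__main__":
    finding = parse_finding(SAMPLE_FINDING)
    tech, kind = finding["Technology"], finding["Injection Type"]
    print(f"{kind} injection against {tech}, requested delay:",
          delay_seconds(finding["Mutated Value"], tech))
    if kind == "Blind":
        print("vulnerable target confirmed:", confirm_time_based(simulated_target(True), tech))
        print("patched target confirmed:", confirm_time_based(simulated_target(False), tech))
```

In a real re-test `send` would time an HTTP request that places the payload in the reported parameter (here `variables.name`), and the delay should be chosen shorter than the scanner's 15 seconds but clearly above the server's normal response time.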