SQL Command Disclosure

Description

SQL commands reveal information about the structure of the underlying database. This information does not create any direct impact on the target, though it provides valuable information attackers can use in their attack. Exposure of SQL commands can aid attackers in crafting more targeted and effective SQL injection attacks, potentially leading to unauthorized access to sensitive data.

Recommendation

If it’s not displayed intentionally, fix the reason causing the disclosure and make sure the SQL command is not revealed due to errors and misconfigurations. Implement proper input validation and parameterized queries to mitigate the risk of SQL injection.

References

• CWE-200
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
• Microsoft: SQL Injection
• OWASP 2021-A5
• OWASP: SQL Injection