Description
During the scan, Cytrix managed to find an SQL Injection vulnerability. SQL Injection (SQLi) is a security vulnerability that allows a user to inject SQL commands into the database engine through a vulnerable web application. The attacker can manipulate the query passed to the back-end database to read, delete or modify sensitive information in the database through the website itself.
SQL Injection can, for example, leak users' sensitive information. In some cases, the attacker can modify or delete the data, causing persistent changes to the application's content or behavior. SQL Injection arises because the web application does not check user input fields correctly, which allows attacker-supplied SQL to pass straight through into the database.
By abusing an application's data input mechanisms, an attacker can manipulate the generated SQL query to their advantage, which can lead to destructive events. Although SQL Injection is mostly known as an attack against websites, it can occur in any application built on an SQL database.
SQL Injection attacks are performed by injecting SQL commands into the SQL queries of web applications.
A successful SQL Injection attack gives the attacker access to the web application's database and the ability to manage it.
Recommendation
In order to prevent this vulnerability, make sure that input coming from the user is validated and does not contain any SQL code or queries.
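The following is an added example, not code from the original finding or from the Cytrix scanner, showing why the recommendation above matters. It puts a lookup built by string concatenation (the pattern this finding reports) beside the parameterized form that the OWASP cheat sheet referenced below lists as the primary defense, plus an allow-list check as a second layer. The table, the sample rows and the username pattern are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_email_vulnerable(conn, username):
    """The pattern this finding reports: untrusted input is concatenated
    straight into the statement, so the database cannot tell the user's
    data apart from the query structure."""
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn, username):
    """Parameterized query: the statement structure is fixed and the driver
    passes the value separately, so the input is only ever compared as data,
    never executed as SQL."""
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Hypothetical allow-list for this demo: usernames are short, lowercase
# alphanumerics. Real applications define the pattern for their own fields.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_valid_username(value):
    """Allow-list validation as a second layer of defense: reject anything
    that does not look like a username before it reaches the database."""
    return bool(USERNAME_RE.fullmatch(value))


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "' OR '1'='1"):
        print(repr(name), "valid:", is_valid_username(name))
        print("  concatenated:", lookup_email_vulnerable(db, name))
        print("  parameterized:", lookup_email_safe(db, name))
```

Run as a script, the concatenated lookup returns every row for the second input because the quote characters become part of the query structure, while the parameterized lookup returns nothing because the same string is compared only as a value; the allow-list check rejects it before any query runs.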
References
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html