The following was returned when placing an apostrophe into the
username field of a login page:
Verbose error message:
An Error Has Occurred.
Error Message:
System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression username = and password = g . at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling ( Int32 hr) at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult ( tagDBPARAMS dbParams, Object& executeResult) at
In the first error statement a syntax error is reported. The error
message reveals the names of the parameters used in the SQL query,
username and password, together with the shape of the WHERE clause in
which they appear. This leaked information is the missing link an
attacker needs to begin constructing SQL Injection attacks against the
site.
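The leak and its remedy side by side, as an added example that is not part of the original document: a Python/sqlite3 stand-in for the .NET OleDb login above, in which the string-built query returns the raw exception to the client while the hardened version binds parameters and sends the detail to a server-side log. The table, the user alice with password g, and the logger name are constructed for the demo.

```python
import logging
import sqlite3


def make_db():
    """Constructed in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'g')")  # demo data only
    return conn


def login_verbose(conn, username, password):
    """Vulnerable pattern: query built by concatenation, exception text returned to the browser."""
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"and password = '{password}'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as exc:
        # Reveals column names and WHERE-clause shape, as in the OleDb message above.
        return f"An Error Has Occurred. Error Message: {exc}"
    return "Login OK" if row else "Login failed"


def login_hardened(conn, username, password, log=logging.getLogger("app")):
    """Hardened pattern: bound parameters, generic client message, detail only in the log."""
    query = "SELECT 1 FROM users WHERE username = ? and password = ?"
    try:
        # The apostrophe is passed as data, so it can no longer break the statement.
        row = conn.execute(query, (username, password)).fetchone()
    except sqlite3.Error as exc:
        log.error("login query failed: %s", exc)  # detail stays server-side
        return "An Error Has Occurred."
    return "Login OK" if row else "Login failed"


if __name__ == "__main__":
    db = make_db()
    print(login_verbose(db, "'", "g"))   # leaks the database error text
    print(login_hardened(db, "'", "g"))  # plain "Login failed"
```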
Copyright 2004, Web Application Security Consortium. All rights reserved.