SQL Injection - MsSQL (Time Based)
ID: sql_injection_mssql_time_based
Severity: critical
Kind: Injection
CWE: 89
Description
The application appears vulnerable to time-based blind SQL injection in a Microsoft SQL Server context. The detector injects MSSQL-specific delay statements such as WAITFOR DELAY into the tested parameter and compares the response time against a baseline request: a response delayed by roughly the requested interval shows that the injected text was executed as SQL, which confirms the injection without relying on error messages or visible data in the output.
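The check described above, as an added example that is not part of this detector's own code: a WAITFOR DELAY payload is sent alongside a benign request and a zero-second control, response times are taken several times and compared by median, and the target is called vulnerable only if the delay payload adds most of the requested interval while the control does not. The target endpoint, table name, latency figures and the 80%/50% thresholds are all constructed for the demonstration; the real detector's thresholds are not given on this page.

```python
import random
import re
import statistics
from typing import Callable

# The MSSQL-specific delay primitive the detector injects: WAITFOR DELAY 'h:m:s'.
WAITFOR_RE = re.compile(r"WAITFOR\s+DELAY\s+'(\d+):(\d+):(\d+)'", re.IGNORECASE)

# Seeded jitter so the constructed "network" behaves the same on every run.
_rng = random.Random(1)


def simulated_vulnerable_target(user_input: str) -> float:
    """Constructed stand-in for a vulnerable endpoint; returns the simulated
    response time in seconds. The statement is built by string concatenation,
    so a WAITFOR DELAY inside the input becomes part of what the server runs."""
    query = f"SELECT name FROM products WHERE id = '{user_input}'"  # vulnerable pattern
    elapsed = 0.25 + _rng.uniform(-0.05, 0.05)  # baseline latency with jitter
    match = WAITFOR_RE.search(query)
    if match:  # MSSQL would pause for the requested interval
        hours, minutes, seconds = (int(x) for x in match.groups())
        elapsed += hours * 3600 + minutes * 60 + seconds
    return elapsed


def simulated_safe_target(user_input: str) -> float:
    """Constructed stand-in for the same endpoint using a parameterised query
    ("SELECT name FROM products WHERE id = ?" with user_input bound as a value).
    The input never reaches the SQL parser, so nothing can delay the response."""
    return 0.25 + _rng.uniform(-0.05, 0.05)


def confirm_time_based_sqli(measure: Callable[[str], float], benign_value: str,
                            delay_s: int = 5, trials: int = 3) -> bool:
    """Decide whether `measure` (input -> response seconds) shows MSSQL
    time-based blind injection. Three series are taken: the benign value, a
    control that injects a zero-second WAITFOR, and the real delay payload.
    Medians over several trials damp jitter; the zero-delay control rules out a
    target that is simply slow to handle any long or odd-looking input."""
    payload = f"{benign_value}'; WAITFOR DELAY '0:0:{delay_s}'--"
    control = f"{benign_value}'; WAITFOR DELAY '0:0:0'--"

    baseline = statistics.median(measure(benign_value) for _ in range(trials))
    control_t = statistics.median(measure(control) for _ in range(trials))
    delayed = statistics.median(measure(payload) for _ in range(trials))

    # Assumed thresholds: the payload must add at least 80% of the requested
    # delay over baseline, while the zero-delay control adds under half of it.
    return (delayed - baseline >= 0.8 * delay_s) and (control_t - baseline < 0.5 * delay_s)


if __name__ == "__main__":
    print("concatenated query vulnerable:", confirm_time_based_sqli(simulated_vulnerable_target, "42"))
    print("parameterised query vulnerable:", confirm_time_based_sqli(simulated_safe_target, "42"))
```

Against a live target, `measure` would wrap an HTTP client and return the elapsed time of each request; the series-and-control structure stays the same, and repeating the check with a different delay (for example 10 seconds) before reporting further reduces the chance that load on the server is mistaken for injection.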
Rationale
Time-based blind SQL injection lets an attacker extract database contents even when the application suppresses error messages and query results: each injected conditional query encodes one bit of the answer (for example, whether a character of a password hash is above a given value) in whether the response is delayed, and the full value is recovered by repeating the query. Sensitive data such as credentials, customer information and financial records can be retrieved this way. In MSSQL environments the impact can extend to the host: if the application's login has sysadmin rights, an attacker can enable and call the xp_cmdshell extended stored procedure to run operating system commands, compromising the database server and potentially the connected network infrastructure.
Remediation
Do not trust client-side input, even if client-side validation is in place; type check all data on the server side.

Use parameterized queries for every value that comes from the client. With JDBC, use PreparedStatement or CallableStatement with '?' parameter markers; with ASP, use ADO Command objects with strongly typed parameters. Never build SQL by concatenating strings.

If stored procedures are used, keep them free of dynamic SQL: do not concatenate input into a statement inside the procedure and execute it with EXEC, 'exec immediate' or equivalent functionality. Where dynamic SQL is unavoidable, pass values as parameters (for example to sp_executesql) rather than embedding them in the statement text.

Where part of a statement cannot be parameterized, such as a table or column name or a sort direction, validate it against a strict allow list of known-good values. Escaping input and deny lists of disallowed characters are fallbacks only; they are easy to get wrong and do not replace parameterization.

Apply the principle of least privilege: connect with the least privileged database login possible, and never as 'sa' or a member of db_owner or sysadmin. Grant only the access the application needs and leave xp_cmdshell disabled. This does not eliminate SQL injection, but it limits what a successful attack can do.
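The remediation above, as an added example that is not part of this page or any project it describes: the vulnerable builder splices every input into the statement text (the pattern the detector finds), while the hardened builder binds values with '?' markers (the placeholder style used by pyodbc and JDBC), type checks the numeric input on the server side, and checks the ORDER BY column and direction, which cannot be bound as parameters, against an allow list. The table and column names are assumed.

```python
from typing import Any, Sequence, Tuple

# Allow lists for the structural parts of the statement that cannot be bound
# as parameters. Anything not listed here is rejected outright.
SORTABLE_COLUMNS = {"name", "price", "created_at"}
SORT_DIRECTIONS = {"ASC", "DESC"}


def build_search_vulnerable(name_contains: str, min_price: str,
                            sort_column: str, direction: str) -> str:
    """The pattern to remove: client input concatenated into the SQL text.
    On MSSQL a value such as "0; WAITFOR DELAY '0:0:5'--" turns into a stacked
    statement, which is exactly what the time-based detector measures."""
    return (f"SELECT id, name, price FROM products "
            f"WHERE name LIKE '%{name_contains}%' AND price >= {min_price} "
            f"ORDER BY {sort_column} {direction}")


def build_search(name_contains: str, min_price: Any,
                 sort_column: str, direction: str) -> Tuple[str, Sequence[Any]]:
    """Hardened form: returns (sql, params). Values travel as bound parameters,
    identifiers are allow-listed, and the numeric filter is type checked."""
    if sort_column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    direction = direction.upper()
    if direction not in SORT_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")

    # Server-side type check: float() raises ValueError for "0; WAITFOR DELAY '0:0:5'--".
    price = float(min_price)

    # Only allow-listed identifiers are ever interpolated; both values are '?' parameters.
    sql = (f"SELECT id, name, price FROM products "
           f"WHERE name LIKE ? AND price >= ? "
           f"ORDER BY {sort_column} {direction}")
    params = (f"%{name_contains}%", price)
    return sql, params


if __name__ == "__main__":
    payload = "x'; WAITFOR DELAY '0:0:5'--"
    print("vulnerable:", build_search_vulnerable(payload, "0", "name", "ASC"))
    sql, params = build_search(payload, "0", "name", "ASC")
    print("hardened sql:   ", sql)
    print("hardened params:", params)
```

With pyodbc the result is executed as `cursor.execute(sql, params)`, so the driver sends the WAITFOR text to the server as a string value, never as part of the statement. The connection itself should use a login that has only SELECT on the tables the application reads, not 'sa', so that even a missed code path cannot reach xp_cmdshell.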