Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CAPEC-7:Blind SQL Injection
Attack Pattern ID:7
Version:v3.9
Attack Pattern Name:Blind SQL Injection
Abstraction:Detailed
Status:Draft
Likelihood of Attack:High
Typical Severity:High
DetailsContent HistoryRelated WeaknessesReports
6Weaknesses found
CWE-20
Improper Input Validation
ShareView Details
Improper Input Validation
Likelihood of Exploit-High
Mapping-Discouraged
Abstraction-Class
Found in11448CVEs

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Impacts-
DoS: Crash, Exit, or RestartDoS: Resource Consumption (Memory)Execute Unauthorized Code or CommandsModify MemoryDoS: Resource Consumption (CPU)Read MemoryRead Files or Directories
Tags-
High exploitLibraries or FrameworksInput ValidationAttack Surface ReductionExecute Unauthorized Code or Commands (impact)DoS: Resource Consumption (CPU) (impact)Read Files or Directories (impact)Read Memory (impact)DoS: Crash, Exit, or Restart (impact)DoS: Resource Consumption (Memory) (impact)Modify Memory (impact)
As Seen In-
2019 CWE Top 25 Most Dangerous Software Errors2021 CWE Top 25 Most Dangerous Software2020 CWE Top 25 Most Dangerous Software2022 CWE Top 25 Most Dangerous Software2023 CWE Top 25 Most Dangerous Software2024 CWE Top 25 Most Dangerous SoftwareOriginally Used by NVD from 2008 to 2016Simplified Mapping of Published Vulnerabilities
CWE-209
Generation of Error Message Containing Sensitive Information
ShareView Details
Generation of Error Message Containing Sensitive Information
Likelihood of Exploit-High
Mapping-Allowed
Abstraction-Base
Found in463CVEs

The product generates an error message that includes sensitive information about its environment, users, or associated data.

Impacts-
Read Application Data
Tags-
High exploitEnvironment HardeningCompilation or Build HardeningAttack Surface ReductionRead Application Data (impact)
As Seen In-
CWE Cross-section
CWE-697
Incorrect Comparison
ShareView Details
Incorrect Comparison
Likelihood of Exploit-Not Available
Mapping-Discouraged
Abstraction-Pillar
Found in135CVEs

The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

Impacts-
Varies by Context
Tags-
Varies by Context (impact)
As Seen In-
Research ConceptsSimplified Mapping of Published Vulnerabilities
CWE-707
Improper Neutralization
ShareView Details
Improper Neutralization
Likelihood of Exploit-Not Available
Mapping-Discouraged
Abstraction-Pillar
Found in225CVEs

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

Impacts-
Other
Tags-
Other (impact)
As Seen In-
Research Concepts
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
ShareView Details
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Likelihood of Exploit-High
Mapping-Discouraged
Abstraction-Class
Found in2952CVEs

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Impacts-
Read Application DataOtherAlter Execution LogicBypass Protection MechanismHide Activities
Tags-
High exploitOther (impact)Bypass Protection Mechanism (impact)Hide Activities (impact)Read Application Data (impact)Alter Execution Logic (impact)
As Seen In-
Simplified Mapping of Published Vulnerabilities
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ShareView Details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Likelihood of Exploit-High
Mapping-Allowed
Abstraction-Base
Found in16254CVEs

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Impacts-
Read Application DataExecute Unauthorized Code or CommandsGain Privileges or Assume IdentityBypass Protection MechanismModify Application Data
Tags-
SQLDatabase ServerHigh exploitEnvironment HardeningLibraries or FrameworksInput ValidationParameterizationOutput EncodingFirewallEnforcement by ConversionExecute Unauthorized Code or Commands (impact)Bypass Protection Mechanism (impact)Modify Application Data (impact)Read Application Data (impact)Gain Privileges or Assume Identity (impact)
As Seen In-
2019 CWE Top 25 Most Dangerous Software Errors2021 CWE Top 25 Most Dangerous SoftwareCISQ Data Protection Measures2020 CWE Top 25 Most Dangerous Software2022 CWE Top 25 Most Dangerous Software2023 CWE Top 25 Most Dangerous Software2024 CWE Top 25 Most Dangerous SoftwareOriginally Used by NVD from 2008 to 2016CWE Cross-section