Username Disclosure (Microsoft SQL Server)

Summary #

Invicti identified a username disclosure (Microsoft SQL Server) in the error message.

Impact #

An attacker can perform brute-force or dictionary-based password guessing on the disclosed username. It may also help the attacker identify other vulnerabilities or further their exploitation of other identified vulnerabilities.

Remediation #

Error messages should be disabled.
Remove this kind of sensitive data from the output.

Classifications #

PCI v3.1-6.5.5; PCI v3.2-6.5.5; CAPEC-118; CWE-201; HIPAA-164.306(a); ISO27001-A.18.1.4; WASC-13; OWASP 2013-A5; OWASP 2017-A3

Netsparker Security Insights #

What is NoSQL Injection and How Can You Prevent It?
Real-Life Vulnerabilities Reported by Invicti
How Blind SQL Injection Works
Fragmented SQL Injection Attacks – The Solution
Exploiting a Microsoft Edge Vulnerability to Steal Files

Vulnerability Index

You can search and find all vulnerabilities

Select Category

Critical
High
Medium
Low
Best Practice
Information

Search Vulnerability

Tags

sql microsoft OWASP 2013-A5 OWASP 2017-A3

Related Vulnerabilities

Blind SQL Injection
SQL Injection
Stack Trace Disclosure (ASP.NET)
Version Disclosure (Apache)
Version Disclosure (Perl)

Dead accurate, fast & easy-to-use Web Application Security Scanner

Get a demo