
I had my site built by a company. I read about website vulnerabilities on the internet and I did some tests on my site. It throws these errors.

QueryString key:TutorialId was expected to be of type System.Int64 but was not.

and

A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server).

I think my site is vulnerable to an SQL injection attack. What do you say?

LateralFractal
v0ld3m0rt
    Such an error message should not be displayed on a productive website, but why do you think it has something to do with SQL-injection? – martinstoeckli Oct 25 '13 at 07:18
  • I read somewhere that altering the address bar values could result in SQL errors which can tell you a lot about the site's database. – v0ld3m0rt Oct 25 '13 at 07:19
    Sure, error messages can give hints about the system in use, that's why they should never reach the page viewed by the user, instead a general message should be displayed. But this doesn't mean your page is vulnerable to SQL-injection. – martinstoeckli Oct 25 '13 at 07:29
    Asking if your code was written securely without posting any code really doesn't make sense. We cannot tell you if you are vulnerable to an XSS attack based off an error stating the script cannot establish a database connection. – David Houde Oct 25 '13 at 08:09
  • On a side note, you have your question tagged as MySQL, but your error message refers to SQL Server. Would it be safe to retag this as SQL Server? – Abe Miessler Oct 25 '13 at 15:47

2 Answers


Those error messages do not imply SQL injection.

I suggest you use the scanner in ZAP to test the site; it is one of the better tests that a beginner can run for free. If you have budget, it would be better to hire a professional pen testing company.

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

paj28

This does not jump out at me as a SQL Injection vulnerability. Yes, it is true that SQL errors can be a symptom of a SQL Injection vulnerability, but that is not the only thing that causes SQL errors (not by a long shot).

As mentioned by other users you should not be displaying descriptive error messages to the browser. These types of messages are worth their weight in gold to malicious users as it allows them to understand what is happening behind the scenes.

I would suggest setting up a home lab that will allow you to do some security testing on your own without going to prison. Then find a few SQL Injection tutorials and try them out yourself.

This will not take an enormous amount of time and I guarantee you will learn volumes by actually executing a SQL Injection attack on a system that you have complete control over.

You can use a vulnerability scanner like ZAP but keep in mind that automated scanners often return false positives, and more importantly, they prevent you from actually understanding how the attack works which will be key to preventing vulnerabilities in your future code.

Abe Miessler
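The two errors in the question point at the pattern the answers describe: a query-string value is type-checked before it reaches the database, and a database failure is a separate event that should never be echoed to the browser. The following is an added illustration of that pattern in Python with an in-memory sqlite3 stand-in; it is not the site's ASP.NET code, and the table `Tutorial`, the column names and the sample rows are constructed for the example.

```python
import logging
import sqlite3

log = logging.getLogger("tutorial-handler")


def make_db():
    """Constructed in-memory stand-in for the site's SQL Server database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Tutorial (TutorialId INTEGER PRIMARY KEY, Title TEXT)")
    conn.executemany("INSERT INTO Tutorial VALUES (?, ?)",
                     [(1, "Intro"), (2, "Parameterised queries")])
    return conn


def parse_tutorial_id(raw):
    """Mirror the 'expected to be of type System.Int64' check from the question:
    accept only a 64-bit integer and reject anything else before it nears SQL."""
    try:
        value = int(raw, 10)
    except (TypeError, ValueError):
        return None
    if not -2**63 <= value < 2**63:
        return None
    return value


def handle_request(conn, query):
    """Return (status, body) for a request whose query string is the dict `query`.
    Every body sent to the browser is generic; detail goes to the server log only."""
    tutorial_id = parse_tutorial_id(query.get("TutorialId", ""))
    if tutorial_id is None:
        # Rejected before any SQL is built: no type names, no stack trace
        return 400, "Invalid request."
    try:
        # Bound parameter, never string concatenation
        row = conn.execute(
            "SELECT Title FROM Tutorial WHERE TutorialId = ?", (tutorial_id,)
        ).fetchone()
    except sqlite3.Error:
        # Connection or query failure (the second error in the question):
        # log the full exception server-side, show the user nothing specific
        log.exception("database error for TutorialId=%s", tutorial_id)
        return 500, "An error occurred. Please try again later."
    if row is None:
        return 404, "Not found."
    return 200, row[0]
```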