
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [VID:25] #2233

@github-actions

Description

URL: http://192.168.178.80:8000/posts/addBlab

Path: /posts/addBlab

Hostname: 192.168.178.80

Port: 8000

Vulnerable Parameter: blab

CWE: 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

Category: SQL Injection

Plugin: SQL Injection

Severity: 4

Attack Vector: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

When an SQL fragment such as "=(select(0)from(select(sleep(15)))as0x41)=" was injected into the blab parameter, the application responded measurably slower than to the same request without it. This is time-based (blind) SQL injection: the injected subquery calls the database's sleep() function (here the MySQL/MariaDB form) so that the request is delayed by a known number of seconds whenever the input is interpreted as SQL, and the attacker infers from the response time whether the parameter is vulnerable, without needing an error message or any data in the response. Because the delay is the only signal, confirm the finding by repeating the request with different sleep values, or with a condition that is alternately true and false, and checking that the delay tracks the payload rather than network jitter.

Fix: do not build the SQL statement by concatenating or formatting request input into the query string. Use parameterized prepared statements so that the blab value is sent as a bind variable and the database never interprets its contents as part of the query.
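The vulnerable pattern the report describes and the parameterized fix it recommends, side by side, as an added example; this is not code from the issue or from the application at 192.168.178.80. An in-memory SQLite database stands in for the real backend, so MySQL's SLEEP() is emulated by a registered user-defined function that records each call. The table and column names (blabs, user_id, content), the handler names, and the simplified conditional probe `(select case when ... then sleep(2) else 0 end)` used in place of the scanner's exact payload are all assumptions.

```python
"""Time-based (blind) SQL injection through a string-built INSERT, beside the
parameterized fix. Added example: not code from this issue or from the scanned
application. SQLite stands in for the real backend, so MySQL's SLEEP() is emulated
by a registered function that records every call. Assumptions: a table shaped like
blabs(user_id, content) and made-up handler names."""
import sqlite3
import time

# Every emulated sleep() call is recorded here, so the demo can prove whether the
# injected subquery executed without relying on wall-clock measurements.
SLEEP_CALLS = []


def _emulated_sleep(seconds):
    """Stand-in for MySQL SLEEP(n): record the call, pause briefly, return 0 like MySQL."""
    SLEEP_CALLS.append(seconds)
    time.sleep(min(seconds, 0.05))  # shortened so the demo stays fast
    return 0


def connect():
    """In-memory database with the emulated sleep() function and a constructed blabs table."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, _emulated_sleep)
    conn.execute("CREATE TABLE blabs (id INTEGER PRIMARY KEY, user_id INTEGER, content TEXT)")
    return conn


def add_blab_vulnerable(conn, user_id, blab):
    """The reported pattern: request input is formatted straight into the SQL text."""
    sql = f"INSERT INTO blabs (user_id, content) VALUES ({user_id}, '{blab}')"
    conn.execute(sql)
    conn.commit()


def add_blab_fixed(conn, user_id, blab):
    """The fix: a prepared statement with bind variables; blab is data, never SQL."""
    conn.execute("INSERT INTO blabs (user_id, content) VALUES (?, ?)", (user_id, blab))
    conn.commit()


def blabs(conn):
    """All stored rows as (user_id, content) tuples, in insertion order."""
    return list(conn.execute("SELECT user_id, content FROM blabs ORDER BY id"))


def time_probe(condition):
    """A conditional time-based probe in the spirit of the scanner's payload, simplified
    for SQLite: breaks out of the string literal, sleeps only if `condition` holds, and
    re-enters the literal so the statement still parses."""
    return f"' || (select case when ({condition}) then sleep(2) else 0 end) || '"


def measure(conn, insert, blab):
    """Run one insert and return (seconds elapsed, number of sleep() calls it caused)."""
    before = len(SLEEP_CALLS)
    start = time.perf_counter()
    insert(conn, 1, blab)
    return time.perf_counter() - start, len(SLEEP_CALLS) - before


if __name__ == "__main__":
    conn = connect()
    # The true/false pair is the check: a real vulnerability delays only when the
    # condition holds, which network jitter cannot reproduce.
    for label, cond in (("true", "1=1"), ("false", "1=2")):
        elapsed, calls = measure(conn, add_blab_vulnerable, time_probe(cond))
        print(f"vulnerable, condition {label}: {calls} sleep() call(s), {elapsed:.3f}s")
    elapsed, calls = measure(conn, add_blab_fixed, time_probe("1=1"))
    print(f"fixed, condition true: {calls} sleep() call(s), {elapsed:.3f}s")
    # Injection is not only about timing: the same string-building bug lets the
    # attacker smuggle in a second row attributed to another user (constructed input).
    add_blab_vulnerable(conn, 1, "x'), (2, 'forged")
    add_blab_fixed(conn, 1, "x'), (2, 'forged")
    for row in blabs(conn):
        print(row)
```

The true/false probe pair is the confirmation step a practitioner wants before filing a time-based finding: with the vulnerable handler the sleep runs only when the condition is true, while the parameterized handler stores the whole probe as literal text and never calls sleep() at all. The final two inserts show that the same bug also allows data tampering, since the string-built statement accepts a second row for another user_id.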

