c# - How to handle the SQL injection response for best practice -
we using web security scanner found out 1 of web page has bind sqli. scanner modified parameter "news.aspx?id=123" "news.aspx?i=123' or 1=1--", , web server responses news information id=1 information currently.
after investigation development team, said there's no injection cannot access database has blocked .net built-in api sql parameter, , back-end program auto return data of id=1 information client side.
may know can identified false positive, or better redirect generic error pages? or enough , acceptable current stage?
the back-end program auto return data of id=1 information client side.
imo, lame behavior backend. i'd page should detect error , redirect user error page. nevertheless, based on description not valid injection, if business can accept behavior, false positive.
p.s. while isn't sql injection, potentially information disclosure bug if it's possible page display data id=1 , user of page shouldn't have access particular record.
Comments
Post a Comment