
What is Blind SQL Injection?
The word “Blind” here means that the application returns no error message or query output when it is subjected to an injection attack, which makes it harder to exploit. Instead, information is inferred: the attacker sends SQL payloads that make the server respond differently depending on whether an injected condition is true or false. By observing those responses, an attacker can extract sensitive information one fact at a time.
There are two types of blind SQL injection:
- Boolean-based Blind SQL injection.
- Time-based Blind SQL injection.
Time-based Blind SQL injection
Time-based blind SQL injection relies on a payload that makes the database pause before it returns, so the result is observed as a delay in the response rather than in its content.
Using this method, an attacker enumerates the underlying database. The attacker injects an SQL expression into different parameters that causes a delay (for example, Sleep(10)) and observes whether the response arrives only after the 10-second delay.
Practical Approach
- Go to https://portswigger.net to access the lab.
- Capture the request in an intercepting proxy such as Burp Suite.
In the image below, we added an extra quote (‘) to the product id field to break the SQL query, hoping to trigger an error and enumerate the underlying database. Because the response did not throw any error, we have to test for blind SQLi instead.
Mitigation
- Follow secure coding practices.
- Use parameterized queries wherever possible.
- Use stored procedures.
- Enforce the principle of least privilege on the database account to limit what a successful injection can read.
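As an added illustration of why parameterized queries close the true/false channel described above (example code written for this page, not from the PortSwigger lab or the original post), the vulnerable concatenated lookup sits beside its parameterized form, with a small regression check that flags the boolean oracle. The product table and ids are constructed, and an in-memory SQLite database stands in for the lab's backend.

```python
import sqlite3
from typing import Callable, List


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the lab's product database (not its real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, released INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Lamp", 1), (2, "Chair", 1), (3, "Unreleased gadget", 0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product_id: str) -> List[str]:
    # The productId value is concatenated into the SQL text, so whatever the
    # client sends becomes part of the WHERE clause and is evaluated as SQL.
    sql = f"SELECT name FROM products WHERE id = {product_id} AND released = 1"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, product_id: str) -> List[str]:
    # A bound parameter reaches the engine as a value and is never parsed as
    # SQL, so "1 AND 1=1" is just an id that matches nothing.
    sql = "SELECT name FROM products WHERE id = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (product_id,))]


def has_boolean_oracle(conn: sqlite3.Connection,
                       lookup: Callable[[sqlite3.Connection, str], List[str]]) -> bool:
    # Regression check a defender can keep in a test suite: the endpoint leaks a
    # true/false signal if an always-true condition appended to a valid id keeps
    # the normal response while an always-false one changes it.
    baseline = lookup(conn, "1")
    true_case = lookup(conn, "1 AND 1=1")
    false_case = lookup(conn, "1 AND 1=2")
    return true_case == baseline and false_case != baseline


if __name__ == "__main__":
    db = make_db()
    print("vulnerable endpoint injectable:", has_boolean_oracle(db, lookup_vulnerable))
    print("parameterized endpoint injectable:", has_boolean_oracle(db, lookup_parameterized))
```

SQLite has no SLEEP(), so the check exercises the boolean variant; a time-based payload is neutralised the same way, since the parameterized query receives it as an inert string rather than as an expression to execute.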