Blind SQL Injection, The Basic Kits

Blind SQL Injection is a type of SQL Injection that’s harder to detect because the application’s responses never show database errors or query results directly. Attackers must therefore rely on indirect signals, such as a change in page content or in response time, to determine whether the injected SQL was executed.

Types of Blind SQL Injection

  1. Boolean-based Blind SQL Injection: Attackers inject a condition that evaluates to TRUE or FALSE and compare the application’s responses to determine whether the injected SQL was executed.
  2. Time-based Blind SQL Injection: Attackers inject a condition that delays the query and use the application’s response time to determine whether the injected SQL was executed.

How Boolean-based Blind SQL Injection Works

  1. Attackers input malicious SQL code, like admin' AND 1=1 --, into the application’s input.
  2. The database evaluates the injected condition as TRUE (if the input was interpreted as SQL) or FALSE (if it was not), and the application’s response differs accordingly.
  3. Attackers compare the response with a normal one to determine if the injection was successful.

Example:

    http://example.com/login.php?username=admin' AND 1=1 --

If the application responds exactly as it does for the plain username admin (the same login page), the injection was successful. If the response differs, it failed.

How Time-based Blind SQL Injection Works

  1. Attackers input malicious SQL code, like admin' AND SLEEP(5) --, into the application’s input.
  2. If the input is interpreted as SQL, the database executes SLEEP(5) and the application’s response is delayed by about 5 seconds.
  3. Attackers compare the response time with a normal request to determine if the injection was successful.

Example:

    http://example.com/login.php?username=admin' AND SLEEP(5) --

If the application takes about 5 seconds longer than normal to respond, the injection was successful.
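A defender sees the same signal from the other side: a request whose parameter contains a time-delay function and whose response took seconds longer than its neighbours. The following is an added example, not code from the original post, that parses a few constructed access-log lines (one request per line in an assumed layout: method, target, status, response time in milliseconds) and classifies each request by combining those two signals. The log layout, the 3000 ms threshold and the list of delay functions are assumptions for the demo; SLEEP comes from the post, pg_sleep and BENCHMARK are the equivalent real functions of PostgreSQL and MySQL.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample (not from the original post). Assumed layout per line:
# METHOD TARGET STATUS RESPONSE_TIME_MS
SAMPLE_LOG = """\
GET /login.php?username=admin&password=x 200 41
GET /login.php?username=admin%27+AND+SLEEP%285%29+--&password=x 200 5032
GET /search.php?q=sleep+mask 200 38
GET /login.php?username=admin%27+AND+SLEEP%285%29+--&password=x 200 40
GET /report.php?id=7 200 5100
"""

# Time-delay functions of common engines (SLEEP from the post; pg_sleep and BENCHMARK
# are real PostgreSQL/MySQL functions). Requiring the open parenthesis avoids matching
# the ordinary word "sleep" in a search query.
DELAY_FN_RE = re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(", re.IGNORECASE)

# Assumed threshold: well above this application's normal latency, below the 5 s delay.
SLOW_MS = 3000

LOG_LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\d+)$")


def parse_line(line):
    """Split one log line into its fields; the query string is URL-decoded so that
    %27 and + become the quote and spaces the database actually received."""
    match = LOG_LINE_RE.match(line)
    if match is None:
        return None
    method, target, status, ms = match.groups()
    path, _, query = target.partition("?")
    return {"method": method, "path": path, "query": unquote_plus(query),
            "status": int(status), "ms": int(ms)}


def classify(entry):
    """Combine the two signals the post describes: a delay payload in the input and
    a response that actually took that long."""
    has_payload = DELAY_FN_RE.search(entry["query"]) is not None
    slow = entry["ms"] >= SLOW_MS
    if has_payload and slow:
        return "likely-vulnerable"   # the delay happened: the injected SQL ran
    if has_payload:
        return "probe"               # payload seen but no delay: blocked or parameterised
    return "normal"                  # slow requests without a payload are out of scope here


def scan(log_text):
    """Return (verdict, path, decoded query, ms) for every non-normal request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict != "normal":
            findings.append((verdict, entry["path"], entry["query"], entry["ms"]))
    return findings


if __name__ == "__main__":
    for verdict, path, query, ms in scan(SAMPLE_LOG):
        print(f"{verdict:18} {ms:>5} ms  {path}?{query}")
```

The "probe" verdict is the useful one in practice: the same payload without the delay tells you the input was either parameterised or filtered, while "likely-vulnerable" says the query text was interpreted and should be fixed regardless of whether anything else was exfiltrated.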

Preventing Blind SQL Injection

  1. Use Prepared Statements (PS)
  2. Escape user input
  3. Validate user input
  4. Use an ORM (Object-Relational Mapping)
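To tie the boolean-based example above to the first three prevention items, here is an added example that is not code from the original post: the same login lookup written with string concatenation (the vulnerable form) and with a prepared statement, plus an allow-list validation layer, run against a small in-memory SQLite database constructed here. The table, its rows, the allow-list pattern and the counterpart payload admin' AND 1=2 -- are assumptions for the demo; SQLite is used only because it ships with Python, and the same parameter placeholders exist in every mainstream driver. Escaping (item 2) is deliberately not shown as a primary control: it is a fallback for the rare places parameters cannot be used, and a single missed call reopens the hole.

```python
import re
import sqlite3

# Hypothetical allow-list for usernames; the application's real policy would differ.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def make_db():
    """Constructed sample data (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The 'before': user input is pasted into the SQL text. Nothing is shown to the
    caller except the True/False outcome, yet that single bit is exactly what a
    boolean-based blind attacker reads: it tells them whether the injected
    condition held, so the same one-bit channel will leak a value one bit at a time."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_prepared(conn, username, password):
    """The 'after': a prepared (parameterised) statement. The driver sends the input
    as data, so a quote or comment marker inside it is just characters to match."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def login_validated(conn, username, password):
    """Input validation as a second layer: reject anything outside the allow-list
    before the database is touched, then still use the prepared statement."""
    if USERNAME_RE.fullmatch(username) is None:
        return False
    return login_prepared(conn, username, password)


def demo():
    """Run the post's boolean payload and its constructed FALSE counterpart through
    each version with a wrong password, so only the injection can make login succeed."""
    conn = make_db()
    true_payload = "admin' AND 1=1 --"    # from the post: condition TRUE
    false_payload = "admin' AND 1=2 --"   # constructed counterpart: condition FALSE
    return {
        "vulnerable_true": login_vulnerable(conn, true_payload, "wrong"),
        "vulnerable_false": login_vulnerable(conn, false_payload, "wrong"),
        "prepared_true": login_prepared(conn, true_payload, "wrong"),
        "prepared_false": login_prepared(conn, false_payload, "wrong"),
        "prepared_legit": login_prepared(conn, "admin", "s3cret"),
        "validated_payload": login_validated(conn, true_payload, "wrong"),
        "validated_legit": login_validated(conn, "admin", "s3cret"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The pair vulnerable_true / vulnerable_false is the oracle the post describes: the response flips with the truth of the injected condition even though the password is wrong in both cases. With the prepared statement both payloads are looked up as literal usernames and fail, while the genuine credentials still work, which is the behaviour to confirm in a regression test after the fix.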