You are probably aware that SQL injection (SQLi) attacks are among the oldest, most prevalent and most damaging kinds of web application vulnerabilities, and you probably know how to prevent attacks that exploit them. However, despite these efforts, you may still be leaving your web applications and websites vulnerable to blind SQL injection, a subtype of SQLi.
In this article, we will look in depth at Blind SQLi attacks, the types of Blind SQL Injection, and how to prevent them.
Blind SQL Injection attacks occur when the backend database interprets input supplied by the attacker as part of an SQL command rather than as ordinary user data. Typically, attackers target web applications that show only generic error messages while leaving the SQLi-vulnerable code in place. The attacker asks the backend database of such an application a series of true-or-false questions, and the existence of SQL injection is determined from how the application responds.
The major difference between Blind SQLi and classic SQLi is the way in which the attacker retrieves data from the backend database. In classic SQLi attacks, the attacker can see database errors or the output of the injected SQL directly in the web application. When the application shows neither error messages nor query output, the attacker instead extracts data by asking a series of true-or-false questions and observing whether the page loads correctly, how long the SQL query takes to process, or other such side effects. Blind SQL injections are time-consuming and harder to exploit, but not impossible, and they yield the same results for the attacker.
Suppose an application page takes an item id as a URL parameter and builds its query from it. Requesting item 2 sends the following query to the database:
SELECT title, description, body FROM items WHERE ID = 2
The attacker then injects the following into the URL:
http://www.example.com/item.php?id=2 and 1=2
The resulting SQL query becomes:
SELECT title, description, body FROM items WHERE ID = 2 and 1=2
The injected condition evaluates to false, so the application displays no data; when a true condition is injected instead, the application shows data.
By comparing the two responses, one can confirm the existence of a SQL injection vulnerability even though no error or query output is ever shown.
When the page content gives nothing away, the attacker can instead measure response time (time-based blind SQLi); the delay functions differ per database:
Microsoft SQL Server uses WAITFOR DELAY '0:0:10'
PostgreSQL uses pg_sleep()
The impact of Blind SQLi attacks is similar to that of classic SQL Injection attacks: it gives the attacker access to, and control over, the backend database server. They can
It is important to note that the skills and tools required to exploit blind SQLi vulnerabilities may differ widely from those for classic SQLi, but the prevention techniques are very similar for all kinds of SQL Injection. Very often, a developer's ill-founded and poorly thought-out attempts to protect the web application against classic SQLi are what create blind SQLi vulnerabilities; turning off error reporting is a typical example.
Regardless of the language you are using, your coding practices must follow the OWASP Secure Coding guidelines. Most web development platforms offer mechanisms that prevent all forms of SQL Injection. Use parameterized queries instead of dynamic queries (details below). Remember to enforce a whitelist of permitted characters on all user-input fields (comments, contact forms, etc.) and to encode input.
Consider using a Data Access Layer (DAL), which lets you centralize the handling of this issue, or an Object Relational Mapping (ORM) system, which uses only parameterized queries. In either case, port all legacy code to these libraries.
Avoid dynamic SQL queries at all costs and use parameterized queries instead. Parameterized queries are prepared statements that send the query text and the user-supplied values to the database separately, so a value can never change the meaning of the query; this effectively and robustly mitigates Blind SQL Injection. Locate every dynamic SQL query and convert it to a parameterized one.
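The following is an added example (not code from the original article) that reproduces the item.php scenario above against a constructed in-memory SQLite table, showing how the dynamic query leaks a true/false oracle while the parameterized version does not; the table contents and helper names are assumptions.

```python
import sqlite3

# Constructed sample data standing in for the article's "items" table.
SCHEMA = """
CREATE TABLE items (ID INTEGER PRIMARY KEY, title TEXT, description TEXT, body TEXT);
INSERT INTO items VALUES (1, 'First item',  'desc one', 'body one');
INSERT INTO items VALUES (2, 'Second item', 'desc two', 'body two');
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def lookup_dynamic(conn, raw_id):
    # VULNERABLE: the id parameter is concatenated into the SQL text, so
    # "2 and 1=2" becomes part of the WHERE clause. Whether a row comes back
    # now depends on the attacker's condition: a boolean oracle.
    sql = "SELECT title, description, body FROM items WHERE ID = " + raw_id
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, raw_id):
    # HARDENED: validate the type, then bind the value with a placeholder.
    # The database receives the query text and the value separately, so the
    # value can never alter the query; non-numeric input is simply rejected.
    try:
        item_id = int(raw_id)
    except ValueError:
        return []
    sql = "SELECT title, description, body FROM items WHERE ID = ?"
    return conn.execute(sql, (item_id,)).fetchall()

def demo():
    conn = make_db()
    true_probe, false_probe = "2 and 1=1", "2 and 1=2"
    return {
        "dynamic_true": len(lookup_dynamic(conn, true_probe)),        # 1 row
        "dynamic_false": len(lookup_dynamic(conn, false_probe)),      # 0 rows
        "param_true": len(lookup_parameterized(conn, true_probe)),    # 0 rows
        "param_false": len(lookup_parameterized(conn, false_probe)),  # 0 rows
        "param_legit": len(lookup_parameterized(conn, "2")),          # 1 row
    }

if __name__ == "__main__":
    print(demo())
```

With the dynamic query the two probes produce different results, which is exactly the signal a blind SQLi attack relies on; with the parameterized query both probes behave identically and only a genuine numeric id returns data.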
Using a comprehensive and intelligent security scanning tool, scan your web application regularly (starting in the development stages) to identify new bugs and gaps that could allow SQLi attacks.
Scanning can only identify gaps and vulnerabilities. To protect your web application against these attacks, the vulnerabilities found need to be shielded until they are fixed. Onboard a robust, managed security solution like AppTrana, which offers an intelligent managed WAF, regular security audits and pen-testing, and the services of certified security experts, to ensure that your application stays protected at all times against vulnerabilities including blind SQLi.
Is part of the client services team at Indusface. He handles the Manual Penetration Testing business of the organization. He is passionate about web and mobile application security testing and has vast experience in testing web apps, APIs, networks and mobile apps.