Blind SQL Injection (Blind SQLi) is the more time-consuming and harder-to-exploit (though not impossible) sub-type of SQL Injection (SQLi). This article discusses in depth the anatomy of Blind SQLi, how to prevent SQL Injection and Blind SQLi attacks, and ways to fortify your security against them.
Blind SQL Injection is used by attackers to exploit vulnerable applications and exfiltrate databases.
If error pages or messages are displayed for malformed SQL queries, attackers can use those messages to craft further attacks; these are termed error-based SQLi attacks. If instead a generic page or message is displayed in place of the error, attackers work from the differences in the application's responses to craft further attacks; this is termed Blind SQLi.
Using content-based and/or time-based SQLi, attackers analyze the differences in responses to different queries and input strings to check whether the syntax and structure of their SQL injection are succeeding. The responses are analyzed continuously as conditional queries are injected to gain access to the database.
Given that the time and effort needed to orchestrate Blind SQLi are much greater, attackers have developed sophisticated tools that leverage automation to reduce the time needed for research and identification of SQL Injection vulnerabilities.
1. The exploitation of Blind SQL Injection by triggering conditional responses
The attacker sends a series of Boolean-based (TRUE or FALSE) queries to the vulnerable application and analyzes the responses to gather information about the database. In essence, the attacker attempts to trigger different responses with different injected conditions.
2. The exploitation of Blind SQLi by triggering time delay
If database errors are effectively detected and handled, the injected SQL query produces no difference in the responses. Here, the attacker instead makes the injected condition trigger a time delay and measures the response time.
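Both sub-types leave a behavioural footprint that a defender can look for without inspecting query semantics: conditional-response probing means one client sending many requests to one endpoint that differ only in a parameter, and time-delay probing means one client whose response times sit far above the site-wide baseline. The following is an added example (not code from the original article or from any product it names) that runs two such heuristics over a constructed set of access-log records; the record layout, the client addresses and the thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed access-log records for this example (not real traffic):
# (client_ip, path, query_string, response_time_ms)
SAMPLE_LOG = [
    ("10.0.0.5", "/item", "id=7", 40),
    ("10.0.0.5", "/item", "id=8", 38),
    ("10.0.0.6", "/item", "id=7", 45),
    ("10.0.0.6", "/cart", "", 30),
    # one client sending many small variants of a single parameter to one path
    ("10.0.0.9", "/item", "id=7 AND 1=1", 41),
    ("10.0.0.9", "/item", "id=7 AND 1=2", 39),
    ("10.0.0.9", "/item", "id=7 AND 2>1", 42),
    ("10.0.0.9", "/item", "id=7 AND 2<1", 40),
    ("10.0.0.9", "/item", "id=7 AND 3>1", 43),
    ("10.0.0.9", "/item", "id=7 AND 3<1", 41),
    # another client whose responses take far longer than everyone else's
    # ("cond_a" etc. are placeholders for whatever condition was injected)
    ("10.0.0.12", "/item", "id=7 AND cond_a", 5040),
    ("10.0.0.12", "/item", "id=7 AND cond_b", 41),
    ("10.0.0.12", "/item", "id=7 AND cond_c", 5038),
    ("10.0.0.12", "/item", "id=7 AND cond_d", 5041),
]

# Assumed thresholds; tune them against real traffic before relying on them.
VARIANT_THRESHOLD = 5   # distinct query strings from one client to one path
DELAY_FACTOR = 20       # client median response time vs. site-wide median


def variant_probing(log, threshold=VARIANT_THRESHOLD):
    """Clients that hit one path with at least `threshold` distinct query strings."""
    variants = defaultdict(set)
    for ip, path, query, _ in log:
        variants[(ip, path)].add(query)
    return sorted({ip for (ip, _path), qs in variants.items() if len(qs) >= threshold})


def delay_probing(log, factor=DELAY_FACTOR):
    """Clients whose median response time is `factor` times the site-wide median.

    The median is used on purpose: a few fast requests mixed in (the FALSE
    branches of a time-based probe) must not hide the slow ones.
    """
    baseline = median(ms for *_, ms in log)
    per_ip = defaultdict(list)
    for ip, *_, ms in log:
        per_ip[ip].append(ms)
    return sorted(ip for ip, times in per_ip.items()
                  if median(times) >= factor * baseline)


def flag_clients(log):
    """Combine both heuristics into one report keyed by client address."""
    report = defaultdict(list)
    for ip in variant_probing(log):
        report[ip].append("conditional-response probing")
    for ip in delay_probing(log):
        report[ip].append("time-delay probing")
    return dict(report)


if __name__ == "__main__":
    for ip, reasons in flag_clients(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(reasons)}")
```

The heuristics are deliberately content-agnostic, so they also catch probes that a signature list would miss; the cost is that they need a per-site baseline and a review step before they drive any blocking action.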
Though very different methods and tools are used to orchestrate SQLi and Blind SQLi, the techniques for preventing both are very similar.
A comprehensive and intelligent scanning tool must be used for regular and on-demand scanning of the web application, starting from the SDLC stage, to identify vulnerabilities and security misconfigurations continuously and effectively.
To fortify web application security, scanning must be part of a robust, holistic, managed security solution like AppTrana that includes an always-on WAF, pen-testing, regular security audits, and the expert services of certified security professionals.
Does simply hiding the error messages stop Blind SQLi attacks from happening?
It may become tougher and more time-consuming for the attacker, but it does not prevent SQL injections from occurring. With newer and more sophisticated ways to orchestrate Blind SQL Injection attacks being continuously developed, are you equipped to secure your application against them?
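The conditional-response mechanism from section 1 and the answer just given (hiding errors does not stop Blind SQLi) can both be seen in a few lines of code. The following is an added example, not code from the original article: a constructed SQLite catalogue, a lookup that builds its statement by string formatting and swallows every database error behind the same generic message, and the same lookup written with a bound parameter. The table, the product names and the `Found`/`Not found` responses are assumptions for the illustration.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory catalogue used by the example (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, released INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (id, name, released) VALUES (?, ?, ?)",
        [(1, "Widget", 1), (2, "Gadget", 1), (3, "Prototype", 0)],
    )
    return conn


def lookup_vulnerable(conn, product_id):
    """Builds the statement from the raw input.

    Every database error is caught and replaced by the generic miss page, so
    nothing about the schema or the error is ever echoed back. The response
    still differs between a true and a false injected condition, which is
    exactly what the conditional-response technique relies on.
    """
    query = f"SELECT name FROM products WHERE released = 1 AND id = {product_id}"
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error:
        return "Not found"  # error hidden: same page as an ordinary miss
    return "Found" if rows else "Not found"


def lookup_safe(conn, product_id):
    """Parameterised statement: the input is bound as a value, never parsed as SQL."""
    try:
        rows = conn.execute(
            "SELECT name FROM products WHERE released = 1 AND id = ?", (product_id,)
        ).fetchall()
    except sqlite3.Error:
        return "Not found"
    return "Found" if rows else "Not found"


def response_pair(lookup, conn, base="2"):
    """Responses to an always-true and an always-false condition appended to `base`.

    A pair that differs is the signal an attacker reads; a pair that is
    identical means the input was treated as a plain value.
    """
    return lookup(conn, f"{base} AND 1=1"), lookup(conn, f"{base} AND 1=2")


if __name__ == "__main__":
    db = build_demo_db()
    print("string-built query:", response_pair(lookup_vulnerable, db))
    print("parameterised query:", response_pair(lookup_safe, db))
```

With the string-built query the two responses differ (`Found` versus `Not found`) even though no error text is ever shown, so a generic error page only removes the error-based shortcut. With the bound parameter the whole input is compared as one value against `id`, both responses are `Not found`, and an ordinary `lookup_safe(db, 2)` still returns `Found`.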