DefenseCode

Blind SQL Injection

Risk type: HIGH

Description:

Blind SQL injection is a type of SQL injection in which the results of the injected queries are not returned to the attacker directly, but the application still reveals something about them through its response (the page is rendered differently, or a custom error page is shown). The attacker therefore constructs a series of queries that evaluate to TRUE or FALSE and infers the data from the differences in the responses.

Example:

The following page fetches the article whose ID is equal to 1:

http://www.victim.com/news.php?id=1

The query generated for the database is:

SELECT article, author FROM news WHERE ID=1

The attacker has to be able to tell valid and invalid queries apart, so the first step is to generate a query that is still valid:

http://www.victim.com/news.php?id=1 AND 1=1

This translates to an always-true SQL query:

SELECT article, author FROM news WHERE ID=1 AND 1=1

If the page loads correctly, the next step is a query whose added condition is false:

http://www.victim.com/news.php?id=1 AND 1=2

The generated, always-false SQL query is:

SELECT article, author FROM news WHERE ID=1 AND 1=2

If this page now loads differently (for example, the article is missing or an error page is shown), the parameter is injectable and the application is vulnerable to blind SQL injection.

Mitigation:

  • Correct filtering (escaping) of string literal escape characters in SQL statements, such as the single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
  • Checking that each parameter is a valid representation of its expected type (integer, float or boolean).
  • When validating data on the client side, also validate all data on the server side.
  • Correct database permissions for the application's logon, so that the web application or user cannot reach data it does not need.
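The example below is added here and is not DefenseCode's code: it recreates the page's news lookup against a constructed in-memory SQLite table, shows the vulnerable string-concatenated query beside a hardened version that applies the second mitigation (type checking) together with parameter binding, and runs the page's 1=1 / 1=2 comparison against both to show that the response difference disappears. Table contents and function names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the page's "news" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (ID INTEGER PRIMARY KEY, article TEXT, author TEXT)")
    conn.execute("INSERT INTO news VALUES (1, 'First post', 'alice')")
    conn.commit()
    return conn


def get_article_vulnerable(conn, raw_id):
    # Mirrors the page's query: the id parameter is concatenated straight into SQL.
    # Note that no quotes surround the value, so escaping quote characters alone
    # (the first mitigation) would not stop "1 AND 1=2" from reaching the database.
    sql = "SELECT article, author FROM news WHERE ID=" + raw_id
    return conn.execute(sql).fetchone()


def get_article_hardened(conn, raw_id):
    # Second mitigation: the parameter must be a valid integer, nothing else.
    try:
        article_id = int(raw_id)
    except ValueError:
        return None  # reject anything that is not a plain integer
    # Bind the value as a query parameter so it can never change the query's structure.
    return conn.execute(
        "SELECT article, author FROM news WHERE ID=?", (article_id,)
    ).fetchone()


def true_false_differ(fetch):
    """The check the page describes: compare the response for 'id=1 AND 1=1'
    with the response for 'id=1 AND 1=2'. A difference means the endpoint
    reflects the truth of the injected condition, i.e. it is blind-injectable."""
    conn = make_db()
    responses = []
    for probe in ("1 AND 1=1", "1 AND 1=2"):
        try:
            responses.append(fetch(conn, probe))
        except sqlite3.Error as exc:
            responses.append(("error", str(exc)))  # an error page is also a response
    return responses[0] != responses[1]


if __name__ == "__main__":
    print("vulnerable endpoint differs:", true_false_differ(get_article_vulnerable))  # True
    print("hardened endpoint differs:  ", true_false_differ(get_article_hardened))    # False
```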

Further reading:

https://www.owasp.org/index.php/Blind_SQL_Injection
http://samhacked.blogspot.com/2010/08/blind-sql-injection-tutorial.html