Blind SQL injection was first witnessed in 1998 and remains one of the oldest bugs still actively exploited today. Attackers use the error messages returned by the database to check whether an application is vulnerable. An error message thrown by the database will look similar to the one below.
Microsoft SQL Native Client error ‘80040e14’
Unclosed quotation mark after the character string ‘ ’.
/target.asp, line 9
Different kinds of request sent by the attacker may reveal information about the database itself, disclosed through the error messages it returns. The attacker uses the information gathered this way to probe the database and build a schema resembling it. That schema can then be used to retrieve the required data from the tables and to mount further attacks on the database. This process of using a reconstructed database schema to carry out an attack is called Blind SQL injection.
How to prevent Blind SQL injection?
Reducing the detail of the error messages shown to the user is a basic way to hinder SQL injection. But non-detailed error messages do not tell a user what mistake they made, so the user may repeat the same mistake, which can lead to the account being locked. Moreover, even without detailed errors, attackers will try the following techniques to carry out Blind SQL injection:
- Content-based SQL injection
- Time-based SQL injection
Content based SQL injection
In this technique, the vulnerability of the database is determined by comparing the results of different queries. In content-based SQL injection the attacker only uses the page's response, which indicates whether the injected condition evaluated to TRUE or FALSE. By comparing the TRUE and FALSE responses, the attacker reaches a conclusion about whether the application is vulnerable.
For example, suppose an attacker wants to find out whether a shop's web portal is vulnerable, using content-based SQL injection.
Suppose the following link returns the details of item no 22:
http://www.shop.loc/item.php?id=22
To test the page, the attacker first appends a condition that is always false, changing the request to the link shown below.
http://www.shop.loc/item.php?id=22 and 12=3
The SQL statement built by the application for this request becomes
SELECT name, description, price FROM Store_table WHERE ID = 22 AND 12=3
No item is returned (an error or an empty page is displayed), which the attacker records as the FALSE response. The attacker then changes the request to
http://www.shop.loc/item.php?id=22 and 1=1
so the SQL statement becomes
SELECT name, description, price FROM Store_table WHERE ID = 22 AND 1=1
This statement displays the details of item no 22, the TRUE response. Because a condition appended to the id parameter changes what the page shows, this is a clear indication that the page is vulnerable to SQL injection.
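The following example is added here and is not code from the original article: it models the lookup behind item.php with an in-memory SQLite stand-in for Store_table (a constructed schema, not the shop's real one), showing the string-concatenated query that makes the true/false probe pair distinguishable beside a hardened version that validates the identifier and binds it as a parameter, so the two probes no longer produce different pages.

```python
import sqlite3

# Constructed stand-in for Store_table; the columns match the article's SELECT.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Store_table (ID INTEGER, name TEXT, description TEXT, price REAL)")
    db.executemany("INSERT INTO Store_table VALUES (?, ?, ?, ?)",
                   [(22, "Lamp", "Desk lamp", 19.99), (23, "Chair", "Office chair", 89.0)])
    return db

def lookup_vulnerable(db, item_id):
    """Builds the query by concatenating the raw id parameter, as the vulnerable
    item.php effectively does. Returns the matching row or None."""
    sql = "SELECT name, description, price FROM Store_table WHERE ID = " + item_id
    return db.execute(sql).fetchone()

def lookup_hardened(db, item_id):
    """Validates that the id is an integer and passes it as a bound parameter,
    so the user-controlled value can never become part of the SQL grammar."""
    try:
        id_value = int(item_id)
    except ValueError:
        return None  # reject "22 and 1=1" and similar outright
    return db.execute(
        "SELECT name, description, price FROM Store_table WHERE ID = ?", (id_value,)
    ).fetchone()

def page_shows_item(lookup, item_id):
    """What the visitor observes: item details (True) or an empty/error page (False)."""
    db = make_db()
    try:
        return lookup(db, item_id) is not None
    except sqlite3.Error:
        return False
    finally:
        db.close()

# The true/false probe pair from the article's content-based example.
TRUE_PROBE = "22 and 1=1"
FALSE_PROBE = "22 and 12=3"

def oracle_distinguishes(lookup):
    """True when the two probes yield different pages, i.e. the endpoint is
    usable as a boolean oracle for blind SQL injection."""
    return page_shows_item(lookup, TRUE_PROBE) != page_shows_item(lookup, FALSE_PROBE)

if __name__ == "__main__":
    print("vulnerable lookup is an oracle:", oracle_distinguishes(lookup_vulnerable))
    print("hardened lookup is an oracle:  ", oracle_distinguishes(lookup_hardened))
```

Run it and the vulnerable lookup reports True while the hardened one reports False; the hardened lookup still serves a plain numeric id such as 22 normally.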
Time based Blind SQL injection
In time-based SQL injection, the attacker instructs the database to perform a time-intensive operation. If the response does not arrive promptly, it can be concluded that the database is vulnerable to blind SQL injection. This intensive operation is also known as a sleep operation. Normally the attacker concludes that the database is vulnerable if the response is delayed by more than 10 seconds.
How to Prevent Blind SQL injection?
Now that the process of Blind SQL injection is clear, let us look at the steps to follow to prevent it. We have already seen that limiting error messages is not enough to prevent Blind SQL injection. Using a vulnerability assessment tool is a common way of identifying the vulnerabilities present in the database. Many vulnerability assessment tools can be purchased or downloaded online for a membership fee. Tools like Dig deeper, Vormetric Transparent, Trustware and Protegrity are some of the popular vulnerability assessment tools.
Why is normal SQL injection faster than Blind SQL injection?
In Blind SQL injection, the attacker has to deal with a database that does not display error messages. In normal SQL injection, only databases that display error messages are targeted. So it is quite normal for Blind SQL injection to be slower, because the attacker has to force the database to reveal, one inference at a time, what the error messages would otherwise have shown.