How Blind SQL Injection attacks sneak past your security

Coming in at #3 on the OWASP Top Ten 2021, SQL Injection attacks are among the oldest and most dangerous web application vulnerabilities. Yet, there's a more insidious variant of this risk that's often overlooked – the Blind SQL Injection attack. This cyber mischief silently infiltrates your databases, leaving you blindsided with its stealthy approach.

Unmasking the blind SQL injection attack

What is SQL Injection?

Before diving into the specifics of Blind SQL Injection, it's essential to understand the broader concept of SQL Injection attacks. SQL Injection is a code injection technique that attackers use to exploit vulnerabilities in a web application's database layer.

The attacker manipulates a standard data query within the application by inputting malicious SQL statements in user-input areas. If these inputs are poorly sanitized or not checked for anomalies, the attacker's malicious query can get executed in the database. 

Successful SQL Injection attacks pose a significant threat to your data: 

• Data breaches: They can lead to major data breaches, exposing sensitive user information, including passwords, credit card numbers, and personal user information.
• Manipulation and deletion: They can modify or even delete database content, leading to data loss.
• Access control: They may provide an attacker with unauthorized administrative access.

What is Blind SQL Injection?

Blind SQL Injection is a subset of the SQL Injection attack. The technique is used when an attacker attempts to exploit a vulnerable application without receiving meaningful error messages or data output being returned. This occurs because a target application may be structured in such a way that these direct responses are not displayed, leaving the attacker "blind". Instead, attackers rely on true or false responses from the application, or differences in response time, to infer information about the database structure or data.

Why Blind SQL Injection attacks are dangerous

While classic SQL Injection is being used the most frequently, if classic SQL Injection attacks do not work, attackers usually turn to attack applications with Blind SQL Injection.

There are several reasons why Blind SQL Injection attacks can be a nightmare for businesses:

• Stealth: Unlike other SQL Injection attacks, Blind SQL Injections are not immediately noticeable. They can go unnoticed, making them incredibly difficult to detect.
• Speed: Compared to conventional SQL Injection, the blind variant is much slower for attackers to succeed due to its reliance on a trial-and-error process. However, given their slower pace, blind SQL injections may persist undetected for a longer period, giving attackers more time to extract more sensitive information.

The guise of Blind SQL Injection: Types and examples

In the example below, we show how Blind SQL Injection attacks can be used to extract passwords from a database by asking the server a series of true/false questions or analyzing server response times. Attackers will often use automated tools to speed up their attacks, however, the methodology remains the same.

Boolean-Based Blind SQL Injection

A Boolean-based blind SQL Injection involves sending SQL queries that result in a different output depending on whether the query returns true or false. This type of attack allows an attacker to infer the content of the database one bit at a time.

For example, consider the following URL:

http://example.com/profile?id=1

This would send the following SQL to the application:

SELECT * FROM users WHERE id = 1

An attacker could test for a Boolean-based Blind SQL Injection vulnerability by altering the URL like so:

http://example.com/profile?id=1 AND SUBSTRING((SELECT password FROM users WHERE id = 1), 1, 1) = 'a'

This will cause the SQL query to become:

SELECT * FROM users WHERE id = 1 AND SUBSTRING((SELECT password FROM users WHERE id = 1), 1, 1) = 'a'

If the profile page loads as normal, the attacker can infer that the first character of the password is a. If the page behaves differently (e.g., an error message, a blank page), they can infer it is not. The attacker can repeat this for every character and for every position in the password to retrieve the whole password.

Time-Based Blind SQL Injection

A Time-based blind SQL Injection involves sending SQL queries that cause the SQL server to wait for a specified amount of time before responding. The delay in response indicates to the attacker that the query has executed, hence the application might be vulnerable to SQL Injection.

Using the same URL as the example above:

http://example.com/profile?id=1

The SQL query is as follows:

SELECT * FROM users WHERE id = 1

To test for a Time-based Blind SQL Injection, the attacker might alter the URL like so:

http://example.com/profile?id=1 AND IF(SUBSTRING((SELECT password FROM users WHERE id = 1), 1, 1) = 'a', sleep(10), 'false')

This results in the SQL query:

SELECT * FROM users WHERE id = 1 AND IF(SUBSTRING((SELECT password FROM users WHERE id = 1), 1, 1) = 'a', sleep(10), 'false')

If the first character of the password is a, the SQL server will delay its response by 10 seconds. If not, it will respond immediately. Like the Boolean-based example, the attacker would need to repeat this for each character and each position in the password.

Blind SQL injection prevention cheatsheet

Mitigating Blind SQL Injection attacks involves a proactive approach. Here are some key steps to take:

• Input validation: Implement stringent input validation. Ensure data is in the correct format and reject any suspicious entries.
• Prepared statements and secure coding practices: Use prepared statements with parameterized queries. This approach separates the data from the command, reducing the chance of successful injection.
• Regular updates: Keep your software, especially your database management system, updated to benefit from the latest security patches.

Hadrian: Your shield against Blind SQL Injection attacks

Just as the ancient Hadrian's Wall was built to protect Roman Britain, Hadrian technology safeguards your databases against SQL Injection attacks, including the elusive blind variants.

Complete visibility

Hadrian scans the internet and processes 1.1Tb of data daily to continuously discover new and changing digital assets in your external attack surface. To achieve this, our Orchestrator AI identifies blind spots and assets that are vulnerable to SQL Injection and its variants. 

Continuous Monitoring

Hadrian's CTEM platform provides 24/7 monitoring of your applications, ensuring that any potential injection attempt is immediately flagged and addressed. This drastically reduces the window of opportunity for an attacker to exploit a vulnerability.

Intelligent Risk Prioritization

Hadrian’s 200+ hacker modules can form chains of potential attacks, effectively predicting and highlighting how an attacker might escalate their access or impact. This means your resources can be strategically deployed, focusing first on severe vulnerabilities such as potential Blind SQL Injections.

It’s a priority for your security team to identify where in your system that might be vulnerable to Blind SQL Injection attacks. Hadrian recommends you map your external attack surface to uncover applications that are vulnerable to SQL, Blind SQL Injection, and many other forms of attack.