What is Blind SQL Injection?
Blind SQL Injection
This is a hacking method that allows an unauthorized attacker to access a database server. It is facilitated by a common coding blunder: the program accepts data from a client and executes SQL queries without first validating the client’s input. The attacker is then free to extract, modify, add, or delete content from the database. In some circumstances, he may even penetrate past the database server and into the underlying operating system.
Hackers typically test for SQL injection vulnerabilities by sending the application input that would cause the server to generate an invalid SQL query. If the server then returns an error message to the client, the attacker will attempt to reverse-engineer portions of the original SQL query using information gained from these error messages. The typical administrative safeguard is simply to prohibit the display of database server error messages. Regrettably, that’s not sufficient.
If your application does not return error messages, it may still be susceptible to “blind” SQL injection attacks.
Detecting Blind SQL Injection Vulnerability
Web applications commonly use SQL queries with client-supplied input in the WHERE clause to retrieve data from a database. By adding additional conditions to the SQL statement and evaluating the web application’s output, you can determine whether or not the application is vulnerable to SQL injection.
For instance, many companies allow Internet access to archives of their press releases. A URL for accessing the company’s fifth press release might look like this:
http://www.example.com/pressRelease.jsp?pressReleaseID=5
The SQL statement the web application would use to retrieve the press release might look like this (the client-supplied input is the trailing value 5):
SELECT title, description, releaseDate, body FROM pressReleases WHERE pressReleaseID = 5
The database server responds by returning the data for the fifth press release. The web application will then format the press release data into an HTML page and send the response to the client.
To determine if the application is vulnerable to SQL injection, try injecting an extra true condition into the WHERE clause. For example, if you request this URL . . .
http://www.example.com/pressRelease.jsp?pressReleaseID=5 AND 1=1
and if the database server executes the following query . . .
SELECT title, description, releaseDate, body FROM pressReleases WHERE pressReleaseID = 5 AND 1=1
and if this query also returns the same press release, then the application is susceptible to SQL injection. Part of the user’s input is interpreted as SQL code.
A secure application would reject this request because it would treat the user’s input as a value, and the value “5 AND 1=1” would cause a type mismatch error. The server would not display a press release.
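The contrast described above, as an added example that is not part of the original article: a constructed in-memory SQLite copy of the pressReleases table, a hypothetical handler that concatenates the query-string value into the SQL text, and a hardened handler that validates the type and binds a parameter. The last function applies the page's own true-condition/false-condition check to either handler.

```python
import sqlite3

# Constructed stand-in for the article's pressReleases table (five rows).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pressReleases (pressReleaseID INTEGER PRIMARY KEY, "
                 "title TEXT, description TEXT, releaseDate TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pressReleases VALUES (?, ?, ?, ?, ?)",
        [(i, f"Release {i}", f"Description {i}", f"2020-01-0{i}", f"Body {i}")
         for i in range(1, 6)])
    return conn

def fetch_vulnerable(conn, press_release_id: str):
    # Hypothetical vulnerable handler: the raw pressReleaseID parameter is
    # pasted into the SQL text, so "5 AND 1=1" becomes part of the WHERE clause.
    sql = ("SELECT title, description, releaseDate, body FROM pressReleases "
           "WHERE pressReleaseID = " + press_release_id)
    return conn.execute(sql).fetchall()

def fetch_safe(conn, press_release_id: str):
    # Hardened handler: the input is treated as a value. "5 AND 1=1" is not an
    # integer, so it is rejected before any query runs; a valid id is bound.
    try:
        pr_id = int(press_release_id)
    except ValueError:
        raise ValueError("pressReleaseID must be an integer") from None
    sql = ("SELECT title, description, releaseDate, body FROM pressReleases "
           "WHERE pressReleaseID = ?")
    return conn.execute(sql, (pr_id,)).fetchall()

def responds_to_boolean_conditions(conn, fetch, press_release_id: str = "5") -> bool:
    """The article's blind check: appending a true condition keeps the same
    row while a false condition drops it. A handler that rejects the input
    or treats it as an opaque value does not show this behaviour."""
    try:
        base = fetch(conn, press_release_id)
        true_case = fetch(conn, press_release_id + " AND 1=1")
        false_case = fetch(conn, press_release_id + " AND 1=2")
    except (ValueError, sqlite3.Error):
        return False
    return bool(base) and true_case == base and false_case != base
```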