Boolean based Blind SQL Injection (SQLi)

OWASP 2013-A1 OWASP 2017-A1 OWASP PC-C3 PCI v3.2- CAPEC-66 CWE-89 HIPAA-89 ISO27001-A.14.2.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N WSTG-INPV-05 WASC-19

Boolean-based SQL injection is a technique which relies on sending an SQL query to the database. This injection technique forces the application to return a different result, depending on the query. Depending on the boolean result (TRUE or FALSE), the content within the HTTP response will change, or remain the same. The result allows an attacker to judge whether the payload used returns true or false, even though no data from the database are recovered. Also, it is a slow attack; this will help the attacker to enumerate the database.



A vulnerable data access layer of an application can build an SQL query as shown below from the above URL request.

        SELECT title, description, body FROM items WHERE ID = 2 and 1=2


If an application is vulnerable to SQL injection, it will not return anything, and the attacker will next inject a query with a true condition (1=1). If the content of the page is different than the page that returned during false condition, then the attacker can infer that SQL injection is working. Now the attacker can verify it he all set to use other SQL Injection methods.

Impact and Fixes

Related Articles