Boolean based Blind SQL Injection (SQLi)

OWASP 2013-A1 OWASP 2017-A1 OWASP 2021-A3 OWASP 2019-API8 PCI v3.2-6.5.1 OWASP PC-C3 CAPEC-66 CWE-89 HIPAA-164.306(a) & HIPAA-164.308(a) ISO27001-A.14.2.5 WASC-19 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H WSTG-INPV-05

What is Boolean based blind SQL injection?

Boolean-based blind SQL injection is a technique in which the attacker sends the database an SQL query whose injected condition forces the application to return a different result depending on whether that condition evaluates to true or false.

The result lets the attacker judge whether the injected payload evaluated to true or false. Even though no data is returned directly from the database, this true/false signal still gives the attacker valuable information.

Depending on the boolean result (TRUE or FALSE), the content of the HTTP response either changes or stays the same.

It is also a slow attack, because each request reveals only a single true/false answer; nevertheless, that is enough for the attacker to enumerate the database step by step.

Example

        https://example.beaglesecurity.com/items.php?id=2

When a false condition is appended to the id parameter of the above request, a vulnerable data access layer builds an SQL query like the one shown below.

        SELECT title, description, body FROM items WHERE ID = 2 and 1=2

If the application is vulnerable to SQL injection, this query returns nothing. The attacker then injects a query with a true condition (1=1). If the content of the resulting page differs from the page returned for the false condition, the attacker can infer that the SQL injection is working. Having verified this, the attacker is all set to use other SQL injection methods.
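As an added example (not code from the original article), the following Python/SQLite sketch places the string-concatenated query described above next to a parameterized, type-checked version, and includes a check that the true and false probes stop producing different responses once the query is fixed. The in-memory table, its rows and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the items table used in the article's query
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (ID INTEGER PRIMARY KEY, title TEXT, description TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?, ?)",
        [(1, "First", "desc 1", "body 1"), (2, "Second", "desc 2", "body 2")],
    )
    return conn


def vulnerable_lookup(conn, item_id):
    # Vulnerable: the request parameter is pasted straight into the SQL text,
    # so "2 and 1=2" becomes part of the WHERE clause instead of a value
    sql = f"SELECT title, description, body FROM items WHERE ID = {item_id}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, item_id):
    # Hardened: reject anything that is not a plain integer, then bind the
    # value as a parameter so it can never alter the query structure
    if not str(item_id).isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT title, description, body FROM items WHERE ID = ?"
    return conn.execute(sql, (int(item_id),)).fetchall()


def responses_differ(lookup, conn):
    # Model of the article's test: does a false condition (1=2) produce a
    # different page than a true condition (1=1)? A fixed endpoint answers
    # both probes identically (here: the same rejection), so no signal leaks.
    pages = []
    for probe in ("2 and 1=2", "2 and 1=1"):
        try:
            pages.append(lookup(conn, probe))
        except ValueError:
            pages.append("rejected")
    return pages[0] != pages[1]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable leaks a true/false signal:", responses_differ(vulnerable_lookup, db))
    print("hardened leaks a true/false signal:", responses_differ(safe_lookup, db))
```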
