Web Application Security Testing Methodologies
Web Application Hacker's Handbook Chapter 20 Methodology
Web Application Hacker's Handbook Testing Checklist
SQL Injection (SQLi) vulnerabilities are one of the oldest and most common web security issues. The latest OWASP Top 10 list still features this type of attack at the number one spot as the biggest web application security risk.

The most common method used to check for a normal SQL Injection vulnerability is adding a single quote (', ASCII value 39). If you use a single quote in a field or parameter that is passed directly to an SQL statement, the database server will report an error. If the database server is configured to show SQL errors, the web server will display the error in the web application. This way an attacker is certain that the field is vulnerable to SQL Injection attacks. The error could look similar to the following one (from Microsoft SQL Server):

Microsoft SQL Native Client error '80040e14'
Unclosed quotation mark after the character string ''.

After the attacker verifies the presence of an SQL Injection vulnerability, they can try different requests (often involving UNION SELECT statements) to receive information about the database in error responses. They can use it to fingerprint the database (find out if it's MySQL, PostgreSQL, Oracle, MSSQL, etc. and which version), build the database schema, retrieve data from any table in the database, and escalate the attack.

Web server administrators quickly realized that showing errors to the general public is not a wise thing to do, so they started suppressing detailed error messages. This is a flawed solution because it does not address the underlying problem: the SQL interpreter can still parse user input as part of an SQL query.

Attackers came up with methods to go around the lack of error messages and still know if the input is being interpreted as an SQL statement. This is how the Blind SQL Injection technique was born (sometimes called Inferential SQL Injection). There are two variants of this technique that are commonly used: Content-based Blind SQL Injection and Time-based Blind SQL Injection.

In the case of a Content-based Blind SQL Injection attack, the attacker makes different SQL queries that ask the database TRUE or FALSE questions. Then they analyze differences in responses between TRUE and FALSE statements.

This is an example of a web page of an online shop, which displays items that are for sale. The following link will display details about item 34, which are retrieved from a database. The SQL statement used for this request is:

SELECT column_name, column_name_2 FROM table_name WHERE id = 34

The attacker may manipulate the request by appending: and 1=2

The SQL statement changes to:

SELECT column_name, column_name_2 FROM table_name WHERE ID = 34 and 1=2
(for example: SELECT name, description, price FROM Store_table WHERE ID = 34 and 1=2)

This will cause the query to return FALSE and no items are displayed in the list. The attacker then proceeds to change the request to: and 1=1

And the SQL statement changes to:

SELECT column_name, column_name_2 FROM table_name WHERE ID = 34 and 1=1
(for example: SELECT name, description, price FROM Store_table WHERE ID = 34 and 1=1)

This returns TRUE, and the details of the item with ID 34 are shown. This is a clear indication that the page is vulnerable.

In the case of time-based attacks, the attacker makes the database perform a time-intensive operation. If the web site does not return a response immediately, the web application is vulnerable to Blind SQL Injection. A popular time-intensive operation is the sleep operation.

Based on the previous example, the attacker would first benchmark the web server response time for a regular query. They would then issue the following request: and if(1=1, sleep(10), false)

The web application is vulnerable if the response is delayed by 10 seconds.

Consequences of Blind SQL Injections

Blind SQL Injections are often used to build the database schema and get all the data in the database. This is done using brute force techniques and requires many requests but may be automated by attackers using SQL Injection tools.

Acunetix can detect Blind SQL Injection vulnerabilities. Acunetix also includes a Blind SQL Injector tool, which allows the penetration tester to verify that the Blind SQL vulnerability exists and demonstrate the consequences of the vulnerability. Take a demo and find out more about running Blind SQLi scans against your website or web application.
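The content-based and time-based probes described above only work because the item ID is pasted into the SQL text. The following added example (not code from the article or from Acunetix) rebuilds the Store_table lookup two ways, the vulnerable concatenation beside a parameterized version, and adds a small log check for the two probe shapes; the in-memory table, the log lines and the items.php path are constructed for the demonstration.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

def make_db():
    """Constructed in-memory stand-in for the page's Store_table (one item, ID 34)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Store_table (ID INTEGER, name TEXT, description TEXT, price REAL)")
    conn.execute("INSERT INTO Store_table VALUES (34, 'Widget', 'A small widget', 9.99)")
    return conn

def lookup_vulnerable(conn, item_id):
    # Vulnerable: the raw parameter is concatenated into the SQL text, so an input of
    # "34 and 1=2" rewrites the WHERE clause. The TRUE/FALSE difference in the result
    # is the signal a content-based blind SQLi attack reads.
    sql = "SELECT name, description, price FROM Store_table WHERE ID = " + item_id
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, item_id):
    # Hardened: the value is type-checked and bound as a parameter, so the database
    # never parses it as SQL and TRUE/FALSE probes produce no observable difference.
    try:
        value = int(item_id)
    except ValueError:
        return []
    sql = "SELECT name, description, price FROM Store_table WHERE ID = ?"
    return conn.execute(sql, (value,)).fetchall()

# Detection side: the two probe shapes the article describes, a boolean "and N=N" tail
# and a sleep() call, are easy to spot once the request line is URL-decoded.
BLIND_SQLI_PROBE = re.compile(r"\band\s+\d+\s*=\s*\d+\b|\bsleep\s*\(", re.IGNORECASE)

def flag_requests(log_lines):
    """Return the URL-decoded request lines that contain a blind SQLi probe."""
    return [line for line in (unquote_plus(l) for l in log_lines) if BLIND_SQLI_PROBE.search(line)]

# Constructed access-log lines (path and parameter name are assumptions, not from the article).
SAMPLE_LOG = [
    "GET /items.php?id=34 HTTP/1.1",
    "GET /items.php?id=34%20and%201=2 HTTP/1.1",
    "GET /items.php?id=34%20and%20if(1=1,%20sleep(10),%20false) HTTP/1.1",
]

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "34 and 1=1"))   # one row: the TRUE case shows the item
    print(lookup_vulnerable(db, "34 and 1=2"))   # []: the FALSE case shows nothing
    print(lookup_hardened(db, "34 and 1=1"))     # []: probe rejected, no differential
    print(flag_requests(SAMPLE_LOG))             # the two probe lines
```

SQLite has no sleep() function, so the time-based variant is only covered on the detection side here; the parameterized lookup defeats it for the same reason it defeats the boolean probe.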