SQL, which have been around for a long time. Today, they continue to be widely used by cybercriminals. The purpose of these attacks is to compromise the servers targeted by cybercriminals and dispose of them for other purposes. And it is that there are a great variety of attacks and new ones appear regularly and the protagonism of today is taken by Blind SQL Injection which we will talk about.
Blind SQL Injection is used when there are no error messages before a possible injection or they have been altered by the developer. In addition, it is not possible to view the data of the inquiries on the website. In this way, the attacker tries to inject queries that return a true value and thus be able to infer what type of information the query returns. Therefore, when the query is correct, it will display the same content and not the custom error message.
SQL Blind injection is an SQL injection attack technique that relies on the web page’s error responses to certain inputs. In general, code injection attacks on a website are based on the lack of checking of the input parameters. An input parameter is any value sent from the client to the web server. The usual input parameters to the web server are:
▸GET call fields passed by URL
▸Form fields submitted by POST method
▸Variables stored in cookies
▸Http header values
▸Javascripts function call parameters
It is important to clarify that there are various techniques to protect against this type of injection. Some of them are more complex than others. However, in the first instance, it is important to carry out the necessary controls on the parameters that are taken as input data. You always have to think about what the access points can be for an attacker and thus be able to anticipate possible injections.
Related reads:
SQL Injection – How these attacks can affect us
CRLF Injection – A Vulnerability that attacks servers
PHP Vulnerabilities and risks
