[Owasp-documentation-projects] change Blind SQL Injection definition

Victor Security dvpem.security at gmail.com
Mon Jul 5 12:54:24 EDT 2010


Hi OWASP list,
while writing an article about Blind SQLi for my blog, I found myself
challenging about the Blind SQLi definition displayed in the OWASP page (
http://www.owasp.org/index.php/Blind_SQL_Injection), and many other articles
and papers. The definition says:

> "Blind SQL injection is identical to normal SQL Injection (http://www.owasp.org/index.php/SQL_Injection) except that when an attacker attempts to exploit an application, rather than
> getting a useful error message, they get a generic page specified by the
> developer instead. This makes exploiting a potential SQL Injection attack
> more difficult but not impossible. An attacker can still steal data by
> asking a series of True and False questions through SQL statements."

While I think the definition is Ok, it's not complete. Let me show my point.
The part:

> Blind SQL injection is identical to normal SQL Injection (http://www.owasp.org/index.php/SQL_Injection) except that when an attacker attempts to exploit an application, rather than
> getting a useful error message, they get a generic page specified by the
> developer instead.
>
says that if you don't get an error from the page, you are dealing with
Blind SQLi. OK, I think that's correct, but if we read the following part:

> An attacker can still steal data by asking a series of True and False
> questions through SQL statements.
>
I think we are missing something. What I'm saying is, if we don't get an
error from the page, we can still steal information without asking true/false
questions. For example, in a page where we get the content from an id
variable, we can use a UNION to print information from other tables. In this
case, we don't need to ask only true/false questions, and we are not getting
errors from the page either. So, with the original definition, we are missing
this case. Is this Blind SQLi, or not?

If we say that in Blind SQLi we can only ask true/false questions, I think
the definition must be changed. I think the definition mentioned in Wikipedia
(http://en.wikipedia.org/wiki/SQL_injection) is more accurate:

> Blind SQL Injection is used when a web application is vulnerable to an SQL
> injection but the results of the injection are not visible to the attacker.
> The page with the vulnerability may not be one that displays data but will
> display differently depending on the results of a logical statement injected
> into the legitimate SQL statement called for that page.
>
It fits better, don't you think? Blind SQLi is used when we don't get any
result from the injection but only different data depending on the SQL
statement.

Maybe my interpretation of the OWASP definition is wrong. I look forward to
your replies.
Best regards,
    Victor H. Batista


PS: if it's not the right list, point me to the right one
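The distinction discussed in this thread, as an added example that is not part of the original post: a lookup handler that concatenates an id into its query and swallows all errors (so the attacker never sees an error message, yet the response still differs with an injected condition, and a UNION can still return rows from another table), beside the same handler with a bound parameter. The products/users schema and the generic-page string are constructed for the example.

```python
import sqlite3

# Constructed sample schema (not from the post): a page that looks up a
# product by id, plus an unrelated table the page was never meant to show.
_SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT);
INSERT INTO users VALUES (1, 'admin');
"""

GENERIC_PAGE = "generic page"  # what the developer shows on error or no result


def _db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def render_vulnerable(product_id: str) -> str:
    """Handler that concatenates the id and hides every database error.
    No error text reaches the client, yet the page content still depends on
    the truth of whatever condition is appended to the id, and a UNION can
    pull rows from another table: 'blind' to errors, not to results."""
    conn = _db()
    try:
        rows = conn.execute(
            "SELECT name FROM products WHERE id = " + product_id
        ).fetchall()
    except sqlite3.Error:
        return GENERIC_PAGE
    finally:
        conn.close()
    return ", ".join(r[0] for r in rows) if rows else GENERIC_PAGE


def render_hardened(product_id: str) -> str:
    """Same handler with input typing and a bound parameter: the id can
    only ever be compared as an integer, so the response no longer depends
    on any SQL the client supplies."""
    if not product_id.isdigit():
        return GENERIC_PAGE
    conn = _db()
    try:
        rows = conn.execute(
            "SELECT name FROM products WHERE id = ?", (int(product_id),)
        ).fetchall()
    finally:
        conn.close()
    return ", ".join(r[0] for r in rows) if rows else GENERIC_PAGE


def boolean_oracle_present(handler) -> bool:
    """Regression check for a test suite: a handler whose output differs for
    an always-true and an always-false appended condition leaks a true/false
    oracle even though it never prints an error."""
    return handler("1 AND 1=1") != handler("1 AND 1=2")
```

The check shows that the vulnerable handler leaks an oracle and returns the users row through a UNION without ever producing an error, while the hardened handler returns the generic page for both.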