Light Dark
January 19, 2016 By Dave McMillen 2 min read
Software Vulnerabilities
Advanced Threats

For as long as SQL injection has been around, it is still not old news — at least for attackers. Attackers will take whatever path they can to reach an exploit The simpler the path, the better. However, sometimes they need to use a little more elbow grease.

That’s where blind SQL injection comes in. If an attacker were a magician, this attack would be the last handkerchief out of his SQL injection sleeve.

What Is Blind SQL Injection?

The Open Web Application Security Project (OWASP) gave the following definition of blind SQL injection:

“Blind SQL (Structured Query Language) injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application’s response. This attack is often used when the Web application is configured to show generic error messages but has not mitigated the code that is vulnerable to SQL injection.”

This is called a blind attack because the actor can’t easily see the intended target without asking the important questions. An attacker typically uses blind SQL injection if traditional methods continually fail to glean information. Blind injection is a last resort.

Blind SQL Injection Attack Metrics

IBM Managed Security Services continuously monitors billions of events reported every year by client devices in over 100 countries. Analysis of the blind SQL injection data accumulated between Jan. 1, 2015, and Nov. 30, 2015, revealed some interesting findings.

Clearly, traditional SQL injection attempts win out over blind SQL injection attempts, but there are some months when attackers make a concerted effort against their targets to use blind SQL injection.

Mitigating Blind SQL Injection

Without investing time into testing, it’s virtually impossible to tell if your database deployment and its front-end infrastructure are vulnerable to blind SQL injections. SQL injection testing tools can help organizations identify SQL weaknesses in applications — but attackers can use those same tools to find entry points into the same applications.

Interested in the evolving cyber threat landscape? Read the latest IBM X-Force Research

 |  | 
Dave McMillen
Senior Threat Researcher, IBM X-Force

More from Software Vulnerabilities
August 9, 2023

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

August 2, 2023

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy. Research motivations…

March 30, 2023

X-Force prevents zero day from going anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature