Blind SQL Injection: The Last Handkerchief Up the Attacker’s Sleeve

For as long as SQL injection has been around, it is still not old news — at least for attackers. Attackers will take whatever path they can to reach an exploit The simpler the path, the better. However, sometimes they need to use a little more elbow grease.

That’s where blind SQL injection comes in. If an attacker were a magician, this attack would be the last handkerchief out of his SQL injection sleeve.

What Is Blind SQL Injection?

The Open Web Application Security Project (OWASP) gave the following definition of blind SQL injection:

“Blind SQL (Structured Query Language) injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application’s response. This attack is often used when the Web application is configured to show generic error messages but has not mitigated the code that is vulnerable to SQL injection.”

This is called a blind attack because the actor can’t easily see the intended target without asking the important questions. An attacker typically uses blind SQL injection if traditional methods continually fail to glean information. Blind injection is a last resort.

Blind SQL Injection Attack Metrics

IBM Managed Security Services continuously monitors billions of events reported every year by client devices in over 100 countries. Analysis of the blind SQL injection data accumulated between Jan. 1, 2015, and Nov. 30, 2015, revealed some interesting findings.

A bar graph showing blind SQL injection attack attempts versus all other SQL injection attack attempts.

Clearly, traditional SQL injection attempts win out over blind SQL injection attempts, but there are some months when attackers make a concerted effort against their targets to use blind SQL injection.

Mitigating Blind SQL Injection

Without investing time into testing, it’s virtually impossible to tell if your database deployment and its front-end infrastructure are vulnerable to blind SQL injections. SQL injection testing tools can help organizations identify SQL weaknesses in applications — but attackers can use those same tools to find entry points into the same applications.

Interested in the evolving cyber threat landscape? Read the latest IBM X-Force Research

Share this Article:
Dave McMillen

Senior Threat Researcher, IBM Managed Security Services

Dave brings over 25 years of network security knowledge to IBM. Dave began his career in IBM over 15 years ago where he was part of a core team of six IBMers that created the IBM Emergency Response Service which eventually grew and evolved into Internet Security Systems. As an industry-recognized security expert and thought leader, Dave's background in security is full featured. Dave thrives on identifying threats and developing methods to solve complex problems. His specialties are intrusion detection/prevention, ethical hacking, forensics and analysis of malware and advanced threats. As a member of the IBM MSS Threat Research Team, Dave takes the intelligence he has gathered and turns out immediate tangible remedies that can be implemented within a customer’s network or on IBM MSS's own proprietary detection engines. Dave became interested in security back in the late 1980's and owned and operated a company that provided penetration and vulnerability testing service, one of the first of its kind. As the internet's footprint began to grow, it became clear to him there was a new problem on the horizon; protecting data. Dave worked with WheelGroup (later acquired by Cisco) where he helped develop NetRanger IDS and NetSonar. Dave also assisted with development of the very first IBM intrusion detection system, BillyGoat. Dave also has developed several other security based methods and systems which were patented for IBM.