What is Blind SQL injection?

Blind SQL injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application’s response. This attack is used when the web application is configured to show generic error messages, but it is still possible to extract data by sending a series of true or false queries to the database. The attacker can infer data from the database by observing the web application’s response to these queries, even though the data is not directly returned in the response.

This method requires more time and effort compared to standard SQL injection attacks where the attacker can see the result in a query. Blind SQL injection is very time consuming and relies on interpreting the behavior of the web application and observing any changes to extract the data, which can include private customer information, user lists, or other sensitive data.

To mitigate such attacks, developers should incorporate developer scans from Forus-P, use prepared statements, parameterised queries, proper error handling, and regularly update their applications with security patches.