All system administrators know about SQL injection and should also know how to protect their systems against such an attack. They may be less well informed about Blind SQL injection. Although it is a much lengthier process for the hacker, someone who is determined to get at your data can still use it to do so.
Blind SQL injection is akin to switching off the lights but still leaving your data open for someone to fumble around with a small torch and get at the bits they're interested in. It involves a lot of guesswork on the part of the attacker, and it takes time for them to understand the structure of the data they're trying to reach, but with skill and perseverance all the data is still at their fingertips. To make things worse, the guesswork can easily be automated, reducing the time it takes to steal your data.
Read our detailed article about a Blind SQL injection attack and the two techniques that are commonly used to do this – Content-based Blind SQL Injection and Time-based Blind SQL Injection.
So what can you do to protect yourself against Blind SQL injection attacks? The following are some preventative measures to consider.
- Make sure your policy enforces the need to code securely and check regularly for vulnerabilities during the development and deployment stages of building a web application.
- Identify where data enters or exits the application to make sure validation takes place for every part of the HTTP request.
- Isolate your web applications from SQL using stored procedures, which the application must execute using a safe interface. The use of Prepared SQL Statements (aka Parameterized Queries) is also recommended. This eliminates the possibility of user data being interpreted as SQL statements.
- Use a vulnerability scanner that can detect both SQL Injection and Blind SQL injection vulnerabilities, then run regular scans to identify any new bugs that were not identified or prevented by the measures above, or that are introduced later.
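
To illustrate the prepared-statement measure above, the following added example (not code from the original article) compares a string-concatenated lookup with a parameterized one and checks whether the answer changes when a true or false condition is embedded in the input, which is the signal content-based blind injection relies on. The table, the SKU values, the SKU format and the function names are assumptions made up for the example.

```python
import re
import sqlite3

# Constructed inputs: the same SKU followed by an always-true / always-false condition.
PROBE_TRUE = "A1' AND '1'='1"
PROBE_FALSE = "A1' AND '1'='2"
SKU_FORMAT = re.compile(r"[A-Z0-9]{1,16}")  # assumed format, for this example only

def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("A1", "widget"), ("B2", "gadget")])
    return conn

def exists_concat(conn, raw_sku):
    # Vulnerable form: the input becomes part of the SQL text itself.
    sql = "SELECT 1 FROM products WHERE sku = '" + raw_sku + "'"
    return conn.execute(sql).fetchone() is not None

def exists_param(conn, raw_sku):
    # Parameterized form: the input is bound as a value, never parsed as SQL.
    row = conn.execute("SELECT 1 FROM products WHERE sku = ?", (raw_sku,)).fetchone()
    return row is not None

def exists_checked(conn, raw_sku):
    # Input validation in front of the parameterized query (defence in depth).
    if not SKU_FORMAT.fullmatch(raw_sku):
        return False
    return exists_param(conn, raw_sku)

def answers_differ(lookup, conn):
    """True if the lookup result depends on the condition embedded in the input."""
    return lookup(conn, PROBE_TRUE) != lookup(conn, PROBE_FALSE)

if __name__ == "__main__":
    db = make_db()
    for fn in (exists_concat, exists_param, exists_checked):
        print(fn.__name__, "answer depends on embedded SQL:", answers_differ(fn, db))
```

A stored procedure that concatenates its arguments into dynamic SQL behaves like `exists_concat`, so the same check applies to code inside the database.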