Web applications usually store information in a SQL server in order to, for example, show it to other users. When the application developer uses unvalidated, user-controlled variables as part of a SQL query, a SQL injection or blind SQL injection vulnerability is introduced into the application.
When an attacker carries out SQL injection attacks, the server sometimes responds with error messages from the database server complaining that the SQL query's syntax is incorrect. Blind SQL injection is identical to normal SQL injection except that when an attacker attempts to exploit the application, rather than getting a potentially useful error message, they get a generic page specified by the developer instead. This makes exploiting a potential blind SQL injection more difficult, but not impossible. An attacker can still retrieve valuable information, and potentially execute operating system commands, by asking a series of true-or-false questions through SQL statements and observing how the application's response differs.
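The following added example (not part of the original page) models the situation described above in Python with an in-memory SQLite table: a lookup that concatenates user input into the query, a parameterized lookup, and a page renderer that swallows database errors behind a generic response. The table, the user names and the `render` helper are constructed for this illustration; they show that the concatenating version still answers the caller's true-or-false condition even though no error text is ever shown, while the parameterized version treats the input purely as data.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny user table for the example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return con


def user_exists_vulnerable(con, name):
    """Unsafe: the untrusted value becomes part of the SQL text itself."""
    sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchone()[0] > 0


def user_exists_safe(con, name):
    """Safe: a bound parameter is always a string literal, never SQL syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchone()[0] > 0


def render(con, lookup, name):
    """Generic page: database errors are hidden, only 'found' / 'not found' is returned.

    This is the blind setting from the text: no error message leaks, but the
    two possible responses still form a true/false oracle for the vulnerable lookup.
    """
    try:
        return "found" if lookup(con, name) else "not found"
    except sqlite3.Error:
        # Developer-specified generic page instead of the database error text.
        return "not found"


if __name__ == "__main__":
    con = make_db()
    for probe in ["alice", "alice'", "nobody' OR '1'='1", "nobody' OR '1'='2"]:
        print(repr(probe),
              "vulnerable:", render(con, user_exists_vulnerable, probe),
              "safe:", render(con, user_exists_safe, probe))
```

With the concatenating lookup the response flips between "found" and "not found" depending on whether the injected condition is true, which is exactly the signal blind SQL injection relies on; with the parameterized lookup the same inputs are simply names that do not exist.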