Hello, friends! How are you all doing? So, this is our 12th article on SQL Injection. In this article, we will cover the PortSwigger Web Security lab on “Blind SQL injection with time delays,” from basic to advanced, in a step-by-step and easy-to-understand manner.
This lab focuses on a Blind SQL Injection vulnerability. The application uses a tracking cookie for analytics, and it performs an SQL query that holds the submitted cookie value. The query does not return any visible results, and you won’t see any changes in the application when your query is executed. Since the query is executed synchronously, it is possible to trigger blind SQL injection by using time delay conditionals.
To solve the lab, you need to introduce a 10-second time delay in the application using a blind SQL payload.
First, access the lab. After accessing the lab, enable the Burp Suite proxy and refresh the main page of the lab to intercept the request.
Once intercepted, send the request to the Repeater tab. We will perform testing on this tab to check if there is a blind SQL injection vulnerability.
Modify the TrackingId parameter with the time delay payload:
Now, insert the time delay payload in the TrackingId parameter. Check the response to see if the application is taking more than 10 seconds to respond.
As you can see, when we inserted the payload, our PortSwigger lab on “Blind SQL injection with time delays” was automatically solved.
You can learn everything related to web security on our website. We upload the latest articles on web security topics on a daily basis, so stay with us.
To continue studying check out the next lab i.e. Blind SQL Injection With Out-Of-Band Interaction, cover the current lab before visiting the next lab. Good Luck!
Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.
Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.
It is always a good practice to use an up-to-date browser with timely updates. Keep your browser plugins up-to-date, avoid malicious websites and links, and always enable 2-factor authentication while avoiding clickjacking.
Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.