For those of you who managed to make it to the webcast on the 20th with Matt Johansen and me, you heard quite a bit about the perspective of a blackhat when it comes to SQL injection and blind SQL injection. But I thought it would be worthwhile to write it down here as well, for those who missed it or don’t have the time to listen to the whole thing.
Internally at WhiteHat we’ve had the long-standing belief that blind SQL injection is rarely if ever actually used in attacks. We hear a lot about blind SQL injection at conferences, in papers and while talking with researchers, but we just don’t hear about it being used. Sure, there may be one piece of anecdotal evidence somewhere, but as a general class of attack it doesn’t seem to be a favorite of attackers. The reason being? It’s hard to use.
With our theory in hand we asked our former blackhat friend “Adam” to comment on his perspective. While he believed it was indeed a vulnerability and should be fixed, he wasn’t aware of any regular use of it. He felt that it was a useful exploit but took way too long and was too difficult to use compared to just about any other exploit. So while it may be useful for some things, it’s just impractical compared to the vast number of other ways to attack a web application.
Even though SQL injection and blind SQL injection have nearly the same damage potential, almost no one other than state-sponsored attackers would bother with blind SQL injection outside of a penetration test or vulnerability scan. There are just too many other ways to break into a site to bother in most cases (trust me). Some tools try to make that process easier, but it can still be a huge pain depending on what we’re talking about. Plus it takes many orders of magnitude more requests to dump a database with blind SQL injection. Having to make many requests means more time and more risk of getting caught – you stick out like a sore thumb. By contrast, regular SQL injection is still one of the most widely used vulnerabilities for exactly the same line of thinking – it’s easy to use.
So what is blind SQL injection actually good for? Is there any circumstance where it’s really worthwhile to bother? Yes – let’s say just a few rows need to be extracted (admin passwords, for instance). Gaining access to a handful of rows might only represent a few hundred requests – well below the radar. Something like an admin password could then be used in another attack, which makes the process of exploitation much easier. So I would never claim that it’s not worth fixing – and neither would Adam. Update: as @bonsaiviking pointed out, command injection is another valid use case if you can achieve it.
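The defensive side of this argument, as an added example that is not from the post or from WhiteHat: the request volume that makes blind SQL injection “stick out like a sore thumb” shows up in an ordinary web server access log as one client hammering one path while cycling a single parameter through many distinct values. The log lines, client addresses, path and thresholds below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qsl

# Combined-log-format request line: client, timestamp, request URL, status, size.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) (\d+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client, timestamp, path, {param: value}) or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, url, _status, _size = m.groups()
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return client, datetime.strptime(ts, TS_FMT), parts.path, params

def find_enumerators(lines, window_s=300, min_requests=100, min_distinct=50):
    """Flag (client, path, param) triples where one client sends at least
    min_requests hits to one path inside window_s seconds while the same
    parameter takes at least min_distinct different values. Normal browsing
    rarely does this; row-by-row blind extraction cannot avoid it."""
    buckets = defaultdict(list)  # (client, path, param) -> [(timestamp, value)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, ts, path, params = rec
        for name, value in params.items():
            buckets[(client, path, name)].append((ts, value))
    flagged = []
    for key, events in buckets.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window over sorted hits
            values = [v for t, v in events[i:] if (t - start).total_seconds() <= window_s]
            if len(values) >= min_requests and len(set(values)) >= min_distinct:
                flagged.append(key)
                break
    return flagged

def constructed_log():
    """Constructed sample: 300 probes in five minutes from 10.0.0.5 against
    /item?id=..., plus five ordinary requests from 10.0.0.9."""
    base = datetime(2011, 1, 21, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for n in range(300):
        t = (base + timedelta(seconds=n)).strftime(TS_FMT)
        lines.append(f'10.0.0.5 - - [{t}] "GET /item?id=7%20probe{n} HTTP/1.1" 200 5120')
    for n in range(5):
        t = (base + timedelta(seconds=60 * n)).strftime(TS_FMT)
        lines.append(f'10.0.0.9 - - [{t}] "GET /item?id={n} HTTP/1.1" 200 5120')
    return lines
```

Tune the thresholds to your own traffic: the point is that a few hundred requests against one parameter is cheap to spot, which is exactly why the attacker in the post considers the technique impractical for anything beyond a handful of rows.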
Getting our theories affirmed is useful for helping us tune Sentinel to be a smarter scanner and prioritize attacks over time.