312-50V10 · Question #18
What is attempting an injection attack on a web server based on responses to True/False questions called?
The correct answer is C. Blind SQLi. Blind SQL injection infers database content through boolean (true/false) application responses without directly seeing query output.
Question
What is attempting an injection attack on a web server based on responses to True/False questions called?
Options
- ADMS-specific SQLi
- BCompound SQLi
- CBlind SQLi
- DClassic SQLi
How the community answered
(55 responses)- A7% (4)
- B2% (1)
- C89% (49)
- D2% (1)
Why each option
Blind SQL injection infers database content through boolean (true/false) application responses without directly seeing query output.
DBMS-specific SQLi exploits features or syntax unique to a particular database engine such as stored procedures in MS SQL Server, and is not defined by a boolean inference method.
Compound SQLi combines multiple injection techniques or attack vectors simultaneously, which is unrelated to the true/false questioning approach described.
Blind SQL injection occurs when a web application does not return query results or error messages directly, forcing the attacker to ask a series of true/false questions and infer data based on the application's differing responses. This technique is used when classic SQLi is not possible because database output is not reflected in the HTTP response.
Classic SQLi (in-band) retrieves data directly within the same communication channel used for injection, where results are visible in the application's response - the opposite of blind.
Concept tested: Blind SQL injection boolean-based inference
Source: https://owasp.org/www-community/attacks/Blind_SQL_Injection
Topics
Community Discussion
No community discussion yet for this question.