nerdexam
EC-Council

312-50V13 · Question #171

Elliot is in the process of exploiting a web application that uses SQL as a back-end database. He's determined that the application is vulnerable to SQL injection, and has introduced conditional timin

The correct answer is B. Blind SQL injection. Elliot is performing blind SQL injection, a technique used when an attacker infers information based on the application's responses, such as timing delays, rather than direct output.

Submitted by eva_at· Mar 6, 2026SQL Injection

Question

Elliot is in the process of exploiting a web application that uses SQL as a back-end database. He's determined that the application is vulnerable to SQL injection, and has introduced conditional timing delays into injected queries to determine whether they are successful. What type of SQL injection is Elliot most likely performing?

Options

  • AError-based SQL injection
  • BBlind SQL injection
  • CUnion-based SQL injection
  • DNoSQL injection

How the community answered

(32 responses)
  • A
    3% (1)
  • B
    94% (30)
  • C
    3% (1)

Why each option

Elliot is performing blind SQL injection, a technique used when an attacker infers information based on the application's responses, such as timing delays, rather than direct output.

AError-based SQL injection

Error-based SQL injection relies on the database returning error messages that reveal information about the database structure or query results, which is not what Elliot is observing.

BBlind SQL injectionCorrect

Blind SQL injection occurs when an attacker cannot see the output of the SQL query directly on the webpage, making it necessary to rely on other methods to confirm success or extract data. Using conditional timing delays, where the response time indicates whether a certain condition in the injected query is true or false, is a classic technique for blind SQL injection, allowing for systematic information extraction.

CUnion-based SQL injection

Union-based SQL injection uses the UNION operator to combine the results of the attacker's query with the legitimate query, displaying the injected data directly in the application's response, which Elliot is not doing.

DNoSQL injection

NoSQL injection targets NoSQL databases, which have different query languages and vulnerabilities than traditional SQL databases, whereas the question specifies a SQL back-end.

Concept tested: Blind SQL injection detection techniques

Source: https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-overview#sql-injection

Topics

#SQL injection#Blind SQL injection#Timing attack#Web application hacking

Community Discussion

No community discussion yet for this question.

Full 312-50V13 Practice