312-50V9 · Question #280
Attempting an injection attack on a web server based on responses to True/False questions is called which of the following?
The correct answer is A. Blind SQLi. Blind SQL injection infers database information by sending queries that produce observable true/false behavioral differences in the application's response rather than returning data directly.
Question
Attempting an injection attack on a web server based on responses to True/False questions is called which of the following?
Options
- ABlind SQLi
- BDMS-specific SQLi
- CClassic SQLi
- DCompound SQLi
How the community answered
(34 responses)- A91% (31)
- C6% (2)
- D3% (1)
Why each option
Blind SQL injection infers database information by sending queries that produce observable true/false behavioral differences in the application's response rather than returning data directly.
In a Blind SQLi attack, the attacker cannot see query results in the HTTP response and instead crafts Boolean-based or time-based payloads to ask yes/no questions about the database, reconstructing data one bit at a time based on how the application behaves differently for true versus false conditions.
DBMS-specific SQLi exploits syntax or features unique to a particular database engine such as MySQL or MSSQL, not a true/false inference technique.
Classic SQLi returns data directly in the application's response, meaning the attacker can read results without relying on behavioral differences.
Compound SQLi is not a recognized standard SQL injection category and does not describe the true/false inference methodology.
Concept tested: Blind SQL injection true/false inference technique
Source: https://owasp.org/www-community/attacks/Blind_SQL_Injection
Topics
Community Discussion
No community discussion yet for this question.