Blind/Inferential SQL Injection
Blind SQL Injection is used when a web application is vulnerable to an SQL injection, but the results of the injection are not visible to the attacker.
Boolean-based blind SQL injection (sometimes called inferential SQL Injection) is performed by asking the right questions to the application database. Multiple valid statements evaluated as true or false are supplied in the affected parameter in the HTTP request. (P.2044/2028)
Blind SQL injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack has traditionally been considered time-intensive because a new statement needed to be crafted for each bit recovered, and depending on its structure, the attack may consist of many unsuccessful requests. Recent advancements have allowed each request to recover multiple bits, with no unsuccessful requests, allowing for more consistent and efficient extraction. There are several tools that can automate these attacks once the location of the vulnerability and the target information has been established.
https://en.wikipedia.org/wiki/SQL_injection#Blind_SQL_injection
Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions.
Daniel8660, 6 months, 3 weeks ago
Gerasz87, 1 year ago
Scryptic, 1 year, 7 months ago
ANDRESCB1988, 1 year, 9 months ago
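Added example, not part of the original thread: the comments above describe a page that shows no query output yet "will display differently depending on the results of a logical statement", and the sketch below shows that behaviour beside a hardened handler, with a regression check a defender can run against both. The `products` table, the handler names and `leaks_boolean` are assumptions made for illustration, and the data is constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demonstration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [(1, "widget"), (2, "gadget")])
    return db

def page_vulnerable(db, product_id):
    # Vulnerable: the request parameter is concatenated into the SQL text,
    # so any condition appended to it becomes part of the WHERE clause.
    sql = "SELECT name FROM products WHERE id = " + product_id
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        row = None
    # The page never prints query output, only one of two fixed bodies.
    # That two-way difference is the true/false channel the comments describe.
    return "In stock" if row else "Not found"

def page_hardened(db, product_id):
    # Hardened: reject anything that is not an integer, then bind the value
    # as a parameter so it can never be parsed as SQL.
    try:
        value = int(product_id)
    except ValueError:
        return "Not found"
    row = db.execute("SELECT name FROM products WHERE id = ?",
                     (value,)).fetchone()
    return "In stock" if row else "Not found"

def leaks_boolean(page, db, base="1"):
    # Regression check: send the same id with an always-true and an
    # always-false condition appended. If the two bodies differ, the page
    # is evaluating attacker-supplied logic.
    true_body = page(db, base + " AND 1=1")
    false_body = page(db, base + " AND 1=2")
    return true_body != false_body

if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks:", leaks_boolean(page_vulnerable, db))
    print("hardened handler leaks:  ", leaks_boolean(page_hardened, db))
```

The same paired true/false probe works as a test-suite assertion for any handler that takes an identifier from the request.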