Boolean-Based Blind SQL Injection

Boolean-Based Blind SQL Injection is a technique where attackers extract data by asking the database true/false questions and observing differences in the application's response. Unlike time-based attacks, this method relies on visible changes in content or behavior.

How It Works

The attacker injects conditions that evaluate to true or false. Based on the result, the application behaves differently—perhaps showing content when true and an error or empty response when false.

Example

Extracting a password character by character:

// Original request showing user profile
GET /user?id=1

// Test if password starts with 'a'
GET /user?id=1 AND SUBSTRING(password,1,1)='a'

// Response differs:
// TRUE: Profile displayed normally
// FALSE: Empty page or error

// Binary search for efficiency:
GET /user?id=1 AND ASCII(SUBSTRING(password,1,1))>109  -- is first char > 'm'?

Observable Differences

  • HTTP response code (200 vs 500)
  • Response body length or content
  • Specific text present or absent
  • Redirect behavior
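Because each probe leaves a normal-looking request in the access log, the differences listed above can be turned into a detection: many requests from one client to the same endpoint that carry a boolean condition in a parameter and come back with two distinct body sizes. The script below is an added example written for this page (not code from any product); the log format, the regular expression and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (hypothetical server, hypothetical format):
# client_ip "GET <url-encoded path> HTTP/x" <status> <body length>
# 10.0.0.5 first fetches the profile, then sends four probes whose body length
# alternates between the normal page (2451) and an empty/error page (118).
SAMPLE_LOG = """\
10.0.0.5 "GET /user?id=1 HTTP/1.1" 200 2451
10.0.0.5 "GET /user?id=1+AND+ASCII(SUBSTRING(password,1,1))>109 HTTP/1.1" 200 118
10.0.0.5 "GET /user?id=1+AND+ASCII(SUBSTRING(password,1,1))>64 HTTP/1.1" 200 2451
10.0.0.5 "GET /user?id=1+AND+ASCII(SUBSTRING(password,1,1))>96 HTTP/1.1" 200 118
10.0.0.5 "GET /user?id=1+AND+ASCII(SUBSTRING(password,1,1))>80 HTTP/1.1" 200 2451
10.0.0.9 "GET /user?id=2 HTTP/1.1" 200 2398
10.0.0.9 "GET /search?q=cats+and+dogs&sort=asc HTTP/1.1" 200 5120
10.0.0.9 "GET /static/app.css HTTP/1.1" 200 8811
"""

LOG_LINE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+" (\d{3}) (\d+)$')

# A parameter value followed by AND/OR and then a comparison operator inside the
# same parameter. Deliberately narrow (assumed pattern); the plain-English query
# "cats and dogs" has no comparison operator and is not flagged.
BOOLEAN_PROBE = re.compile(r"(?i)\b(?:and|or)\b[^&]*[=<>]")


def parse_log(text):
    """Parse the constructed log format into dicts with a URL-decoded path."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, raw_path, status, length = m.groups()
        records.append({
            "ip": ip,
            "path": unquote_plus(raw_path),
            "status": int(status),
            "length": int(length),
        })
    return records


def is_boolean_probe(path):
    """True if the query string of a decoded path carries a boolean condition."""
    return bool(BOOLEAN_PROBE.search(urlsplit(path).query))


def find_blind_probing(records, min_probes=3):
    """Group probes by (client, endpoint); alert when the same client sends at
    least min_probes probes whose responses fall into two or more body sizes,
    which is the true/false oracle a boolean-based blind injection relies on."""
    groups = defaultdict(list)
    for r in records:
        if is_boolean_probe(r["path"]):
            groups[(r["ip"], urlsplit(r["path"]).path)].append(r["length"])
    alerts = []
    for (ip, endpoint), lengths in sorted(groups.items()):
        distinct = sorted(set(lengths))
        if len(lengths) >= min_probes and len(distinct) >= 2:
            alerts.append({"ip": ip, "endpoint": endpoint,
                           "probes": len(lengths), "lengths": distinct})
    return alerts


if __name__ == "__main__":
    for alert in find_blind_probing(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed log, the script reports one alert for 10.0.0.5 on /user (4 probes, body sizes 118 and 2451) and nothing for 10.0.0.9. In practice the body-length field is the important one: a status code of 200 on every line, as here, is exactly the case where a code-only rule sees nothing.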

Optimization with Binary Search

Instead of testing each character (26+ attempts), use binary search on ASCII values to find each character in ~7 attempts.

Prevention

  • Use parameterized queries
  • Consistent error handling across all code paths
  • Don't expose different responses based on query results
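The first two prevention points can be seen side by side in one small handler. The code below is an added example for this page, not code from the original or from any framework; it uses Python's built-in sqlite3 module with a constructed in-memory table, and the handler names and response shape are assumptions. The vulnerable version concatenates the id into the SQL text, so an appended condition changes which rows match and the response reveals the result; the hardened version validates the type, binds the value as a parameter, and returns the same "not found" response for malformed input and for a missing row.

```python
import sqlite3


def make_db():
    """Constructed sample database: one user row, in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'hunter2')")  # sample data
    return conn


def profile_vulnerable(conn, user_id):
    """Vulnerable: the request parameter becomes part of the SQL statement, and
    the page is empty when the (attacker-controlled) WHERE clause is false."""
    row = conn.execute("SELECT name FROM users WHERE id=" + user_id).fetchone()
    if row is None:
        return {"status": 200, "body": ""}
    return {"status": 200, "body": f"<h1>{row[0]}</h1>"}


NOT_FOUND = {"status": 404, "body": "not found"}


def profile_safe(conn, user_id):
    """Hardened: validate the type, bind the value with a placeholder so it can
    never be parsed as SQL, and use one response for every failure path."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return dict(NOT_FOUND)
    row = conn.execute("SELECT name FROM users WHERE id=?", (uid,)).fetchone()
    if row is None:
        return dict(NOT_FOUND)
    return {"status": 200, "body": f"<h1>{row[0]}</h1>"}


if __name__ == "__main__":
    db = make_db()
    probe = "1 AND substr(password,1,1)='z'"   # a boolean condition appended to the id
    print("vulnerable:", profile_vulnerable(db, probe))   # empty body: the condition leaked
    print("safe:      ", profile_safe(db, probe))         # same 404 as any bad id
```

The binding alone stops the injection (the whole string is compared against the id column as a value), but the shared NOT_FOUND response is what removes the observable difference: whether the id is malformed or simply absent, the client sees one status code and one body, so there is nothing left to turn into a true/false oracle.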

See Also