Description
Time-based (blind) SQL injection is a type of SQL injection attack in which the attacker injects SQL that makes query execution take measurably longer when a chosen condition is true, then infers information about the database from the response time alone, without seeing any query output. By measuring these delays, attackers can deduce the structure and content of the database, leading to data theft, modification of database records, unauthorized access, and potential control over the entire database management system (DBMS).
Recommendation
To prevent Time Based SQL Injection attacks, developers should prioritize the use of prepared statements or parameterized queries instead of concatenating user input into SQL queries directly. If prepared statements are not feasible, ensure proper input validation and sanitization. Additionally, implement measures to detect and mitigate time-based attacks, such as imposing query execution time limits or using database-specific security features to minimize the impact of delays caused by injected queries.
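As an added example (not part of this entry), the two patterns above side by side in Python with sqlite3: a lookup that concatenates input, its parameterized replacement, and a per-query execution deadline implemented with SQLite's progress handler. The table, its rows and the slow query are constructed for the demonstration.

```python
import sqlite3
import time

def make_db():
    # Constructed in-memory sample data; not taken from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_vulnerable(conn, username):
    # Vulnerable pattern: untrusted input concatenated into the SQL text, so
    # quotes and operators in the input are parsed as part of the query.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username):
    # Hardened pattern: a parameterized query. The input is bound as a value
    # after the statement is compiled, so it can never alter the query logic.
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]

def run_with_deadline(conn, sql, params, max_seconds):
    # Execution time limit. SQLite invokes the progress handler every 1000
    # VM instructions; a non-zero return aborts the running statement with
    # OperationalError("interrupted"). This bounds how long any single query,
    # injected or not, can keep the database busy.
    deadline = time.monotonic() + max_seconds
    conn.set_progress_handler(lambda: 1 if time.monotonic() > deadline else 0, 1000)
    try:
        return "ok", conn.execute(sql, params).fetchall()
    except sqlite3.OperationalError as exc:
        if "interrupted" in str(exc):
            return "timeout", None
        raise
    finally:
        conn.set_progress_handler(None, 0)

# Constructed stand-in for a slow query: a recursive CTE counting to 50 million.
SLOW_SQL = ("WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x + 1 FROM c "
            "WHERE x < 50000000) SELECT count(*) FROM c")

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "x' OR '1'='1"))        # every user: the input rewrote the WHERE clause
    print(lookup_safe(db, "x' OR '1'='1"))              # []: treated as a literal username
    print(run_with_deadline(db, SLOW_SQL, (), 0.05)[0])  # timeout
```

The deadline is a containment measure only: it caps the delay an injected query can cause but does not remove the injection, which only the parameterized form does.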
References
- OWASP: SQL Injection
- OWASP: ESAPI project
- Wikipedia: Prepared statement
- CWE-89
- CAPEC-66
- OWASP 2021-A3