Security Basics mailing list archives
Slow down blind SQL injection
From: Tiago Batista <tsbatista () ua pt>
Date: Tue, 2 Oct 2007 13:12:34 +0100
Hello all,

Today I was brainstorming and came up with an idea that may help slow down blind SQL injection on a web application. I remembered that usually a user will read a page before submitting a new query, and that takes time, so why not keep a timestamp on the user session and enforce some time between queries? I did not search to find out if some applications out there are using this, but I would like your input on the following:

1. Depending on the timestamp, do you think the users will be very annoyed at some error asking them to try again in a few seconds?
2. Given that most automated SQL injectors depend on a boolean result from the query, and this ends up serving a third page, how much will this confuse those tools?
3. Assuming that the programmer will log several attempts, will this help to find and correct blind injection points?

Thank you all,
Tiago

P.S. Please do not cc this mail as I am subscribed with a different address <tiagosbatista (AT) gmail (DOT) com>