Inferential SQL Injection Attacks
Although SQLIA (SQL Injection Attack) made its first public appearance back in, it still stays one of most serious and prevalent threat types. When used properly, attackers can influence what is passed to the database by exploiting weak input validation and/or dynamic construction of SQL statements having no proper usage of type-safe parameter values. This paper describes a class of SQL Injection Attacks (SQLIAs) where attackers can deduce information from the back-end DataBase Management System (DBMS) without transferring actual data. Instead, by using predetermined differentiation mechanism, information is being inferred piece by piece.