SQL Injection - Oracle (Time Based)

ID

sql_injection_oracle_time_based

Severity

critical

Kind

Injection

CWE

89

Description

This detector identifies Oracle databases vulnerable to time-based blind SQL injection attacks. It injects database-specific delay functions into input parameters and measures response times to detect SQL injection vulnerabilities when direct error messages are not available.

Rationale

Time-based blind SQL injection allows attackers to extract sensitive data from Oracle databases by injecting payloads that cause measurable delays in responses. Attackers use functions like DBMS_LOCK.SLEEP() or heavy computational queries to infer database structure and content based on response timing differences. Successful exploitation can lead to complete database compromise, including unauthorized data access, privilege escalation to DBA roles, and potential server takeover through PL/SQL injection or Java stored procedures.

Remediation

Do not trust client-side input, even if client-side validation is in place; in general, type check all data on the server side. If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'. If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries. If database stored procedures can be used, use them, but do not concatenate strings into queries inside the stored procedure, and do not use 'exec', 'exec immediate', or equivalent functionality. Do not build dynamic SQL queries with simple string concatenation. Escape all data received from the client. Apply an allow list of permitted characters, or a deny list of disallowed characters, to user input. Apply the principle of least privilege by connecting as the least privileged database user possible; in particular, avoid the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but it minimizes its impact. Grant only the minimum database access the application needs.
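The following is an added example, not part of this detector's documentation, showing the two remediation layers side by side: a server-side allow-list type check on a numeric parameter, and bind variables instead of string concatenation for a text parameter. sqlite3 stands in for Oracle so that it runs offline; the ":name" bind-variable syntax is the same one python-oracledb uses against Oracle, so the hardened functions carry over unchanged. The table, rows and function names are constructed for illustration.

```python
import re
import sqlite3

# sqlite3 stands in for Oracle so the example runs offline; the ":name" bind-variable
# syntax below is the same one python-oracledb accepts for Oracle. All rows are
# constructed sample data.


def make_demo_db() -> sqlite3.Connection:
    """Build an in-memory table with constructed rows, including a name containing a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (id, username) VALUES (:id, :username)",
        [{"id": 1, "username": "alice"}, {"id": 2, "username": "o'connor"}],
    )
    return conn


def find_user_by_name_unsafe(conn, username: str):
    """Vulnerable pattern: the input is spliced into the SQL text, so the database
    parser sees whatever the client sent. Even a legitimate apostrophe breaks the
    statement, which is exactly the behaviour a blind-injection detector probes for."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_by_name(conn, username: str):
    """Hardened: the SQL text is constant; the value travels separately as a bind
    variable and can only ever be compared as data, never parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE username = :username"
    return conn.execute(sql, {"username": username}).fetchall()


_ID_RE = re.compile(r"[0-9]{1,10}")  # allow list: a user id is a short run of digits


def parse_user_id(raw: str) -> int:
    """Server-side type check, applied regardless of any client-side validation."""
    if not _ID_RE.fullmatch(raw):
        raise ValueError("user id must be 1-10 digits")
    return int(raw)


def find_user_by_id(conn, raw_id: str):
    """Validate first, then bind; the two layers are independent defences."""
    sql = "SELECT id, username FROM users WHERE id = :id"
    return conn.execute(sql, {"id": parse_user_id(raw_id)}).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    print(find_user_by_name(db, "o'connor"))  # the quote is just data here
    try:
        find_user_by_name_unsafe(db, "o'connor")
    except sqlite3.OperationalError as exc:
        print("concatenated query reached the SQL parser:", exc)
    print(find_user_by_id(db, "1"))
    try:
        find_user_by_id(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected by allow list before any query ran:", exc)
```

The concatenated version fails on an ordinary name with an apostrophe, which is the same property an attacker relies on; the bound version returns that user correctly, and the id lookup refuses anything that is not a plain integer before a statement is ever built.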