Identifying Different SQL Injection Types

In-band SQL injection provides direct feedback through normal application responses. Error-based injection triggers database errors revealing information. Union-based injection combines results from injected queries with normal output. These visible techniques are easiest to identify and exploit but are becoming rarer as applications improve error handling.

Blind SQL injection requires inference from indirect indicators. Boolean-based blind injection causes different application behavior based on true/false conditions. Inject payloads like "AND 1=1" versus "AND 1=2" and compare responses. Consistent differences indicate blind SQL injection. Time-based blind injection uses database sleep functions—if "OR SLEEP(5)" delays response by 5 seconds, injection is confirmed.
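The boolean-based comparison described above can be reproduced against your own code to confirm a fix. This is an added example, not part of the original page: the `products` table, its rows and all function names are assumptions, and it uses an in-memory SQLite database so it runs offline.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demonstration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [(1, "widget"), (2, "gadget")])
    return db

def lookup_vulnerable(db, product_id):
    # Deliberately vulnerable: user input is concatenated into the SQL text.
    sql = "SELECT name FROM products WHERE id = " + product_id
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, product_id):
    # Hardened: the input is bound as a value and never parsed as SQL.
    return [row[0] for row in db.execute(
        "SELECT name FROM products WHERE id = ?", (product_id,))]

def boolean_differential(lookup, db, base="1"):
    """Return True if the handler answers the true/false probe pair differently."""
    baseline = lookup(db, base)
    true_resp = lookup(db, base + " AND 1=1")
    false_resp = lookup(db, base + " AND 1=2")
    # Blind injection signal: the true probe matches the baseline response
    # while the false probe does not, i.e. the condition reached the database.
    return true_resp == baseline and false_resp != baseline

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_vulnerable, lookup_parameterized):
        print(fn.__name__, "differential:", boolean_differential(fn, db))
```

With the parameterized handler both probes are treated as one literal value that matches no row, so the two responses are identical and the differential disappears.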

Out-of-band SQL injection uses alternative channels for data extraction. DNS requests, HTTP requests to external servers, or email functionality might provide data exfiltration paths. While ZAP doesn't directly detect out-of-band injection, manual testing can identify possibilities. Look for functions that might trigger external communications when combined with SQL injection.