
🗂️PortSwigger Lab Writeup: Blind SQL Injection with Time Delays



🎯 Objective

The objective of this lab is to exploit a blind SQL injection vulnerability in a web application. The application uses a tracking cookie to track users for analytics and passes its value to a SQL query in an unsafe way. Our goal is to cause a 10-second delay in the response.

  • Lab URL: https://portswigger.net/web-security/sql-injection/blind/lab-time-delays
  • Category: SQL Injection
  • Difficulty: Practitioner

💉 Payloads Used

1. For causing time delay

  • Payload 1 - ✅
FAIwSa3l4QHjyOmp'||CASE WHEN (1=1) THEN pg_sleep(10) ELSE pg_sleep(0) END--

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • Open the lab URL in your browser and explore its functionality.
  • At first glance, the website appears to be a shopping site with an option to filter products by category and a login page. The lab description mentions that the vulnerability is in the tracking cookie, whose value is used directly in a SQL query.

🧰Step 2: Cause Time Delay

  • Open Burp Suite and send a request containing the TrackingId cookie to the Repeater tab with Ctrl + R.
  • In the Repeater tab, we try our first payload, crafted specifically for a PostgreSQL time-based delay: FAIwSa3l4QHjyOmp'||CASE WHEN (1=1) THEN pg_sleep(10) ELSE pg_sleep(0) END--
  • After sending this payload, we were able to cause a 10-second delay in the response.
  • Finally, the lab is solved.

🧠 Conclusion

  • This lab demonstrates a Blind SQL Injection vulnerability with time delays, where the application directly concatenates the TrackingId cookie into a SQL query without validation.
  • By crafting a PostgreSQL-specific payload using pg_sleep(10), we were able to introduce a 10-second delay in the server’s response, confirming successful injection.
  • This highlights how an attacker can exploit blind SQL injection to infer data without directly seeing query results, instead relying on timing differences.
  • Finally, we confirmed that the application is vulnerable, and the lab was successfully solved.
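
The concatenation described in the conclusion, next to the parameterized form that closes it, as an added example (not code from the lab or from this writeup). It assumes an in-memory SQLite database standing in for the lab's PostgreSQL backend, a hypothetical `tracked_users` table and query shape, and a `pg_sleep` stub that records the requested delay instead of sleeping.

```python
import sqlite3

# Constructed sample: the payload from the writeup with a shortened cookie value.
PAYLOAD = "abc123'||CASE WHEN (1=1) THEN pg_sleep(10) ELSE pg_sleep(0) END--"


def make_db():
    """In-memory SQLite standing in for the lab's PostgreSQL backend (assumption)."""
    db = sqlite3.connect(":memory:")
    sleep_calls = []  # seconds requested through the stubbed pg_sleep

    def pg_sleep_stub(seconds):
        # Record the request instead of blocking, so the demo runs instantly.
        sleep_calls.append(seconds)
        return ""

    db.create_function("pg_sleep", 1, pg_sleep_stub)
    # Hypothetical table; the lab does not reveal its schema.
    db.execute("CREATE TABLE tracked_users (tracking_id TEXT)")
    db.execute("INSERT INTO tracked_users VALUES ('abc123')")
    return db, sleep_calls


def lookup_vulnerable(db, tracking_id):
    # Cookie value concatenated into the statement: it is parsed as SQL.
    sql = "SELECT tracking_id FROM tracked_users WHERE tracking_id = '" + tracking_id + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, tracking_id):
    # Cookie value bound as data: it is only ever compared as a string.
    sql = "SELECT tracking_id FROM tracked_users WHERE tracking_id = ?"
    return db.execute(sql, (tracking_id,)).fetchall()


def run_demo():
    """Send the same cookie value through both lookups and report what ran."""
    results = {}
    for name, lookup in (("vulnerable", lookup_vulnerable),
                         ("parameterized", lookup_parameterized)):
        db, sleep_calls = make_db()
        rows = lookup(db, PAYLOAD)
        results[name] = {"rows": rows, "sleep_calls": list(sleep_calls)}
        db.close()
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

With the concatenated query the stub is reached with a 10-second request; with the bound parameter the whole cookie is compared as a literal string, so no delay function runs and no row matches.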