[This lab](https://portswigger.net/web-security/sql-injection/blind/lab-time-delays) demonstrates a **blind SQL injection** scenario where no output, errors, or content changes are observable. However, by injecting a **time delay function** (`pg_sleep` in PostgreSQL), we can prove successful injection through a **noticeable delay** in server response. ##### Step 1: Identify the Injection Point 1. Open the lab in Burp’s browser 2. Go to **Proxy → HTTP history** 3. Find a `GET /` request with a cookie like: ``` TrackingId=xyz; session=... ``` 4. Send it to **Repeater** --- ##### Step 2: Test Injection with a Time Delay Replace the `TrackingId` value with: ```http TrackingId=x'||pg_sleep(10)-- ``` - `||` concatenates strings in PostgreSQL - `pg_sleep(10)` introduces a 10-second delay - `--` comments out the rest of the SQL --- ##### Step 3: Observe the Response 1. Click **Send** 2. Measure the response time (you can watch the timer at the bottom of Repeater) ![[CleanShot 2025-04-17 at 22.31.57.png]] ✅ If the response takes **10 seconds**, the injection succeeded ❌ If response is immediate, adjust syntax depending on DBMS (this lab uses PostgreSQL) --- ### 🔍 Why This Works The original SQL query is using the `TrackingId` cookie in a string context. By injecting: ```sql '||pg_sleep(10)-- ``` You are effectively altering the query to: ```sql ... WHERE tracking_id = 'x' || pg_sleep(10)-- ``` This causes the database to **pause execution**, confirming your input reached the SQL engine and was executed.