[This lab](https://portswigger.net/web-security/sql-injection/blind/lab-time-delays) demonstrates a **blind SQL injection** scenario where no output, errors, or content changes are observable. However, by injecting a **time delay function** (`pg_sleep` in PostgreSQL), we can prove successful injection through a **noticeable delay** in server response.
##### Step 1: Identify the Injection Point
1. Open the lab in Burp’s browser
2. Go to **Proxy → HTTP history**
3. Find a `GET /` request with a cookie like:
```
TrackingId=xyz; session=...
```
4. Send it to **Repeater**
---
##### Step 2: Test Injection with a Time Delay
Replace the `TrackingId` value with:
```http
TrackingId=x'||pg_sleep(10)--
```
- `||` concatenates strings in PostgreSQL
- `pg_sleep(10)` introduces a 10-second delay
- `--` comments out the rest of the SQL
---
##### Step 3: Observe the Response
1. Click **Send**
2. Measure the response time (you can watch the timer at the bottom of Repeater)
![[CleanShot 2025-04-17 at 22.31.57.png]]
✅ If the response takes **10 seconds**, the injection succeeded
❌ If response is immediate, adjust syntax depending on DBMS (this lab uses PostgreSQL)
---
### 🔍 Why This Works
The original SQL query is using the `TrackingId` cookie in a string context. By injecting:
```sql
'||pg_sleep(10)--
```
You are effectively altering the query to:
```sql
... WHERE tracking_id = 'x' || pg_sleep(10)--
```
This causes the database to **pause execution**, confirming your input reached the SQL engine and was executed.