Quiz Entry - updated: 2026.06.20
What is an out-of-band SQL injection attack?
The data leaves through a separate channel (DNS, email, an HTTP callback) rather than the response the attacker sent.
Out-of-band injection exfiltrates data through a different channel than the original request.
Example flow:
- Attacker sends:
transactionID= '1' UNION ALL SELECT USERNAME, PASSWORD, 0 FROM USERS-- - Server responds with
200 OK(no visible data) - Later, during batch processing, an email is sent containing the exfiltrated data
This is useful when the application doesn't display query results directly.