2021, Indonesian Journal of Electrical Engineering and Computer Science
SQL injection attacks have been rated as the most dangerous vulnerability of web-based systems for more than a decade by the OWASP Top Ten. Though different static, runtime and hybrid approaches have been proposed to counter SQL injection attacks, no single approach guarantees flawless prevention or detection of these attacks. Hundreds of components of open source and commercial software products are reported to the CVE repository as vulnerable to SQL injection every year. In this mapping study, we identify the different existing approaches in terms of the cost of computation and the protection offered. We found that most of the existing techniques claim to offer protection based on testing at a very small or limited scale. This study dissects each proposed approach, highlights its strengths and weaknesses, and categorizes the approaches based on the underlying technology used to detect or counter injection attacks.
Bulletin of National Technical University "KhPI". Series: System Analysis, Control and Information Technologies, 2018
Software security gains importance day by day, and developers try to secure web applications as much as possible to protect the confidentiality, integrity and availability described in the fundamental security model known as the CIA triad. The SQL injection vulnerability, which can violate the confidentiality and integrity principles of the CIA triad, is reviewed, and SQL injection attack execution and protection techniques are explained. The common frameworks' solutions against the SQL injection vulnerability were compared, and this comparison showed the most used techniques in this domain. Error-based and time-based detection algorithms for identifying SQL injection are developed to create a vulnerability scanner that can detect SQL injection flaws in web applications, and these algorithms are represented in the form of UML activity diagrams. In order to discover all possible links and forms to perform SQL injection vulnerability tests on the entire website, a web crawler...
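The two detection strategies named in the abstract, error-based (send a quote-breaking payload and search the response for a database error message) and time-based (send a SLEEP payload and compare the response time against a baseline), are small enough to show in code. The following is an added example, not the scanner the paper describes: the target is a constructed in-process stand-in for a vulnerable PHP/MySQL search page, so the check runs offline, and the error signatures, payload strings and delay threshold are assumptions chosen for illustration.

```python
import re

# MySQL error fragments searched for in a response body (assumed, not exhaustive).
MYSQL_ERROR_SIGNATURES = [
    r"You have an error in your SQL syntax",
    r"Warning: mysql(i)?_fetch_array\(\)",
    r"supplied argument is not a valid MySQL result",
]
ERROR_RE = re.compile("|".join(MYSQL_ERROR_SIGNATURES), re.IGNORECASE)

# Quote-breaking probes for the error-based check (assumed payload set).
ERROR_PAYLOADS = ["'", '"', "')"]


def time_payload(seconds):
    """MySQL-specific time-based probe: closes the string, ORs in a SLEEP, comments out the rest."""
    return f"' OR SLEEP({seconds})-- "


def detect_error_based(send, base_value):
    """send(value) -> (body, elapsed_seconds). Returns the probe that produced a DB error, else None."""
    for probe in ERROR_PAYLOADS:
        body, _ = send(base_value + probe)
        if ERROR_RE.search(body):
            return probe
    return None


def detect_time_based(send, base_value, delay=3.0, samples=2):
    """True only if every SLEEP probe is slower than the baseline by ~delay (80% margin absorbs jitter)."""
    baseline = max(send(base_value)[1] for _ in range(samples))
    for _ in range(samples):
        _, elapsed = send(base_value + time_payload(delay))
        if elapsed - baseline < delay * 0.8:
            return False  # one fast response is enough to reject; avoids false positives from slow hosts
    return True


def scan_parameter(send, base_value):
    """Run both checks; the time-based one matters when the app hides errors."""
    return {
        "error_based": detect_error_based(send, base_value),
        "time_based": detect_time_based(send, base_value),
    }


def make_mock_target(vulnerable, verbose_errors):
    """Constructed stand-in for a PHP/MySQL page. Returns send(value) -> (body, elapsed).
    SLEEP is simulated by adding to the elapsed time rather than blocking, so tests stay fast."""
    def send(value):
        elapsed = 0.05  # assumed normal round-trip
        if not vulnerable:
            return "<html>0 results</html>", elapsed  # parameterised query: input is just data
        m = re.search(r"SLEEP\((\d+(?:\.\d+)?)\)", value, re.IGNORECASE)
        if m:  # quote closed and a valid clause injected: query runs, server sleeps
            return "<html>0 results</html>", elapsed + float(m.group(1))
        if "'" in value or '"' in value:  # unbalanced quote: syntax error
            if verbose_errors:
                return "Warning: mysql_fetch_array() ... You have an error in your SQL syntax", elapsed
            return "<html>An error occurred</html>", elapsed  # generic page, error hidden
        return "<html>1 result</html>", elapsed
    return send


if __name__ == "__main__":
    print(scan_parameter(make_mock_target(vulnerable=True, verbose_errors=False), "1"))
```

The point the mock makes is the one that motivates having both algorithms: with verbose errors off, the error-based check returns nothing, while the time-based check still flags the parameter. Against a real host, `send` would issue the HTTP request and time it, and the delay should be chosen above the target's observed jitter.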
2012
SQL injection is a type of attack in which the attacker adds Structured Query Language code to a web form input box to gain access to or make changes to data. An SQL injection vulnerability allows an attacker to pass commands directly to a web application's ...
2010 3rd International Conference on Computer Science and Information Technology, 2010
Anti SQL IA Vaccine is a new concept for the detection and prevention of SQL injection attacks in the development phase itself, which helps manage important private customer data securely by mirroring the important database structures into unique secure mirroring tables, managed in a separately administered secure data management system that runs on the same or a different server. An independently managed verification tool is used to inspect the source code of the web pages for possible SQL injection at the development phase itself. This is an effective medium for the prevention and detection of SQL injection, one of the major web attack techniques used by various malware and hackers to steal valuable data from the websites of organizations that manage their transactions through online and web databases. These are a unique type of intrusion that takes advantage of improperly managed or amateur coding in web applications. SQLIA allows intruders to inject SQL commands through web forms to access data, allowing them to gain access to the data held within your database. In this paper we discuss several types of SQLIAs, existing techniques and their drawbacks. Finally, I have proposed a solution for SQLIA detection using a data dictionary and prevention using the intrusion search along with the SQL vaccine. I have implemented it using ASP.NET with VB.NET and SQL Server 2008, although this algorithm can be implemented in any language and for any database platform with minimal modifications.
2011
Structured Query Language (SQL) injection is an attack method used by hackers to retrieve, manipulate, fabricate or delete information in organizations' relational databases through Web applications. Construction of secure software is not an easy task, given the complexities that may be faced. SQL injection is increasingly exploiting the weaknesses of software year after year around the world. Security-relevant issues in this area had not been properly addressed in the relevant literature during the software development cycle. This paper presents an approach called Centralized Dynamic Protection against SQL Injection Attacks in Web Applications (CDPIA) that creates a data-type checking system to prevent data type mismatches in dynamically generated SQL queries. To strengthen the approach, CDPIA utilizes an encryption technique using the Rivest, Shamir and Adleman (RSA) algorithm. The paper also discusses and presents the most common Web application vulnerabilities with possible attack scenarios...
2010
Data security has become a topic of primary discussion for security experts. Vulnerabilities are pervasive, exposing organizations and firms to a wide array of risks. A code injection attack, a major concern for web security, occurs when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or is not strongly typed and is thereby unexpectedly executed, causing an error due to improper setup or coding such that the system fails to handle or properly respond to exceptional or unexpected data or conditions, which results in a situation wherein user credentials can be captured by injecting exceptional data. In spite of many tools and techniques, attacks on web applications, especially through SQL injection attacks, are on the rise. Threat modeling is an important risk assessment and mitigation practice that provides the capability to secure a web application. A comprehensively designed threat model can provide a bet...
Tehnički glasnik
Many intentionally vulnerable web applications are circulating on the Internet that serve as a legal test ground for practicing SQL injection attacks. For demonstration purposes the attacks will target an Acunetix test web application created using the PHP programming language and the MySQL relational database. In the practical part, the execution of the attack itself largely depends on the database management system, so the displayed syntax is intended only for the MySQL database management system. An example of an automated attack will be executed with sqlmap in a Kali Linux virtual environment. Security guidelines with the purpose of protecting databases are also discussed.
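The abstract's point that the attack syntax is DBMS-specific while the underlying flaw is not can be shown with a vulnerable query beside its parameterized form. The following is an added example, not the article's Acunetix/PHP demonstration: SQLite stands in for MySQL so it runs offline, the schema and rows are constructed, and only payload syntax both engines accept is used (a MySQL-only `#` comment or `SLEEP()` would not carry over).

```python
import sqlite3


def setup():
    """Constructed schema: a product catalogue (the searched table) and a users table to exfiltrate."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users(username, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2');
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products(name, price) VALUES ('lamp', 9.5), ('desk', 120.0);
    """)
    return con


def search_vulnerable(con, name):
    """The flaw: user input is spliced into the SQL text, so quotes in it change the query."""
    sql = f"SELECT name, price FROM products WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def search_safe(con, name):
    """The fix: a bound parameter is sent as data; the query structure is fixed before input arrives."""
    return con.execute("SELECT name, price FROM products WHERE name = ?", (name,)).fetchall()


# Payloads in the syntax subset shared by MySQL and SQLite.
TAUTOLOGY = "' OR '1'='1"                                   # makes the WHERE clause always true
UNION = "' UNION SELECT username, password FROM users-- "   # appends another table's rows


if __name__ == "__main__":
    con = setup()
    print("tautology, vulnerable:", search_vulnerable(con, TAUTOLOGY))
    print("union, vulnerable:    ", search_vulnerable(con, UNION))
    print("union, parameterised: ", search_safe(con, UNION))
```

The UNION payload works here because SQLite, like MySQL, requires only that the column count matches; the `-- ` sequence (with the trailing space, which MySQL demands) comments out the dangling quote the application appends. Column-type and comment-syntax differences are exactly why the article restricts its displayed syntax to MySQL.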