SQL Injection Attacks Countermeasures

2012 ◽  
pp. 194-213
Author(s):  
Kasra Amirtahmasebi ◽  
Seyed Reza Jalalinia
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Confidential Information ◽  
Sql Injection ◽  
Unauthorized Access ◽  
Injection Attacks ◽  
Prevention Techniques ◽  
Sql Injection Attack ◽  
Sql Injection Attacks ◽  
The Web

Due to the huge growth in the need for using Web applications worldwide, there have been huge efforts from programmers to develop and implement new Web applications to be used by companies. Since a number of these applications lack proper security considerations, malicious users will be able to gain unauthorized access to confidential information of organizations. A concept called SQL Injection Attack (SQLIA) is a prevalent method used by attackers to extract the confidential information from organizations’ databases. They work by injecting malicious SQL codes through the web application, and they cause unexpected behavior from the database. There are a number of SQL Injection detection/prevention techniques that must be used in order to prevent unauthorized access to databases.

SQL Injection Attack on Web Application

2018 ◽  
Vol 7 (S1) ◽  
pp. 11-15
Author(s):  
S. Parameswari ◽  
K. Kavitha
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Sql Injection ◽  
Injection Attacks ◽  
Sql Injection Attack ◽  
Simplified Algorithm ◽  
Basic Features ◽  
Sql Injection Attacks ◽  
Almost All ◽  
The Web

SQL injection attacks are one of the highest dangers for applications composed for the Web. These attacks are dispatched through uncommonly made client information on web applications that utilizes low level string operations to build SQL queries. An SQL injection weakness permits an assailant to stream summons straightforwardly to a web application’s hidden database and annihilate usefulness or privacy. In this paper we proposed a simplified algorithm which works on the basic features of the SQL Injection attacks and will successfully detect almost all types of SQL Injection attacks. In the paper we have also presented the experiment results in order to acknowledge the proficiency of our algorithm.

Method to Detect SQL Injection Attacks for Complex Network Environment

2013 ◽  
Vol 651 ◽  
pp. 841-845
Author(s):  
Wu Min Pan
Keyword(s):  
Operating Systems ◽  
Web Application ◽  
Security Risk ◽  
Defense System ◽  
Sql Injection ◽  
Injection Attacks ◽  
Test Application ◽  
Sql Injection Attack ◽  
Sql Injection Attacks ◽  
The Web

SQL injection has become a serious security risk among all the attacks against Web application. The SQL injection attack allows an attacker to access the underlying database unrestrictedly, and furthermore, retrieves the confidential information of the corporation and the network user. We found that most of the existing researches are able to detect most of the attacks, but they do not consider the complexity involved in using the defense system and the eventual cost of modification of the original program. For this reason, we conducts an in-depth research on SQL injection and defense: requires no modification of the web application code,and can be adapted to different usage scenarios,involving also different operating systems and server applications,and can be able to detect all the known injection points for the test application

scholarly journals Neutralizing SQL Injection Attack on Web Application Using Server Side Code Modification

2019 ◽  
pp. 158-173
Author(s):  
Sarjiyus O. ◽  
El-Yakub M. B.
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Web Security ◽  
Security Threat ◽  
Sql Injection ◽  
Server Side ◽  
Injection Attacks ◽  
Sql Injection Attack ◽  
Sql Injection Attacks ◽  
Code Modification

SQL Injection attacks pose a very serious security threat to Web applications and web servers. They allow attackers to obtain unrestricted access to the databases underlying the applications and to the potentially sensitive and important information these databases contain. This research, “Neutralizing SQL Injection attack on web application using server side code modification” proposes a method for boosting web security by detecting SQL Injection attacks on web applications by modification on the server code so as to minimize vulnerability and mitigate fraudulent and malicious activities. This method has been implemented on a simple website with a database to register users with an admin that has control privileges. The server used is a local server and the server code was written with PHP as the back end. The front end was designed using MySQL. PHP server side scripting language was used to modify codes. ‘PDO prepare’ a tool to prepare parameters to be executed. The proposed method proved to be efficient in the context of its ability to prevent all types of SQL injection attacks. Acunetix was used to test the vulnerability of the code, and the code was implemented on a simple website with a simple database. Some popular SQL injection attack tools and web application security datasets have been used to validate the model. Unlike most approaches, the proposed method is quite simple to implement yet highly effective. The results obtained are promising with a high accuracy rate for detection of SQL injection attack.

scholarly journals Neutralizing SQL Injection Attack Using Server Side Code Modification in Web Applications

2017 ◽  
Vol 2017 ◽  
pp. 1-12 ◽  
Author(s):  
Asish Kumar Dalai ◽  
Sanjay Kumar Jena
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Large Set ◽  
Sql Injection ◽  
Web Application Security ◽  
Application Security ◽  
Server Side ◽  
Injection Attacks ◽  
Sql Injection Attack ◽  
Sql Injection Attacks

Reports on web application security risks show that SQL injection is the top most vulnerability. The journey of static to dynamic web pages leads to the use of database in web applications. Due to the lack of secure coding techniques, SQL injection vulnerability prevails in a large set of web applications. A successful SQL injection attack imposes a serious threat to the database, web application, and the entire web server. In this article, the authors have proposed a novel method for prevention of SQL injection attack. The classification of SQL injection attacks has been done based on the methods used to exploit this vulnerability. The proposed method proves to be efficient in the context of its ability to prevent all types of SQL injection attacks. Some popular SQL injection attack tools and web application security datasets have been used to validate the model. The results obtained are promising with a high accuracy rate for detection of SQL injection attack.

scholarly journals Secure Online Election System

2019 ◽  
Vol 8 (11S) ◽  
pp. 1166-1171
Keyword(s):  
Web Application ◽  
Control Unit ◽  
Sql Injection ◽  
Stored Procedure ◽  
Injection Attacks ◽  
Election System ◽  
Sql Injection Attack ◽  
Online Voting ◽  
One Way Function ◽  
Sql Injection Attacks

India, the biggest democratic ruling system in terms of population utilises the Electronic Voting Machine or EVM for their general elections. Any EVM comprises of two units: The Control unit and the Ballot unit. O n g o i n g re s e a rc h h a s i n d i c a t e d m a n y disadvantages in the system. One of the main disadvantages we encounter is that many researchers have claimed that the EVM can easily be tampered with. EVMs also encounter many physical threats. To prevent these drawbacks, we have proposed an online voting s y s t e m w h i c h c o u n t e r m a n y p h y s i c a l difficulties faced by the EVM. One main difficulty in the online system is the SQL Injection attack. SQL injection is messing with the database and controlling it with the help of SQL Queries. Our project focuses on the Tautology based SQL Injection attack. In this attack, a statement whose value will always be true or 1 is passed instead of username and password by the hacker. This allows access to t h e d a t a b a s e w h i c h a l l o w s h i m / h e r t o manipulate it. Manipulation can be of several kinds. Web based Voting is another innovation that is rising which has the possibility of countering numerous downsides looked by the EVMs. The online voting application works as any other web application. Each voter who wants to vote needs to fill all the required details and create an account on the website first. On the day of voting, when voters cast their vote, they need to sign in with their respective credentials. When the credentials match with the data from database, the voter can get to the voting page and make his choice. An affirmation mail is the sent to the client after effectively making the choice. The votes cast by the voters are sent to a separate database which is viewed in the administration s i d e . We u s e s t o r e d p r o c e d u r e s a n d parameterized queries to prevent the Tautology based SQL attack. If a malicious user enters any query which has a value, it will simply be passed as a parameter to the SQL statement and wont be a component of the SQL statement itself, thus rendering the stored procedure invulnerable to SQL injection attacks. We also use the Secure Hash Algorithm 256 (SHA-256). It is a type of cryptographic hash function which generates a unique 256 bit long hash key for each vote. It is a one way function and so it cannot be decrypted. This ensures that the votes are not manipulated.

scholarly journals Models and scenarios of implementation of threats for internet resources

2020 ◽  
Vol 8 (6) ◽  
pp. 9-33
Author(s):  
S. A. Lesko
Keyword(s):  
Web Application ◽  
Query Language ◽  
Sql Injection ◽  
Web Resource ◽  
Injection Attacks ◽  
Sql Injections ◽  
Sql Injection Attacks ◽  
Client Side ◽  
Cross Site ◽  
The Web

To facilitate the detection of various vulnerabilities, there are many different tools (scanners) that can help analyze the security of web applications and facilitate the development of their protection. But these tools for the most part can only identify problems, and they are not capable of fixing them. Therefore, the knowledge of the security developer is a key factor in building a secure Web resource. To resolve application security problems, developers must know all the ways and vectors of various attacks in order to be able to develop various protection mechanisms. This review discusses two of the most dangerous vulnerabilities in the field of Web technologies: SQL injections and XSS attacks (cross-site scripting – XSS), as well as specific cases and examples of their application, as well as various approaches to identifying vulnerabilities in applications and threat prevention. Cross-site scripting as well as SQL-injection attacks are related to validating input data. The mechanisms of these attacks are very similar, but in the XSS attacks the user is the victim, and in the SQL injection attacks, the database server of the Web application. In XSS attacks, malicious content is delivered to users by means of a client-side programming language such as JavaScript, while using SQL injection, the SQL database query language is used. At the same time, XSS attacks, unlike SQL injections, harm only the client side leaving the application server operational. Developers should develop security for both server components and the client part of the web application.

Bind but Dynamic Technique

2009 ◽  
pp. 880-890
Author(s):  
Ahmad Hammoud ◽  
Ramzi A. Haraty
Keyword(s):  
Web Application ◽  
Efficient Solution ◽  
Web Applications ◽  
Query Language ◽  
Sql Injection ◽  
Injection Attacks ◽  
Dynamic Technique ◽  
Structured Query Language ◽  
Sql Injection Attacks ◽  
Web Developers

Most Web developers underestimate the risk and the level of damage that might be caused when Web applications are vulnerable to SQL (structured query language) injections. Unfortunately, Web applications with such vulnerability constitute a large part of today’s Web application landscape. This article aims at highlighting the risk of SQL injection attacks and provides an efficient solution.

A Research of the Essence of SQL Injection Attacks Vulnerability

2015 ◽  
Vol 719-720 ◽  
pp. 935-940
Author(s):  
Min Wan ◽  
Kun Liu
Keyword(s):  
Static Analysis ◽  
Web Application ◽  
Web Applications ◽  
Semantic Information ◽  
Semantic Gap ◽  
Sql Injection ◽  
Injection Attacks ◽  
Web System ◽  
Sql Injection Attacks ◽  
Filtering Techniques

Semantic Gap problem is the essence of the SQL Injection Attacks vulnerability in Web applications. Web application loses the semantic information while the SQL statement is constructed dynamically. This paper analyzes the cause of the SQLIA vulnerability. And then it analyzes several suggested techniques, such as the filtering techniques and the static analysis, and points out their drawbacks in the SOLIA prevention, which leads to the conclusion that the key problem for the eradication of SQLIA is to solve the semantic gap problem causing by the unstructured SQL statement in the process of constructing a Web system dynamically.

REVIEW ON SQL INJECTION PROTECTION METHODS AND TOOLS

2015 ◽  
Vol 77 (13) ◽  
Author(s):  
Muhammad Saidu Aliero ◽  
Imran Ghani ◽  
Syeed Zainudden ◽  
Muhammad Murad Khan ◽  
Munir Bello
Keyword(s):  
Second Order ◽  
Sql Injection ◽  
Common Trends ◽  
Web Based ◽  
Unauthorized Access ◽  
Injection Attacks ◽  
Sql Injection Attack ◽  
Sql Injection Attacks ◽  
Store Procedure ◽  
Tools And Methods

SQL injection vulnerability is one of the most common web-based application vulnerabilities that can be exploited by SQL injection attack. Successful SQL Injection Attacks (SQLIA) result in unauthorized access and unauthorized data modification. Researchers have proposed many methods to tackle SQL injection attack, however these methods fail to address the whole problem of SQL injection attack, because most of the approaches are vulnerable in nature, cannot resist sophisticated attack or limited to scope of subset of SQLIA type. In this paper we provide a detailed background of SQLIA together with vulnerable PHP code to demonstrate how attacks are being carried out, and discuss most commonly used method by programmers to defend against SQLIA and the disadvantages of such an approach. Lastly we reviewed most commonly use tools and methods that act a firewall for preventing SQLIA, finally wean alytically evaluated reviewed tools and methods based on our experience with respect to five different perspectives. Our evaluation results point out common trends on current SQLI prevention tools and methods. Most of these methods and tools have problems addressing store-procedure attacks, as well as problems addressing attacks that take advantage of second order SQLI vulnerability. Our evaluation also shows that only a few of these methods and tools considered can be deployed in all web-based application platforms.

scholarly journals Hybrid method integrating SQL-IF and Naïve Bayes for SQL injection attack avoidance

2021 ◽  
Vol 1 (2) ◽  
Author(s):  
Faisal Yudo Hernawan ◽  
Indra Hidayatulloh ◽  
Ipam Fuaddina Adam
Keyword(s):  
Hybrid Method ◽  
Web Applications ◽  
Naive Bayes ◽  
Naïve Bayes ◽  
Sql Injection ◽  
Bayes Methods ◽  
Injection Attacks ◽  
Attack Patterns ◽  
Sql Injection Attack ◽  
Sql Injection Attacks

Web applications are the objects most targeted by attackers. The technique most often used to attack web applications is SQL injection. This attack is categorized as dangerous because it can be used to illegally retrieve, modify, delete data, and even take over databases and web applications. To prevent SQL injection attacks from being executed by the database, a system that can identify attack patterns and can learn to detect new patterns from various attack patterns that have occurred is required. This study aims to build a system that acts as a proxy to prevent SQL injection attacks using the Hybrid Method which is a combination of SQL Injection Free Secure (SQL-IF) and Naïve Bayes methods. Tests were carried out to determine the level of accuracy, the effect of constants (K) on SQL-IF, and the number of datasets on Naïve Bayes on the accuracy and efficiency (average load time) of web pages. The test results showed that the Hybrid Method can improve the accuracy of SQL injection attack prevention. Smaller K values and larger dataset will produce better accuracy. The Hybrid Method produces a longer average web page load time than using only the SQL-IF or Naïve Bayes methods.

Sign in / Sign up

Export Citation Format

Share Document