Why SQL Injection Attacks Are Still Plaguing Databases

This article describes how SQL injection has been a long-standing problem in database security. It is understandable why injection is considered number one because of the sheer number of web applications that exist currently. An injection attack can allow an attacker to gain complete access of a database which oftentimes contains sensitive information. This results in a loss of confidential information which places consumers at a huge risk.

Download Full-text

SQL Injection Attacks Countermeasures

Threats, Countermeasures, and Advances in Applied Information Security - Advances in Information Security, Privacy, and Ethics ◽

10.4018/978-1-4666-0978-5.ch010 ◽

2012 ◽

pp. 194-213

Author(s):

Kasra Amirtahmasebi ◽

Seyed Reza Jalalinia

Keyword(s):

Web Application ◽

Web Applications ◽

Confidential Information ◽

Sql Injection ◽

Unauthorized Access ◽

Injection Attacks ◽

Prevention Techniques ◽

Sql Injection Attack ◽

Sql Injection Attacks ◽

The Web

Due to the huge growth in the need for using Web applications worldwide, there have been huge efforts from programmers to develop and implement new Web applications to be used by companies. Since a number of these applications lack proper security considerations, malicious users will be able to gain unauthorized access to confidential information of organizations. A concept called SQL Injection Attack (SQLIA) is a prevalent method used by attackers to extract the confidential information from organizations’ databases. They work by injecting malicious SQL codes through the web application, and they cause unexpected behavior from the database. There are a number of SQL Injection detection/prevention techniques that must be used in order to prevent unauthorized access to databases.

Download Full-text

Analysis of SQL Injection Attack

International Journal of Computer Science and Informatics ◽

10.47893/ijcsi.2013.1102 ◽

2013 ◽

pp. 260-264

Author(s):

Jayeeta Majumder ◽

Gargi Saha

Keyword(s):

Web Applications ◽

Sensitive Information ◽

Security Model ◽

Security Threat ◽

Sql Injection ◽

Stored Procedure ◽

Injection Attacks ◽

Unrestricted Access ◽

Sql Injection Attacks ◽

Input Validation

SQL injection attacks are a serious security threat to Web applications. They allow attackers to obtain unrestricted access to the databases underlying the applications and to the potentially sensitive information these database contain. Various researchers and practitioners have proposed various methods to address the SQL injection problem. To address this problem, we present an extensive review of the various types of SQL injection attacks known to date. For each type of attack, we provide descriptions and examples of how attacks of that type could be performed. We also present a methodology to prevent SQL injection attacks. It concentrates on the SQL queries and SQL stored procedure where input parameters are injected by the attacker. After a rigorous input validation with our proposed SQL security model will ensure input validation.

Download Full-text

Retrofitting Existing Web Applications with Effective Dynamic Protection Against SQL Injection Attacks

International Journal of Secure Software Engineering ◽

10.4018/jsse.2010102002 ◽

2010 ◽

Vol 1 (1) ◽

pp. 20-40 ◽

Cited By ~ 1

Author(s):

San-Tsai Sun ◽

Konstantin Beznosov

Keyword(s):

Web Applications ◽

False Positives ◽

Sql Injection ◽

Injection Attacks ◽

Track Parameter ◽

Effective Dynamic ◽

Protection Mechanisms ◽

Sql Injection Attacks ◽

Application Developers ◽

Parameter Values

This article presents an approach for retrofitting existing Web applications with run-time protection against known, as well as unseen, SQL injection attacks (SQLIAs) without the involvement of application developers. The precision of the approach is also enhanced with a method for reducing the rate of false positives in the SQLIA detection logic, via runtime discovery of the developers’ intention for individual SQL statements made by Web applications. The proposed approach is implemented in the form of protection mechanisms for J2EE, ASP.NET, and ASP applications. Named SQLPrevent, these mechanisms intercept HTTP requests and SQL statements, mark and track parameter values originating from HTTP requests, and perform SQLIA detection and prevention on the intercepted SQL statements. The AMNESIA testbed is extended to contain false-positive testing traces, and is used to evaluate SQLPrevent. In our experiments, SQLPrevent produced no false positives or false negatives, and imposed a maximum 3.6% performance overhead with 30 milliseconds response time for the tested applications.

Download Full-text

Bind but Dynamic Technique

Handbook of Research on Innovations in Database Technologies and Applications ◽

10.4018/978-1-60566-242-8.ch093 ◽

2009 ◽

pp. 880-890

Author(s):

Ahmad Hammoud ◽

Ramzi A. Haraty

Keyword(s):

Web Application ◽

Efficient Solution ◽

Web Applications ◽

Query Language ◽

Sql Injection ◽

Injection Attacks ◽

Dynamic Technique ◽

Structured Query Language ◽

Sql Injection Attacks ◽

Web Developers

Most Web developers underestimate the risk and the level of damage that might be caused when Web applications are vulnerable to SQL (structured query language) injections. Unfortunately, Web applications with such vulnerability constitute a large part of today’s Web application landscape. This article aims at highlighting the risk of SQL injection attacks and provides an efficient solution.

Download Full-text

A Research of the Essence of SQL Injection Attacks Vulnerability

Applied Mechanics and Materials ◽

10.4028/www.scientific.net/amm.719-720.935 ◽

2015 ◽

Vol 719-720 ◽

pp. 935-940

Author(s):

Min Wan ◽

Kun Liu

Keyword(s):

Static Analysis ◽

Web Application ◽

Web Applications ◽

Semantic Information ◽

Semantic Gap ◽

Sql Injection ◽

Injection Attacks ◽

Web System ◽

Sql Injection Attacks ◽

Filtering Techniques

Semantic Gap problem is the essence of the SQL Injection Attacks vulnerability in Web applications. Web application loses the semantic information while the SQL statement is constructed dynamically. This paper analyzes the cause of the SQLIA vulnerability. And then it analyzes several suggested techniques, such as the filtering techniques and the static analysis, and points out their drawbacks in the SOLIA prevention, which leads to the conclusion that the key problem for the eradication of SQLIA is to solve the semantic gap problem causing by the unstructured SQL statement in the process of constructing a Web system dynamically.

Download Full-text

Protecting web applications from SQL injection attacks by using framework and database firewall

Proceedings of the International Conference on Advances in Computing, Communications and Informatics - ICACCI '12 ◽

10.1145/2345396.2345495 ◽

2012 ◽

Cited By ~ 1

Author(s):

Yakkala V. Naga Manikanta ◽

Anjali Sardana

Keyword(s):

Web Applications ◽

Sql Injection ◽

Injection Attacks ◽

Sql Injection Attacks

Download Full-text

SQL Injection Attacks Prevention System Technology: Review

Asian Journal of Research in Computer Science ◽

10.9734/ajrcos/2021/v10i330242 ◽

2021 ◽

pp. 13-32

Author(s):

Fairoz Q. Kareem ◽

Siddeeq Y. Ameen ◽

Azar Abid Salih ◽

Dindar Mikaeel Ahmed ◽

Shakir Fattah Kak ◽

...

Keyword(s):

Private Information ◽

Web Applications ◽

Sql Injection ◽

Injection Attacks ◽

Prevention System ◽

Injection Methods ◽

Sql Injection Attacks ◽

Technology Review ◽

Gain Access

The vulnerabilities in most web applications enable hackers to gain access to confidential and private information. Structured query injection poses a significant threat to web applications and is one of the most common and widely used information theft mechanisms. Where hackers benefit from errors in the design of systems or existing gaps by not filtering the user's input for some special characters and symbols contained within the structural query sentences or the quality of the information is not checked, whether it is text or numerical, which causes unpredictability of the outcome of its implementation. In this paper, we review PHP techniques and other techniques for protecting SQL from the injection, methods for detecting SQL attacks, types of SQL injection, causes of SQL injection via getting and Post, and prevention technology for SQL vulnerabilities.

Download Full-text

SQL Injection Attack on Web Application

Asian Journal of Computer Science and Technology ◽

10.51983/ajcst-2018.7.s1.1814 ◽

2018 ◽

Vol 7 (S1) ◽

pp. 11-15

Author(s):

S. Parameswari ◽

K. Kavitha

Keyword(s):

Web Application ◽

Web Applications ◽

Sql Injection ◽

Injection Attacks ◽

Sql Injection Attack ◽

Simplified Algorithm ◽

Basic Features ◽

Sql Injection Attacks ◽

Almost All ◽

The Web

SQL injection attacks are one of the highest dangers for applications composed for the Web. These attacks are dispatched through uncommonly made client information on web applications that utilizes low level string operations to build SQL queries. An SQL injection weakness permits an assailant to stream summons straightforwardly to a web application’s hidden database and annihilate usefulness or privacy. In this paper we proposed a simplified algorithm which works on the basic features of the SQL Injection attacks and will successfully detect almost all types of SQL Injection attacks. In the paper we have also presented the experiment results in order to acknowledge the proficiency of our algorithm.

Download Full-text

Causes and Prevention of SQL Injection Attacks in Web Applications

Proceedings of the 4th International Conference on Information and Network Security - ICINS '16 ◽

10.1145/3026724.3026742 ◽

2016 ◽

Cited By ~ 1

Author(s):

Stephanos Mavromoustakos ◽

Aakash Patel ◽

Kinjal Chaudhary ◽

Parth Chokshi ◽

Shaili Patel

Keyword(s):

Web Applications ◽

Sql Injection ◽

Injection Attacks ◽

Sql Injection Attacks

Download Full-text

Hybrid method integrating SQL-IF and Naïve Bayes for SQL injection attack avoidance

Journal of Engineering and Applied Technology ◽

10.21831/jeatech.v1i2.35497 ◽

2021 ◽

Vol 1 (2) ◽

Author(s):

Faisal Yudo Hernawan ◽

Indra Hidayatulloh ◽

Ipam Fuaddina Adam

Keyword(s):

Hybrid Method ◽

Web Applications ◽

Naive Bayes ◽

Naïve Bayes ◽

Sql Injection ◽

Bayes Methods ◽

Injection Attacks ◽

Attack Patterns ◽

Sql Injection Attack ◽

Sql Injection Attacks

Web applications are the objects most targeted by attackers. The technique most often used to attack web applications is SQL injection. This attack is categorized as dangerous because it can be used to illegally retrieve, modify, delete data, and even take over databases and web applications. To prevent SQL injection attacks from being executed by the database, a system that can identify attack patterns and can learn to detect new patterns from various attack patterns that have occurred is required. This study aims to build a system that acts as a proxy to prevent SQL injection attacks using the Hybrid Method which is a combination of SQL Injection Free Secure (SQL-IF) and Naïve Bayes methods. Tests were carried out to determine the level of accuracy, the effect of constants (K) on SQL-IF, and the number of datasets on Naïve Bayes on the accuracy and efficiency (average load time) of web pages. The test results showed that the Hybrid Method can improve the accuracy of SQL injection attack prevention. Smaller K values and larger dataset will produce better accuracy. The Hybrid Method produces a longer average web page load time than using only the SQL-IF or Naïve Bayes methods.

Download Full-text