Escrow: A large-scale web vulnerability assessment tool
The reliance on Web applications has increased rapidly over the years. At the same time, the quantity and impact of application security vulnerabilities have grown as well. Amongst these vulnerabilities, SQL Injection has been classified as the most common, dangerous and prevalent web application flaw. In this paper, we propose Escrow, a large-scale SQL Injection detection tool with an exploitation module that is light-weight, fast and platform-independent. Escrow uses a custom search implementation together with a static code analysis module to find potential target web applications. Additionally, it provides a simple to use graphical user interface (GUI) to navigate through a vulnerable remote database. Escrow is implementation-agnostic, i.e. it can perform analysis on any web application regardless of the server-side implementation (PHP, ASP, etc.). Using our tool, we discovered that it is indeed possible to identify and exploit at least 100 databases per 100 minutes, without prior knowledge of their underlying implementation. We observed that for each query sent, we can scan and detect dozens of vulnerable web applications in a short space of time, while providing a means for exploitation. Finally, we provide recommendations for developers to defend against SQL injection and emphasise the need for proactive assessment and defensive coding practices.
Preventing SQL Injection through Automatic Query Sanitization with ASSIST
Web applications are becoming an essential part of our everyday lives. Many of our activities are dependent on the functionality and security of these applications. As the scale of these applications grows, injection vulnerabilities such as SQL injection are major security challenges for developers today. This paper presents the technique of automatic query sanitization to automatically remove SQL injection vulnerabilities in code. In our technique, a combination of static analysis and program transformation is used to automatically instrument web applications with sanitization code. We have implemented this technique in a tool named ASSIST (Automatic and Static SQL Injection Sanitization Tool) for protecting Java-based web applications. Our experimental evaluation showed that our technique is effective against SQL injection vulnerabilities and has a low overhead.
Comment: In Proceedings TAV-WEB 2010, arXiv:1009.330
SQL Injection: The Longest Running Sequel in Programming History
One of the risks to a company operating a public-facing website with a Structured Query Language (SQL) database is an attacker exploiting the SQL injection vulnerability. An attacker can cause an SQL database to perform actions that the developer did not intend, like revealing, modifying, or deleting sensitive data. This can cause a loss of confidentiality, integrity, and availability of information in a company's database, and it can lead to severe costs of up to $196,000 per successful injection attack (NTT Group, 2014). This paper discusses the history of the SQL injection vulnerability, focusing on: how an attacker can exploit the SQL injection vulnerability; when the SQL injection attack first appeared; how the attack has changed over the years; and current techniques to defend adequately against the attack.
The SQL injection vulnerability has been known for over seventeen (17) years, and the countermeasures are relatively simple compared to countermeasures for other threats like malware and viruses. The focus on security-minded programming can help prevent a successful SQL injection attack and avoid loss of competitive edge, regulatory fines and loss of reputation among an organization's customers.
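The "relatively simple" countermeasure the paper refers to is binding user input as query parameters instead of splicing it into SQL text. The following is an added example, not code from the paper: a constructed Python/SQLite login check in its string-concatenated (vulnerable) form beside the bound-parameter form. The users table, credentials and attacker inputs are made up for the demonstration.

```python
import sqlite3

# Constructed sample users for the demonstration (not data from the paper).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database seeded with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string formatting, so the caller's text is
    parsed as SQL syntax. Returns the matched user name or None."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Binds the values as parameters: the driver passes them as data, so
    quotes, comment markers and OR clauses inside them are never SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Second input comments out the password check; third makes the WHERE
    # clause always true. Both work only against the concatenated query.
    for name, pw in [("alice", "s3cret"),
                     ("alice' --", "x"),
                     ("x", "' OR '1'='1")]:
        print(repr(name), repr(pw),
              "-> vulnerable:", login_vulnerable(db, name, pw),
              " safe:", login_safe(db, name, pw))
```

The same split applies to every driver and ORM: the fix is not escaping quotes in the input but keeping the SQL text constant and sending values through the driver's parameter mechanism.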
PachyRand: SQL Randomization for the PostgreSQL JDBC Driver
Many websites are driven by web applications that deliver dynamic content stored in SQL databases. Such systems take input directly from the client via HTML forms. Without proper input validation, these systems are vulnerable to SQL injection attacks. The predominant defense against such attacks is to implement better input validation. This strategy is unlikely to succeed on its own. A better approach is to protect systems against SQL injection automatically and not rely on manual supervision or testing strategies (which are incomplete by nature). SQL randomization is a technique that defeats SQL injection attacks by transforming the language of SQL statements in a web application such that an attacker needs to guess the transformation in order to successfully inject his code. We present PachyRand, an extension to the PostgreSQL JDBC driver that performs SQL randomization. Our system is easily portable to most other JDBC drivers, has a small performance impact, and makes SQL injection attacks infeasible.
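PachyRand's own code is not on this page; what follows is an added, simplified Python sketch of the SQL-randomization idea the abstract describes. Trusted SQL text in the application is rewritten so that every keyword carries a secret per-process tag, and a filter in front of the database strips the tags and rejects any untagged keyword, which can only have arrived through untrusted input. The keyword list, the six-digit key format and the tokenizer are assumptions made for the demonstration, not PachyRand's.

```python
import re
import secrets

# Assumed keyword list for the demonstration; a real driver would use the
# database's full reserved-word list.
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "INSERT",
            "UPDATE", "DELETE", "DROP", "EXEC"}

# Tokens: single-quoted string literal, word, whitespace, any other char.
TOKEN = re.compile(r"'(?:[^']|'')*'|[A-Za-z_]\w*|\s+|.", re.S)


class InjectionDetected(Exception):
    """Raised when SQL syntax appears that did not come from trusted code."""


def new_key():
    """Secret per-process tag appended to every trusted keyword (assumed
    format: six decimal digits)."""
    return f"{secrets.randbelow(10**6):06d}"


def randomize(template, key):
    """Developer side: tag each keyword in a trusted SQL template with the
    key, e.g. 'SELECT' -> 'SELECT482913'. Done once, when the code is built."""
    pattern = r"\b(" + "|".join(KEYWORDS) + r")\b"
    return re.sub(pattern, lambda m: m.group(1) + key, template,
                  flags=re.IGNORECASE)


def derandomize(sql, key):
    """Driver side: strip the key from tagged keywords and reject any bare
    keyword outside a string literal, since trusted code never emits one."""
    out = []
    for m in TOKEN.finditer(sql):
        tok = m.group(0)
        if tok.startswith("'"):                  # literal: data, not syntax
            out.append(tok)
            continue
        upper = tok.upper()
        if upper.endswith(key) and upper[:-len(key)] in KEYWORDS:
            out.append(tok[:-len(key)])          # trusted keyword: untag it
        elif upper in KEYWORDS:
            raise InjectionDetected(f"untagged keyword {tok!r} in {sql!r}")
        else:
            out.append(tok)
    return "".join(out)


if __name__ == "__main__":
    key = new_key()
    template = randomize("SELECT name FROM users WHERE name = '%s'", key)
    # The application still concatenates user input (the bug is intact);
    # the filter rejects the injected OR / UNION SELECT because those
    # keywords lack the tag. Inputs are constructed for the demonstration.
    for user_input in ["alice",
                       "alice' OR '1'='1",
                       "x' UNION SELECT password FROM users --"]:
        try:
            print(derandomize(template % user_input, key))
        except InjectionDetected as e:
            print("rejected:", e)
```

Two caveats a practitioner would check before relying on this: the filter only catches injections that introduce SQL keywords, so an input that merely closes a quote and comments out the rest of a predicate passes unless the tokenizer also flags stray quotes and comment markers; and the key must neither be guessable nor leak, for instance through database error messages that echo the tagged statement.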
Security Analysis of the Data Pokok Pendidikan (Dapodik) Application Using Penetration Testing and SQL Injection
Application security problems are often neglected precisely after all the security equipment and infrastructure have been installed. In fact, the importance of security is often only realised after a disaster has occurred. The losses an institution/organisation suffers from an attack on an application system are very large, but they are very hard to detect, because in general they will not be admitted, for various reasons. Without good application-system security, deploying technology of any sophistication will greatly endanger the institution/organisation itself. The high value and strategic nature of information cause attacks and threats against applications and information flows to keep increasing. The need for application-system security arises from the need to protect data: first, from loss and damage to data; second, from unauthorised parties attempting to access or modify data. The architectural design of the Dapodik application produced here is limited to the web-based Dapodik application, deployed offline and online with an internet connection. The security testing of the Dapodik application used penetration testing and SQL Injection. Based on the security test results, it can be stated that the threat level to the Dapodik web server and application is at a safe level. This indicates that there are no gaps that would allow threats and illegal access with the potential to damage the system.
Implementation of Customized UTP Algorithm for Attack Detection in Multitier Web Applications
Internet services and applications have gained lots of importance in our daily life, such as banking, travel and social networking. Personal information from any remote location can be communicated and managed with the help of the Internet. Due to their omnipresent use for daily tasks, web applications have become targets for attack. To deal with increasing demand and data complexity, web services and applications have moved to a multitiered design. The idea is to detect attacks in a multitier architecture by modelling the network behavior of user sessions across both the front-end web server and the back-end database. Attacks like SQL injection, cross site scripting, privilege escalation and direct DB attacks can be monitored with both the web request and the subsequent database request using the customized UTP algorithm, which an independent system cannot do.
Ensemble Machine Learning Approaches for Detection of SQL Injection Attack
In the current era, SQL Injection Attack is a serious threat to the security of the ongoing cyber world, particularly for many web applications that reside over the internet. Many webpages accept sensitive information (e.g. username, passwords, bank details, etc.) from the users and store this information in a database that also resides over the internet. Despite the fact that this online database has much importance for remotely accessing the information for various business purposes, attackers can gain unrestricted access to these online databases or bypass authentication procedures with the help of SQL Injection Attack. This attack results in great damage and variation to the database and has been ranked as the topmost security risk by the OWASP TOP 10. Considering the trouble of distinguishing unknown attacks by the current principle coordinating technique, a strategy for SQL injection detection dependent on Machine Learning is proposed. Our motive is to detect this attack by splitting the queries into their corresponding tokens with the help of tokenization and then applying our algorithms over the tokenized dataset. We used four Ensemble Machine Learning algorithms: Gradient Boosting Machine (GBM), Adaptive Boosting (AdaBoost), Extended Gradient Boosting Machine (XGBM), and Light Gradient Boosting Machine (LGBM). The results yielded by our models are near to perfection, with the error rate being almost negligible. The best results are yielded by LGBM with an accuracy of 0.993371, and precision, recall, f1 of 0.993373, 0.993371, and 0.993370, respectively. The LGBM also yielded a lower error rate, with False Positive Rate (FPR) and Root Mean Squared Error (RMSE) of 0.120761 and 0.007, respectively. The worst results are yielded by AdaBoost with an accuracy of 0.991098, and precision, recall, f1 of 0.990733, 0.989175, and 0.989942, respectively. AdaBoost also yielded a high False Positive Rate (FPR) of 0.009.
A Structured Analysis of SQL Injection Runtime Mitigation Techniques
SQL injection attacks (SQLIA) still remain one of the most commonly occurring and exploited vulnerabilities. A considerable amount of research concerning SQLIA mitigation techniques has been conducted, with the primary resulting solution requiring developers to code defensively. Although defensive coding is a valid solution, the current market demand for websites is being filled by inexperienced developers with little knowledge of secure development practices. Unlike the successful case of ASLR, no SQLIA runtime mitigation technique has moved from research to enterprise use. This paper presents an in-depth analysis and classification, based on Formal Concept Analysis, of the 10 major SQLIA runtime mitigation techniques. Based on this analysis, one technique was identified that shows the greatest potential for transition to enterprise use. This analysis also serves as an enhanced SQLIA mitigation classification system. Future work includes plans to move the selected SQLIA runtime mitigation technique closer to enterprise use.
SQL Injection Detection Using Machine Learning
Sharing information over the Internet over multiple platforms and web-applications has become a quite common phenomenon in recent times. The web-based applications that accept critical information from users store this information in databases. These applications and the databases connected to them are susceptible to all kinds of information security threats due to being accessible through the Internet. The threats include attacks such as Cross-Site Scripting (XSS), Denial of Service (DoS), and Structured Query Language (SQL) Injection attacks. SQL Injection attacks fall under the top ten vulnerabilities when we talk about web-based applications. Through this kind of attack, the attacker can steal critical and confidential information, and hence it could have damaging effects on a business or organization. The effects could range from monetary loss, leaking confidential business information, decrease in a company's stock market value, or any combination of these. In this paper we have used an algorithm called Gradient Boosting Classifier from ensemble machine learning approaches to classify and detect SQL Injection attacks.