
    Blocking SQL Injection in Database Stored Procedures

    This thesis contains a summary of all the work that has been done by us for the B-Tech project in the academic session of 2009-2010. The area chosen for the project was SQL Injection attacks and methods to prevent them, and this thesis goes on to describe four proposed models to block SQL Injection, all of them obtained from published research papers. It then gives the details of the implementation of the model “SQL Injection prevention in database stored procedures” as proposed by K. Muthuprasanna et al., which describes a technique to prevent injection attacks occurring due to dynamic SQL statements in database stored procedures, which are often used in e-commerce applications. The thesis also contains the algorithms used, data flow diagrams for the system, user interface samples and the performance reports. The particulars of some of the modifications made to the proposed model during implementation have also been documented, and a section has also been included which discusses the possible updates that could be made to the tool, and future work

    Web Security Detection Tool

    According to Government Computer News (GCN), web attacks have been marked as at an all-time high this year. GCN says that some of the leading security software, like SOPHOS, detected about 15,000 newly infected web pages daily in the initial three months of 2008 [13]. This has led to the need for efficient software to make web applications robust and resilient to these attacks. While finding information on different types of attacks, I found that SQL injection and cross site scripting are the most famous among attackers. These attacks are used extensively since they can be performed using different techniques and it is difficult to make a web application completely immune to these attacks. There are myriad detection tools available which help to detect vulnerabilities in web applications. These tools are mainly categorized as white-box and black-box testing tools. In this writing project, we aim to develop a detection tool which would be efficient and helpful for users to pinpoint possible vulnerabilities in their PHP scripts. We propose a technique to integrate the aforementioned categories of tools under one framework to achieve better detection of possible vulnerabilities. Our system focuses on giving the developer a simple and concise tool which would help him/her to correct possible loopholes in the PHP code snippets

    SQL Injection analysis, Detection and Prevention

    Web sites are dynamic, static, and most of the time a combination of both. Web sites need protection in their database to assure security. An SQL injection attack targets interactive web applications that provide database services. These applications take user inputs and use them to create an SQL query at run time. In an SQL injection attack, an attacker might insert a malicious SQL query as input to perform an unauthorized database operation. Using SQL injection attacks, an attacker can retrieve or modify confidential and sensitive information from the database. It may jeopardize the confidentiality and security of Web sites which totally depend on databases. This report presents a “code reengineering” that implicitly protects the applications which are written in PHP from SQL injection attacks. It uses an original approach that combines static as well as dynamic analysis. [2] In this report, I mentioned an automated technique for removing SQL injection vulnerabilities from Java code by converting plain text inputs received from users into prepared statements. [3]
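    The two mechanisms these abstracts refer to, dynamic SQL assembled inside a stored procedure (the first thesis above) and the prepared-statement rewrite (the report just above), shown side by side in MySQL. This is an added illustration written for this page, not code from either thesis; the table, sample rows, procedure names and probe input are constructed for the example.

```sql
-- Constructed schema and rows for the demonstration.
CREATE TABLE users (
  id       INT PRIMARY KEY,
  username VARCHAR(64)  NOT NULL,
  email    VARCHAR(128) NOT NULL
);
INSERT INTO users VALUES
  (1, 'alice', 'alice@example.com'),
  (2, 'bob',   'bob@example.com');

DELIMITER $$

-- Vulnerable pattern: the caller's value is spliced into the statement
-- text with CONCAT, so a quote in p_username changes the SQL grammar.
CREATE PROCEDURE find_user_unsafe(IN p_username VARCHAR(64))
BEGIN
  SET @sql = CONCAT(
    'SELECT id, username, email FROM users WHERE username = ''',
    p_username,
    '''');
  PREPARE stmt FROM @sql;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END$$

-- Hardened pattern: the statement text is a fixed string with a
-- placeholder; the value is bound at EXECUTE time and is never parsed
-- as SQL, so the same probe is compared as a literal username.
CREATE PROCEDURE find_user_safe(IN p_username VARCHAR(64))
BEGIN
  SET @sql = 'SELECT id, username, email FROM users WHERE username = ?';
  SET @u = p_username;            -- USING requires a user variable
  PREPARE stmt FROM @sql;
  EXECUTE stmt USING @u;
  DEALLOCATE PREPARE stmt;
END$$

DELIMITER ;

-- Benign input: both procedures return only alice.
CALL find_user_unsafe('alice');
CALL find_user_safe('alice');

-- Tautology probe. The argument string is:  x' OR 1=1 --
-- find_user_unsafe builds  ... WHERE username = 'x' OR 1=1 -- '
-- (the trailing quote is commented out) and returns every row.
CALL find_user_unsafe('x'' OR 1=1 -- ');

-- find_user_safe compares the whole string against username and
-- returns no rows.
CALL find_user_safe('x'' OR 1=1 -- ');
```

    A placeholder can only bind a value, not an identifier; a procedure that must vary the table or column name still has to build that part of the text, and there the check is an allow-list of known identifiers inside the procedure rather than quoting.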

    Security in web applications: a comparative analysis of key SQL injection detection techniques

    Over the years, technological advances have driven massive proliferation of web systems, and businesses have harbored a seemingly insatiable need for Internet systems and services. Whilst data is considered a key asset to businesses and its security is of extreme importance, there have been growing cybersecurity threats faced by web systems. One of the key attacks that web applications are vulnerable to is SQL injection (SQLi), and successful attacks can reveal sensitive information to attackers or even deface web systems. As part of an SQLi defence strategy, effective detection of SQLi attacks is important. Even though different techniques have been devised over the years to detect SQLi attacks, limited work has been undertaken to review and compare the effectiveness of these detection techniques. As such, in order to address this gap in the literature, this paper performs a review and comparative analysis of the different SQLi detection techniques, with the aim to detect SQLi attacks in an effective manner and enhance the security of web applications. As part of the investigation, seven SQLi detection techniques, including machine learning based detection, are reviewed and their effectiveness against different types of SQLi attacks is compared. Results identified positive tainting and adoption of machine learning among the most effective techniques, and stored procedure based SQLi as the most challenging attack to detect

    The Importance of Developing Preventive Techniques for SQL Injection Attacks

    Many intentionally vulnerable web applications are circulating on the Internet that serve as a legal test ground for practicing SQL injection attacks. For demonstration purposes the attacks will target an Acunetix test web application created using the PHP programming language and the MySQL relational database. In the practical part, the execution of the attack itself largely depends on the database management system, so the displayed syntax is intended only for the MySQL database management system. An example of an automated attack will be executed with sqlmap in a virtualized Kali Linux environment. Security guidelines with the purpose of protecting databases are also discussed

    A survey on SQL injection prevention methods

    Databases play a very important role in everyone’s life, including that of organizations, since everything today is connected via the Internet and there is so much data to manage. There is a need for a database which helps organizations to organize, sort and manage the data, and to ensure that the data which a user is receiving and sending by means of the database is secure, since the database stores almost everything, such as banking details, which include user id, password and so on. Thus, it means that the data are really valuable and confidential to us, and therefore security really matters for the database. SQL Injection Attacks on the database are becoming common in this era, where hackers are trying to steal the valuable data of an individual by means of an SQL Injection Attack using a malicious query on the application. This application reveals the individual’s data, so an efficient and effective SQL Injection Prevention technique is required in order to protect the individual’s data from being stolen by hackers. Therefore, this paper will focus on reviewing different types of SQL Injection prevention methods and SQL injection types. The initial finding of this paper can make a comparison of different types of SQL Injection Prevention methods which will enable the Database Administrator to choose the best and most efficient SQL Injection Prevention Method for their organization. Consequently, preventing SQL Injection Attacks from happening would ultimately result in no data loss for the user

    A Discriminative Survey on SQL Injection Methods to Detect Vulnerabilities in Web applications

    SQL Injection Attacks are extremely serious intrusion assaults on web based applications, since such types of assaults could reveal the secrets and safety of information. In actuality, illegitimate personnel intrude into the web based database and consequently gain access to the information. To avoid such types of assault, different methods are recommended by various researchers, but they are not adequate since most of the implemented methods will not prevent all types of assault. In this paper we survey the various sorts of SQL Injection attacks and the various present SQL Injection Attack avoidance methods available. We analyzed that the existing SQL Injection Attack avoidance methods require the client side information, one by one, and then authenticate it, which complicates the developer’s job by requiring different validation code for every web page that is received on the server side. Keywords: SQL Injection, Attacks, Vulnerability, WWW, XS