Blocking SQL Injection in Database Stored Procedures

This thesis contains a summary of all the work that has been done by us for the B-Tech project in the academic session of 2009-2010. The area chosen for the project was SQL Injection attacks and methods to prevent them, and this thesis goes on to describe four proposed models to block SQL Injection, all of them obtained from published research papers. It then gives the details of the implementation of the model “SQL Injection prevention in database stored procedures” as proposed by K. Muthuprasanna et al, which describes a technique to prevent injections attacks occurring due to dynamic SQL statements in database stored procedures, which are often used in e-commerce applications. The thesis also contains the algorithms used, data flow diagrams for the system, user interface samples and the performance reports. The particulars of some of the modifications made to the proposed model during implementation have also been documented, and there has also been included a section which discusses the possible updations that could be made to the tool, and future work

OPTIMIZING PHP API CALLS WITH PAGINATION AND CACHING

The Keweenaw Time Traveler (KeTT) project is devoted to mapping the historical and social landscapes of the Keweenaw Peninsula. During the project, it was discovered that the server-side performance needed improvement. To address this issue, the Optimizing PHP API Calls with Pagination and Caching initiative was launched. This initiative focused on refining API calls, implementing server caching and pagination, and fortifying security against common vulnerabilities. The project successfully mitigated risks associated with SQL Injection and XSS through meticulous code enhancements while improving error handling. Additionally, the introduction of Scroll-Induced Pagination optimized data delivery, significantly reducing response times, and elevating the user experience. Server-side caching further expedited API interactions, offering near-instantaneous results, and improved debugging efficiency. Future recommendations include advanced caching mechanisms, API rate limiting, and intelligent data prefetching. This comprehensive overhaul not only strengthened the application\u27s performance but also set a precedent for future developments in optimizing web-based applications

Teaching Secure Programming to Information Systems Students via OWASP Techniques and Libraries

Current and future Information Systems (IS) personnel and management need to understand SQL Injection, cross-site scripting (XSS), and other web-originating information security vulnerabilities. These can have severe negative impacts, and minimizing these threats is an important consideration for application developers. There are many resources on the Internet and in books to help educate people about these and similar intrusions. The Open Web Application Security Project (OWASP) includes a robust amount of information on this subject and is an excellent starting point in the creation of lecture, demonstration, and student practice on the subject. Using OWASP resources and active software examples is an effective and efficient method to teach IS students on potential security breaches and their prevention

Web Server Security and Survey on Web Application Security

A web server is a computer host configured and connected to Internet, for serving the web pages on request. Information on the public web server is accessed by anyone and anywhere on the Internet. Since web servers are open to public access they can be subjected to attempts by hackers to compromise the servers security. Hackers can deface websites and steal data valuable data from systems. This can translate into significant loss of revenue if it is a financial institution or e-commerce site. In the case of corporate or government systems, loss of important data means launch of information espionages or information warfare on their sites. Apart from data loss or theft, web defacement can also result in significant damage to the image of company [1]. The fact that an attacker can strike remotely makes a Web server an appealing target. Understanding threats to Web server and being able to identify appropriate countermeasures permits to anticipate many attacks and thwart the ever-growing numbers of attackers [3]. This work begins by reviewing the most common threats that affect Web servers. It then uses this perspective to find certain countermeasures. A key concept of this work focuses on the survey of most prevailing attacks that occurs due to certain vulnerabilities present in the web technology or programming which are exploited by attackers and also presents general countermeasures. In addition, various methods to detect and prevent those attacks are discussed and highlighted the summary and comparative analysis of the approaches on the basis of different attacks that shows you how to improve Web servers security

SQL Injection Vulnerability Detection Using Deep Learning: A Feature-based Approach

SQL injection (SQLi), a well-known exploitation technique, is a serious risk factor for database-driven web applications that are used to manage the core business functions of organizations. SQLi enables an unauthorized user to get access to sensitive information of the database, and subsequently, to the application’s administrative privileges. Therefore, the detection of SQLi is crucial for businesses to prevent financial losses. There are different rules and learning-based solutions to help with detection, and pattern recognition through support vector machines (SVMs) and random forest (RF) have recently become popular in detecting SQLi. However, these classifiers ensure 97.33% accuracy with our dataset. In this paper, we propose a deep learning-based solution for detecting SQLi in web applications. The solution employs both correlation and chi-squared methods to rank the features from the dataset. Feed-forward network approach has been applied not only in feature selection but also in the detection process. Our solution provides 98.04% accuracy over 1,850+ recorded datasets, where it proves its superior efficiency among other existing machine learning solutions

Sensei : enforcing secure coding guidelines in the integrated development environment

We discuss the potential benefits, requirements, and implementation challenges of a security-by-design approach in which an integrated development environment (IDE) plugin assists software developers to write code that complies with secure coding guidelines. We discuss how such a plugin can enable a company's policy-setting security experts and developers to pass their knowledge on to each other more efficiently, and to let developers more effectively put that knowledge into practice. This is achieved by letting the team members develop customized rule sets that formalize coding guidelines and by letting the plugin check the compliance of code being written to those rule sets in real time, similar to an as-you-type spell checker. Upon detected violations, the plugin suggests options to quickly fix them and offers additional information for the developer. We share our experience with proof-of-concept designs and implementations rolled out in multiple companies, and present some future research and development directions

Demonstration of Cyberattacks and Mitigation of Vulnerabilities in a Webserver Interface for a Cybersecure Power Router

Cyberattacks are a threat to critical infrastructure, which must be secured against them to ensure continued operation. A defense-in-depth approach is necessary to secure all layers of a smart-grid system and contain the impact of any exploited vulnerabilities. In this undergraduate thesis a webserver interface for smart-grid devices communicating over Modbus TCP was developed and exposed to SQL Injection attacks and Cross-Site Scripting attacks. Analysis was performed on Supply-Chain attacks and a mitigation developed for attacks stemming from compromised Content Delivery Networks. All attempted attacks were unable to exploit vulnerabilities in the webserver due to its use of input sanitization and access controls

Static Analysis for Discovering Security Vulnerabilities in Web Applications on the Asp.Net Platform

Tato bakalářská práce popisuje jak teoretické základy, tak způsob vytvoření statického analyzátoru založeném na platformě .NET Framework a službách poskytnutých prostřednictvím .NET Compiler Platform. Tento analyzátor detekuje bezpečnostní slabiny typu SQL injection na platformě ASP.NET MVC. Analyzátor nejdříve sestrojuje grafy řízení toku jako abstraktní reprezentaci analyzovaného programu. Poté využívá statické analýzy pro sledování potenciálně nedůvěryhodných dat. Nakonec jsou výsledky analýzy prezentovány uživateli.This Bachelor thesis is intended to describe theoretical foundations as well as the construction of a static taint analyser based on the .NET Framework and the analysis services provided by the .NET Compiler Platform. This analyser detects SQL injection security vulnerabilities on the ASP.NET MVC platform. Firstly, the analyser constructs control flow graphs as an abstract representation of the analysed program. Then, it uses a static taint analysis to track potentially distrusted and tainted data values. Finally, analysis results are presented to the user.

Sql Injection Attacks and Countermeasures: a Survey of Website Development Practices

This study involved the development and subsequent use of a bespoke SQL Injection vulnerability scanner to analyze a set of unique approaches to common tasks, identified by conducting interviews with developers of high-traffic Web sites. The vulnerability scanner was developed to address many recognized shortcomings in existing scanning software, principal among which were the requirements for a comprehensive yet lightweight solution, with which to quickly test targeted aspects of online applications; and a scriptable, Linux-based system. Emulations of each approach were built, using PHP and MySQL, which were then analyzed with the aid of the bespoke scanner. All discovered vulnerabilities were resolved and despite the variety of approaches to securing online applications, adopted by those interviewed; a small number of root causes of SQL Injection vulnerabilities were identified. This allowed a SQL injection security checklist to be compiled to facilitate developers in identifying insecure practices prior to an online application\u27s initial release and following any modifications or upgrades