A Study of Online Database Servers: The Case of SQL - Injection, How Evil that could be?
Asian Journal of Research in Computer Science, Volume 14, Issue 4,
Page 198-211
DOI:
10.9734/ajrcos/2022/v14i4304
Abstract
SQL injection attack is one of the most serious security vulnerabilities in many Databases Managements systems. Most of these vulnerabilities are caused by lack of input validation and SQL parameters used particularity at this time of technology revolution. The results of a SQL injection attack (SQLIA) are unpleasant because the attacker could wipe the entire contents of the victim's database or shut it down. As such, SQLIA can be used as important weapons in cyber warfare. As an attempt of breaching of number of application data bases systems two SQL injection techniques were used to successful locating vulnerable points during this research which are Blind Text Injection Differential and Error based Exploitation. The motivations behind were to find out where the databases systems are most likely to face an attack and proactively shore up those weaknesses before exploitation by hackers. The success of both techniques is a result of poor web server (online database server) design especially in the selection of error messages (or answers) they display to website users if something goes wrong. The approach through examination of error messages (error codes) did enable to precisely know the backend Database Management System (DBMS) type and version and what exactly are parameters (variables) which can allow “illegally” injecting codes (a SQL query). Additionally, the paper presents SQLIA cases and their impact in Tanzania cyber space as well as it suggests the possible mitigation ways while reflecting the collected data with what currently existing in cyberworld as far as SQL injection attack is concern to present the reality.
- First SQLIA
- second code injection
- third cyber warfare
- fourth SQLMap
- fifth security
How to Cite
References
Wikipedia. SQL Injection; 2017.
Available:https://en.wikipedia.org/wiki/SQL_injection May, 2017
Imperva. Web Application Attack Report; 2015.
Available:https://www.imperva.com/download.asp?id=509 April, 2016.
Enemy at the Gates: Analyzing Attacks on Financial Services
Available:https://www.akamai.com/lp/soti/enemy-at-the-gates-analyzing-attacks-on-financial-services
Access on 12, 08, 2022
Indrani Balasundram, Ramaraj E. Prevention of SQL injection attacks by using service oriented authentication technique. International Journal of Modeling and Optimization. 2013;3(3):286-S385.
Tang P, Qiu W, Huang Z, et al. SQL injection behavior mining based deep learning. In: International Conference on Advanced Data Mining and Applications. Springer, Cham, Nanjing, 2018:445–454. Google Scholar
Zhang L, Tan C, Yu F. “An improved rainbow table attack for long passwords.” Procedia Computer Science. 2017;107:47–52.
Deniz Gurkan, Fatima Merchant. “Interoperable medical instrument networking and access system with security considerations for critical care”. Journal of Healthcare Engineering, 2010;1(4):637- 654.
Zar Chi Su Su Hlaing, Myo Khaing. A detection and prevention technique on SQL injection attacks”. 2020 IEEE Conference on Computer Applications (ICCA), IEEE Xplore; 2020.
SQLmap-Automatic SQL injection and database etakeover tool.
Available:http://SQLmap.org
Duchene F, Rawat S, Richier JL, Groz R. KameleonFuzz: Evolutionary fuzzing for black-box XSS detection. In Proceedings of the 4th ACM conference on Data and application security and privacy. 2014:37-48. ACM
Medeiros I, Neves NF, Correia M. Automatic detection and correction of web application vulnerabilities using data mining to predict false positives. In Proceedings of the 23rd International Conference on World Wide Web. 2014:63-74. ACM.
Tyrone Grandison, Evimaria Terzi. Intrusion Detection Technology; 2007. DOI: https://doi.org/10.1007/978-0-387-39940-9_209
McClure RA, Kruger IH. SQL DOM: Compile time checking of dynamic SQL statements. 2005m:88-96.
William R. Cook, Siddhartha Rai. Safe query objects: Statically-typed objects as remotely-executable queries, Conference: 27th International Conference on Software Engineering (ICSE 2005). 2005:15-21. St. Louis, Missouri, USA
Balasundarama I, Ramaraj E. “An efficient technique for detection and prevention of SQL injection attack using ASCII based string matching”. International Conference on Communication Technology and System Design. 2011;30(2012):183–190.
Manish Kumar, Indu L. Detection and prevention of SQL injection attack. International Journal of Computer Science and Information Technologies. 2014;5(1):374-377.
Raniah Alsahafi. SQL injection attacks: Detection and prevention techniques. International Journal of Scientific & Technology Research 2019;8(01).
SingCERT's Security Bulletin.
Available:https://www.csa.gov.sg/singcert/Alerts/sb-2022-018
Access on 12, 08, 2022
Khanna S, Verma AK. Classification of SQL injection attacks using fuzzy tainting. In: Sa P, Sahoo M, Murugappan M, Wu Y, Majhi B. (eds). Progress in Intelligent Computing Techniques: Theory, Practice, and Applications. Advances in Intelligent Systems and Computing, Springer, Singapore. 2018;518.
Available:https://doi.org/10.1007/978-981-10-3373-5_46
Asha NM, Varun Kumar, Vaidhyanathan G. Preventing SQL injection attacks. International Journal of Computer Applications. 2012;52(13):0975 – 8887.
Charles MJ, Pfleeger P, Pfleeger SL. Security in computing. 5th ed.; Springer: Berlin/Heidelberg, Germany; 2004.
Exploit Database. Full SQL injection tutorial (MySQL); 2016.
Available:https://www.exploit-db.com/papers/13045/. 2017.
Johnny Long. Google hacking for penetration testers: Explore the dark side of googling. Syngress Publishing; 2005.
Singh Kalsi T, Kaur N, et al. “Methods for preventing SQL injection attacks: A review”. International Journal of Adanced Engineering Technology.
E-ISSN: 0976-394.
-
Abstract View: 177 times
PDF Download: 138 times
