Structured Query Language Injection (SQLI) Attacks: Detection and Prevention Techniques in Web Application Technologies

Nana Yaw Asabere; Wisdom Kwawu Torgby

Call for Paper

January Edition

IJCA solicits high quality original research papers for the upcoming January edition of the journal. The last date of research paper submission is 20 December 2024

Submit your paper

Know more

The week's pick

Improved Shuffled Frog Leaping Algorithm with Self-Adaptive Shuffling for Fuzzy Logic PD+G Controller Optimization in Robotic Manipulators

Duc Hoang Nguyen

Random Articles

Article:Analyzing Core Migration Protocol Wireless Ad Hoc Networks by Adopting Multiple Nodes Diverse Test-bed

November

2010

License Plate Recognition System based on Improved BP Neural Network

May

2020

Data Hiding in Audio Signals using Elliptic Curve Cryptography, Huffman Code Algorithm and Low-Bit Encoding

May

2018

Improvement of the Performance of Microstrip Patch Antenna

Aug

2016

Reseach Article

Structured Query Language Injection (SQLI) Attacks: Detection and Prevention Techniques in Web Application Technologies

by Nana Yaw Asabere, Wisdom Kwawu Torgby

International Journal of Computer Applications

Foundation of Computer Science (FCS), NY, USA

Volume 71 - Number 11

Year of Publication: 2013

Authors: Nana Yaw Asabere, Wisdom Kwawu Torgby

10.5120/12404-8908

Nana Yaw Asabere, Wisdom Kwawu Torgby . Structured Query Language Injection (SQLI) Attacks: Detection and Prevention Techniques in Web Application Technologies. International Journal of Computer Applications. 71, 11 ( June 2013), 29-39. DOI=10.5120/12404-8908

@article{ 10.5120/12404-8908,

author = { Nana Yaw Asabere, Wisdom Kwawu Torgby },

title = { Structured Query Language Injection (SQLI) Attacks: Detection and Prevention Techniques in Web Application Technologies },

journal = { International Journal of Computer Applications },

issue_date = { June 2013 },

volume = { 71 },

number = { 11 },

month = { June },

year = { 2013 },

issn = { 0975-8887 },

pages = { 29-39 },

numpages = {9},

url = { https://ijcaonline.org/archives/volume71/number11/12404-8908/ },

doi = { 10.5120/12404-8908 },

publisher = {Foundation of Computer Science (FCS), NY, USA},

address = {New York, USA}

}

%0 Journal Article

%1 2024-02-06T21:35:18.290788+05:30

%A Nana Yaw Asabere

%A Wisdom Kwawu Torgby

%T Structured Query Language Injection (SQLI) Attacks: Detection and Prevention Techniques in Web Application Technologies

%J International Journal of Computer Applications

%@ 0975-8887

%V 71

%N 11

%P 29-39

%D 2013

%I Foundation of Computer Science (FCS), NY, USA

Abstract

This paper investigates and reports on web application vulnerabilities with a specific focus on Structured Query Language Injection (SQLI) attacks and measures and how to counter such threats. SQLI attacks cause very serious dangers to web applications, they make it possible for attackers to get unhindered access to the primary source of data which is in the database and possibly the very sensitive information that the database contains. Even though practitioners and researchers in the web application security field have proposed a range of techniques to get to the bottom of the SQLI attack challenge, presently adopted approaches have either resolved the problem to some extent or have inadequacies that prevent their use and adoption. To help address this challenge, this paper presents a broad review of SQL injection attacks. An appraisal of current detection and prevention techniques against SQL injection attacks are also presented. Furthermore, a vulnerability assessment was conducted on the Centre for Computational Intelligence (CCI) Website as a case study. A snippet code that can be used to redesign the CCI website as a protective measure to counter threats of SQLI was proposed. An examination of this paper indicates that current solutions being promoted may not address the problem, and that web application firewalls provides the answer to SQLI attacks.

References

A. K. Singh and S. Roy, "A Network Based Vulnerability Scanner for Detecting SQLI Attacks in Web Applications," in Proceedings of the IEEE International Conference on Recent Advances in Information Technology, pp. 585-590, 15-17 March, 2012.
A. Avancini and M. Ceccato, "Security Testing of Web Applications: A Search-Based Approach for Cross-Site Scripting Vulnerabilities," in Proceedings of the 11th IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM), pp. 85-94, 25-25 Sept. 2011.
N. Teodoro and C. Serrao, "Web Application Security: Improving Critical Web-based Applications Quality Through In-depth Security Analysis," in Proceedings of the IEEE International Conference on Information Society (i-Society), pp. 457-462, 27-29, June, 2011.
H. Tian, J. Xu, K. Lian and Y. Ying, "Research on Strong-Association Rule Based Web Application Vulnerability Detection," in Proceedings of the 2nd IEEE International Conference on Computer Science and Information Technology, (ICCSIT), pp. 237-241, 2009.
T. Sccolte, W. Robertson. D. Balzarotti and E. Kirda, "Preventing Input Validation Vulnerabilities in Web Analysis Applications Through Automated Type Analysis," in Proceedings of the 36th IEEE Annual Computer Software and Applications Conference (COMPSAC), pp. 233-243, 16-20 July, 2012.
W. G. J. Halfond, J. Viegas, and A. Orso, "A Classification of SQL Injection Attacks and Countermeasures", in IEEE Proceedings, 2006, Available [Online] http://www. cc. gatech. edu/fac/Alex. Orso/papers/halfond. viegas. orso. ISSSE06. pdf (Accessed 29/04/2013).
A. Ciampa, C. A. Visaggio and M. D. Penta, " A Heuristic-based Approach for Detecting SQL-Injection Vulnerabilities in Web Applications," in ACM Proceedings of the ICSE Workshop on Software Engineering for Secure Systems, pp. 43-49, 2010.
J. Scambray, M. Shema and C. Sima, "Hacking Web Applications Exposed - 2nd ed. San Francisco", McGraw-Hill, 2006.
M. Curphey, D. Endler, W. Hau, S. Taylor, T. Smith, A. Russel, G. Mckenna, R. Parke, K. Mclaughlin, N. Tranter, A. Klein, D. Grooves, I. By-Gad, S. Huseby, M. Eizner, M. Hill and R. McNamara", A Guide to Building Secure Web Applications: The Open Web Application Security Project, 2002 Available [Online] http://www. rootsecure. net/content/downloads/pdf/owasp_guide. pdf (Accessed 09/05/2013).
M. Dermann, M. Dziadzka, B. Hemkemeier, A. Hoffmann, A. Miesel, M. Rohr and T. Schreiber, "Best Practices: Use of Web Application Firewalls", The Open Web Security Application Project, OWASP Papers Program, 2008, Available [Online] http://www. owasp. org/images/a/a6/Best_Practices_Guide_WAF_v104. en. pdf (Accessed 07/05/2013).
Planning Report 02-03 - The Economic Impacts of Inadequate Infrastructures for Software Testing", National Institute of Standards & Technology, US Department of Commerce, 2002, Available [Online] http://www. nist. gov/director/planning/upload/report02-3. pdf (Accessed 05/05/2013).
J. D. Meier, A. Mackman, M. Dunner, S. Vasireddy, R. Escamilla and A. Murukan, "Improving Web Application Security: Threats and Countermeasures," Microsoft Corporation, 2003.
K. Tyminski, "The Business Case for Web Application Firewalls," 2008, Available [Online] www. scanarmor. dk/UserFiles/File/WP_BusinessCaseForWAF_FINAL_092408. pdf (Accessed 05/05/2013).
R. Barnet, "Why Organizations Need Web Application Firewalls," 2007, Available [Online] www. scanarmor. dk/UserFiles/File/WP_Why_WAF. pdf (Accessed 03/05/2013).

Index Terms

Computer Science

Information Sciences

Keywords

Web Application Website Security Structured Query Language Injection (SQLI) Vulnerabilities