Total views : 343

SQL Injection Attack Roadmap and Fusion

Affiliations

  • Faculty of Computer Science and Information Technology, Universiti Putra Malaysia, Serdang, Selangor, Malaysia

Abstract


With SQL Injection, an attacker can change the intended effect of dynamically generated query in a web Application. This can lead to unauthorized access to the database underlying web application, and harmful transactions on the potentially sensitive information contained in the database. Clear understanding of a problem always assists in finding stronger solution to the problem. In this paper, we conducted an extensive review of several empirical studies on SQL injection attacks and vulnerabilities, with the goal of providing the research community with better insight into possible relationship that exists between different types of SQL Injection Attacks (SQLIAs), and the types of vulnerabilities exploited by each. Consequently, the result of our study is presentation of SQLIAs fusion which shows how different types of SQLIAs lead to one another, and also presentation of step by step SQLIA roadmap. We are very optimistic that our study can help the research community with clearer understanding of SQL Injections, and thus facilitates emergence of stronger solutions to the long standing problem.

Keywords

Attack Intents, Attack Mechanism, Inter-attacks Relationship, Vulnerabilities Exploitation, Web Applications.

Full Text:

 |  (PDF views: 347)

References


  • 2011 CWE-SANS Top 25 most dangerous software errors; 2015. Available from: http://cwe.mitre.org/top25/
  • Watson D. Web application attacks. Network Security. 2007; (10):10–14. DOI: 10.1016/S1353-4858(07)70094-6.
  • Focardi R, Luccio FL, Squarcina M. Fast SQL blind injections in high latency networks. IEEE Proceedings of the 1st AESS European Conference on Satellite Telecommunications, ESTEL’12; 2012 Oct 2–5. Rome, Italy. p. 1–6. DOI: 10.1109/ESTEL.2012.6400112.
  • Garg A, Singh S. A review on web application security vulnerabilities. Advanced Research in Computer Science and Software Engineering. 2013; 3(1):222–6. Available from: http://www.ijarcsse.com/docs/papers/Volume_3/1_January2013/V3I1-0196.pdf
  • Balasundaram I, Ramaraj E. An efficient technique for detection and prevention of SQL injection attack using ASCII based string matching. Procedia Engineering. 2012; 30(2011):183–90. DOI: 10.1016/j.proeng.2012.01.850
  • Lee I, Jeong S, Yeo S, Moon J. A novel method for SQL injection attack detection based on removing SQL query attribute values. Mathematical and Computer Modelling. 2012; 55(1–2):58–68. DOI: 10.1016/j.mcm.2011.01.050.
  • Abawajy J. SQLIA detection and prevention approach for RFID systems. Systems and Software. 2013; 86(3):751–8. DOI: 10.1016/j.jss.2012.11.022.
  • Kumar P, Pateriya RK. A survey on SQL injection attacks, detection and prevention techniques. IEEE Proceedings of the 3rd International Conference on Computing Communication and Networking Technologies, ICCCNT ’12. 2012 Jul 26–28. p. 1–5. DOI: 10.1109/ICCCNT.2012.6396096.
  • Rahul J, Pankaj S. A survey on web application vulnerabilities (SQLIA, XSS) exploitation and security engine for sql injection. Proceedings of the International Conference on Communication Systems and Network Technologies; 2012 May. p. 453–8. DOI: 10.1109/CSNT.2012.104.
  • Simone C, Diane G. SQL injection attacks with the AMPA suite. Electronic Security and Digital Forensics. 2013; (5):2. DOI: 10.1504/IJESDF.2013.055051.
  • Shahriar H, Zulkernine M. Information-theoretic detection of SQL injection attacks. IEEE Proceedings of the 14th International Symposium on High-Assurance Systems Engineering; 2012 Oct. p. 40–7. DOI: 10.1109/HASE.2012.31.
  • Shar LK, Tan HBK. Defeating SQL injection. Computer. 2013; 46(3:6265060):69–77. DOI: 10.1109/MC.2012.283.
  • Halford W, Viegas J, Orso A. A classification of SQL injection attacks and countermeasures. IEEE Proceedings of the International Symposium on Secure Software Engineering, ISSSE’06; Available from: http://www.cc.gatech.edu/fac/Alex.Orso/papers/halfond.viegas.orso.ISSSE06.pdf
  • Web application security; 2015. Available from: http://en.wikipedia.org/wiki/Web_application_security

Refbacks

  • There are currently no refbacks.


Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.