Exploring Defense of SQL Injection Attack in Penetration Testing

Exploring Defense of SQL Injection Attack in Penetration Testing

Alex Zhu (Auckland University of Technology, Auckland, New Zealand) and Wei Qi Yan (Auckland University of Technology, School of Computer and Mathematical Sciences, Auckland, New Zealand)
Copyright: © 2017 |Pages: 10
DOI: 10.4018/IJDCF.2017100106
OnDemand PDF Download:
No Current Special Offers


SQLIA is adopted to attack websites with and without confidential information. Hackers utilized the compromised website as intermediate proxy to attack others for avoiding being committed of cyber-criminal and also enlarging the scale of Distributed Denial of Service Attack (DDoS). The DDoS is that hackers maliciously turn down a website and make network resources unavailable to web users. It is extremely difficult to effectively detect and prevent SQLIA because hackers adopt various evading SQLIA Intrusion Detection System techniques. Victims may not be even aware of that their confidential data has been compromised for a long time. In this paper, our contribution is that we evaluate several most popular open source SQLIA tools and SQLIA prevention tools with both qualitative and quantitative assessments.
Article Preview

SQLIA is that an attacker attempts to change the logic, semantics or syntax (Halfond & Orso, 2005) and behavior of a dynamically generated SQL statement by inserting additional SQL keywords and/or operators into the statement through URL query string or HTML form values, usually with a malicious intent because a web application exists vulnerabilities of execute unsanctioned input (Kar & Panigrahi, 2013). It illustrates SQLIA as Figure 1. A successful SQLIA must meet the indispensable condition that there is vulnerability in web application (Appelt, Nguyen, Briand, & Alshahwan, 2014). Vulnerabilities include loopholes, fault, bugs, weakness or flaw of software system design (Sharma, & Jain, 2014). Some of SQLIA vulnerabilities are caused by syntax constraints of web programming languages, but most of SQLIA vulnerabilities are caused by poor programming/coding practice (McClure, & Kruger, 2005), i.e., without type checking (Joosten, & Joosten, 2015), improper validation of user input (Srivastava, 2014), data and control structures mixed together in same transporting channel (Jun & Jun, 2011), detailed error messages feedback (Smith, Williams, & Austin, 2010) and over privilege accounts. Vulnerabilities of SQLIA are the root cause of SQL queries that have not been validated before the executions, no matter which data input for these SQL queries come from user input or back-end database of web application. User input includes all forms that web users submit, or contents in Uniform Resource Locator (URL) of website or all data have been saved in HTTP cookie.

Complete Article List

Search this Journal:
Volume 14: 1 Issue (2022): Forthcoming, Available for Pre-Order
Volume 13: 6 Issues (2021): 3 Released, 3 Forthcoming
Volume 12: 4 Issues (2020)
Volume 11: 4 Issues (2019)
Volume 10: 4 Issues (2018)
Volume 9: 4 Issues (2017)
Volume 8: 4 Issues (2016)
Volume 7: 4 Issues (2015)
Volume 6: 4 Issues (2014)
Volume 5: 4 Issues (2013)
Volume 4: 4 Issues (2012)
Volume 3: 4 Issues (2011)
Volume 2: 4 Issues (2010)
Volume 1: 4 Issues (2009)
View Complete Journal Contents Listing