SQLI Attacks: Current State and Mitigation in SDLC
Abstract
The SQL injection is a predominant type of attack and threat to web applications. This attack attempts to subvert the relationship between a webpage and its supporting database. Due to the widespread availability of valuable data and automated tools on the web, attackers are motivated to launch high-profile attacks on targeted websites. This paper is an effort to know the current state of SQL injection attacks. Different researchers have proposed various solutions to address SQL injection problems. In this research work, those countermeasures are identified and applied to a vulnerable application and database system, and the results are illustrated.

Keywords: Attack applications · Security · SQL injection · Secure development · Web
D. Kaur (✉), Lyallpur Khalsa College, Jalandhar, India, e-mail: [email protected]
P. Kaur, Guru Nanak Dev University, Amritsar, India, e-mail: [email protected]
© Springer Nature Singapore Pte Ltd. 2017. S.C. Satapathy et al. (eds.), Proceedings of the 5th International Conference on Frontiers in Intelligent Computing: Theory and Applications, Advances in Intelligent Systems and Computing 515, DOI 10.1007/978-981-10-3153-3_67

1 Introduction
SQL injection (SQLI) continues to be one of the most predominant web application threats, as it has compromised a large number of websites, including those of some high-profile companies. It allows attackers to obtain unauthorized access to the backend database by changing the intended application-generated SQL queries. This type of attack exploits vulnerabilities existing in web applications or in stored procedures in the backend database server [1, 2]. It allows attackers to inject crafted malicious SQL query segments that change the intended effect, so that the attacker can view, edit or make the data unavailable to other users, or even corrupt the database server. When an application becomes susceptible to an SQLI attack (SQLIA), the attacker can get total control of and access to the database [3]. A successful SQLIA can read sensitive data from the database, modify database data (insert/update/delete), execute administration operations on the database (such as shutting down the DBMS and making it unavailable), recover the content of a given file present on the DBMS file system and, in some cases, can also issue commands to the operating system [1].

This research paper examines the current state of SQLIAs by following various related news in recent years, analyzing previous years' attack data and scanning a few websites with an automated vulnerability scanner in Sect. 2. Section 3 discusses the developed vulnerable application and analyses the SQLI vulnerability status after implementation of known countermeasures from different researchers and security organizations. The scan results before and after are shown and illustrated. Section 4 concludes the paper and provides future directions.
2 Current State of SQLI Attacks
SQL injection attacks and their prevention have become one of the most active topics of research in industry and academia. There have been significant progr