Escolar Documentos
Profissional Documentos
Cultura Documentos
Injection
ABSTRACT:
This article speaks about the improvement in the
development process of the application to avoid the
SQLIA attack at the preliminary level, especially at
the source code itself. We discuss about the
possible methods to attack an SQLIA providing the
pseudo code for better understanding. A prototype
of the solution i.e. consolidating the validation into
a single custom component termed as Injection Box
control (IBC) that takes care of all the possible
preventive measures for controlling the SQLIA at
the source code level itself.
Keywords: SQL rand, Sql injection vulnerabilities,
Sql injection attack prevention.
1. INTRODUCTION
Web applications enable much of todays online
business including online banking, online
shopping, and online university admissions and
various online governmental activities. Anyone can
use a web browser and can access them, and the
data they manage typically has significant value
both to the users and to the service providers. [1, 2,
3, 4, 5 and 6] The standard language for accessing
database servers including MySQL, Oracle, and
SQL Server is SQL (Standard Query Language).
Web programming languages such as java and
asp.net provide various methods for constructing
and executing SQL statements, but developers
often misuse these methods due to lack of training
and development experience and resultant occurs
as SQL injection vulnerabilities. To construct SQL
statement the developers usually use the dynamic
query building with string concatenation. [7, 8, 9,
10, 11 and 12 ] The system forms queries with
inputs directly received from the external sources,
during runtime. This method makes it possible to
build different queries based on varying conditions
set by the user.
However, as this is the cause of many sql injection
vulnerabilities. Consequently, vulnerabilities that
allow an attacker to compromise a web
applications control of its data pose a significant
threat. SQL command injection vulnerabilities
comprise most of this class.
A sql injection [SqlI] attack occurs when a
malicious user, through specially crafted input
causes a web application to generate and send a
query that send a query that functions differently
than the intended programmer.
ExecuteQuery (sQuery)
3.2.1. SQLI Attack Method 1
Here if an hacker tries to inject an input Address1;
Delete from table name ;, then if appropriate
permission are available for that system then it can
completely wipe out the data e.g customer data for
that organization.
Similarly we can use; Truncate table, ; Drop
table; instead of delete statement.
4. Existing Framework
In the existing process, User tries to give inputs
that are passed to the DB server without validating
<error
statusCode="404"
redirect="~/error/PageNotFound.aspx" />
<error
statusCode="500"
redirect="~/error/InternalError.aspx" />
</customErrors> </System.Web>
Figure 2:
Prevention
Proposed
Process
for
SQLIA
6. Proposed Solution
A simple solution thought of SQLIA attack is
creating an custom component termed as Injection
Box Control (IBC) with the below checks made at
the code level to block the SQLIA.
Strip all the possible SQL vulnerables at the
server side code e.g Truncate, Drop, Delete, etc.
And pass the diffused vulnerable SQL to the
Database server .ie. IBC act as an validation layer
for the SQL vulnerables.
Future Work
Conclusion
Open Redirection
Zahra Shafiei is a
Student at the University of JNTUH and
Completed bachelor in mathematics applied in
computer. She is an expert on security in cloud
environment and her research interests also include
experimental Security evaluation, fault injection,
security benchmarking, software development
processes, and software quality assurance.