Detection of structure query language injection vulnerability in web driven database application

Muhammad Saidu Aliero, Kashif Naseer Qureshi, Muhammad Fermi Pasha, Awais Ahmad, Gwanggil Jeon

Research output: Contribution to journal › Article › Research › peer-review

1 Citation (Scopus)

Abstract

Structured Query Language (SQL) injection is among the top 10 security threats that can be used against a web application to cause severe damage or gain unauthorized access to data on the application server. Many reports indicate that an average of 64% of global websites are at risk of being attacked by SQL injection, and many top companies have experienced thousands of attack attempts through SQL injection. The current trend shows an increasing number of attack vectors, as these applications are deployed daily without a security detection and prevention mechanism in place. To overcome this challenge, researchers in academia and industry have presented proposals that automate SQL injection vulnerability assessment of the tested application. Current studies show the need to enhance the techniques of these proposals in order to reduce false alarms. In this study, we propose a component-based technique that minimizes the incidence of inaccurate results and makes the proposed solution easier to improve. The study uses three custom applications as testbeds to evaluate the accuracy of the proposed solution. Each of these testbeds contains several vulnerabilities against which the proposed tool is experimentally evaluated. An empirical evaluation is carried out on three vulnerable custom websites to evaluate the effectiveness of the proposed study. The experimental results show high accuracy. In addition, the proposed solution has better capabilities for analyzing page responses, based on four different techniques. Moreover, the proposed solution is the only solution that performs stored procedure SQL attacks and bypasses login authentication even when a restriction on the number of returned records is applied.

Original language: English
Article number: e5936
Number of pages: 14
Journal: Concurrency Computation: Practice and Experience
DOIs
Publication status: Accepted/In press - Jul 2020

Keywords

  • attacks
  • scanners
  • SQL injection
  • SQLI
  • vulnerabilities
