2010, Connection String Parameter Pollution (CSPP) Attacks
…
13 pages
In 2007 the ranking of the top ten critical vulnerabilities for the security of a system placed code injection second, just behind XSS attacks. The first release candidate of the 2010 version of the ranking has promoted code injection attacks to first place. In practice, the most critical attacks are those that combine XSS techniques to access systems with code injection techniques to access the information. The potential damage associated with this kind of threat, the total absence of prior work and the fact that the solution to mitigate these vulnerabilities must be worked out together with programmers, systems administrators and database vendors justify an in-depth analysis to estimate all the possible ways of implementing this technique.
International Journal of Computer Applications, 2013
This paper investigates and reports on web application vulnerabilities, with a specific focus on Structured Query Language Injection (SQLI) attacks and on measures to counter such threats. SQLI attacks pose very serious dangers to web applications: they make it possible for attackers to get unhindered access to the primary source of data, the database, and possibly to the very sensitive information that the database contains. Even though practitioners and researchers in the web application security field have proposed a range of techniques to get to the bottom of the SQLI attack challenge, presently adopted approaches have either resolved the problem only to some extent or have inadequacies that prevent their use and adoption. To help address this challenge, this paper presents a broad review of SQL injection attacks. An appraisal of current detection and prevention techniques against SQL injection attacks is also presented. Furthermore, a vulnerability assessment was conducted on the Centre for Computational Intelligence (CCI) Website as a case study. A code snippet that can be used to redesign the CCI website as a protective measure to counter threats of SQLI was proposed. An examination of this paper indicates that current solutions being promoted may not address the problem, and that web application firewalls provide the answer to SQLI attacks.
2013
When an internet user interacts in a web environment by surfing the Net, sending electronic mail messages and participating in online forums, a lot of data is generated which may contain the user's private information. If this information is captured by third-party tools and techniques, it may cause a breach of end user privacy. In the Web environment, end user privacy is one of the most controversial legal issues. In this paper, issues related to information leakage through SQL injection attacks are presented and protection mechanisms are also discussed.
Information Management & Computer Security, 2011
Code injection exploits a software vulnerability through which a malicious user can make an application run unauthorized code. Server applications frequently employ dynamic and domain-specific languages, which are used as vectors for the attack. We propose a generic approach that prevents the class of injection attacks involving these vectors: our scheme detects attacks by using location-specific signatures to validate code statements. The signatures are unique identifiers that represent specific characteristics of a statement's execution. We have applied our approach successfully to defend against attacks targeting SQL, XPath and JavaScript.
SQL injections have become a serious threat to the integrity, confidentiality and security of web applications. Attackers can gain unauthorized access to the database and can cause serious damage to the web application. Researchers have proposed various solutions to this problem. Many tools have also been devised to deal with this problem, but each comes with a limitation. In this paper, a study of SQL injections has been done. Various types of SQL injection and tools to counter them are discussed. For each technique, we have discussed its strengths and weaknesses in addressing the entire range of SQL injection attacks.
2013
SQL injection attacks are a serious security threat to Web applications. They allow attackers to gain unrestricted access to the databases underlying the applications and to retrieve sensitive information from those databases. Many researchers and practitioners have proposed various methods to solve the SQL injection problem; current approaches either fail to solve the full scope of the problem or have limitations that prevent their use. Many researchers and practitioners are familiar with only a subset of the wide range of techniques available to attackers who are trying to take advantage of SQL injection vulnerabilities. Many solutions proposed in the literature solve only some of the issues related to SQL injection. To address this, we give an extensive review of the different types of SQL injection attacks. For each type of attack, we provide descriptions and examples of how attacks of that type could be performed. We also analyze existing detection and prevention techniques against S...
International Journal of Computer Applications, 2011
For the internet, web applications exist; for web applications, syntax, semantics, coding and design exist; for coding and design, algorithms exist; and for algorithms, protecting techniques and rules exist. But as internet technologies have advanced, vulnerabilities have advanced too. Various old procedures, algorithm functions, and coding and design syntax and semantics exist which are vulnerable to attack and which, if used, could easily be traced or exploited by the attacker. Old practices which are vulnerable should be banned in organizations, companies and government sectors, and secure guidelines should be issued, consisting of security guidelines that should be strictly followed. In this paper we have presented coding flaws on different platforms and their solutions.
Today, most web applications are associated with a database at the back-end, so there are possibilities of SQL injection attacks (SQLIA) on them. A number of preventive measures have also been proposed by various researchers to overcome this attack, but which measure is more convenient and provides fast access to the application without compromising security is also a major concern nowadays. This paper provides a clear distinction among different types of SQLIAs and how these can be performed on a local server. A demonstration of SQLIAs on live websites is also provided for a better understanding of URL attacks. Finally, a complete set of guidelines is provided to help developers of database-driven web applications and researchers understand the causes of various SQLIAs, how to detect them in advance, and their preventive measures.
… , 2009. ICSE 2009. …, 2009
We present a technique for finding security vulnerabilities in Web applications. SQL Injection (SQLI) and cross-site scripting (XSS) attacks are widespread forms of attack in which the attacker crafts the input to the application to access or modify user data and execute malicious code. In the most serious attacks (called second-order, or persistent, XSS), an attacker can corrupt a database so as to cause subsequent users to execute malicious code.
Journal of Theoretical and Applied Information Technology, 2015
Recently, Web applications have been used for most activities in animation. These applications are affected by structured query language injection (SQLI). In this paper, four major objectives direct the work: conduct a detailed review of various SQLI attacks and investigate previous approaches that detected and prevented these attacks in Web applications; compare the performance metrics of the different techniques to evaluate the precision of the results and the time cost required, in order to identify the efficiency of the techniques; evaluate the effectiveness of the techniques in practice based on the effectiveness metrics; and define the efficiency and effectiveness direction of defensive approaches. The main contributions of this work are: a summary and critical review (strengths and weaknesses) of the defensive approaches that have been implemented; a comparison of the result accuracy of the different approaches through an evaluation using the standard performance metrics; an evaluation of the effectiveness of the techniques in practice; and identification of, and focus on, the critical and important lines of defensive techniques that need comprehensive study by future researchers, through which the advantages of high efficiency and effectiveness can be obtained.