SQL Injection Vulnerabilities - Research Paper Example

Summary
The aim of the paper "SQL Injection Vulnerabilities" is to provide comprehensive guidance on the use of the open source techniques and tools for independent identification of common SQL injection vulnerabilities simulating the attacker’s approaches…

Extract of sample "SQL Injection Vulnerabilities"

SQL Injection Vulnerabilities

INTRODUCTION

SQL injection is a class of vulnerability that poses extremely high risks in the present threat landscape. The MITRE Common Weakness Enumeration (CWE) ranked SQL injection first in its list of the top 25 most dangerous software errors. Many high-profile intrusions have demonstrated the exploitation of these vulnerabilities. An abundance of information exists on the prevention of SQL injection vulnerabilities; however, much of such information is technical and aimed at web application developers, not the general user community. This forms the basis of the article: to provide comprehensive guidance on the use of open source techniques and tools for independently identifying common SQL injection vulnerabilities by simulating the attacker’s approaches.

EXPLANATION OF PAPER

The causes of SQL injection vulnerabilities can basically be attributed to software applications accepting data from untrusted sources, failing to properly sanitize and validate that data, and then using it in the dynamic construction of an SQL query. SQL injection is most common in web-based applications, even though other applications that integrate SQL are also exposed to such threats. The persistence of this threat can be linked to the existence of the underlying causes in almost all web applications, regardless of the implemented technology, programming language, web framework or even popularity.

Many of the high-profile intrusions that involve SQL injection attract a lot of attention, which can be associated with the inherent breach of confidentiality of the data stored in the compromised databases. The loss of confidentiality and the resultant financial costs, the downtime involved in recovery efforts, negative publicity, and regulatory penalties are some of the initial impacts of a successful compromise.

The integrity of the database can also be compromised on sites that do not hold or use sensitive customer or financial information. Exploiting SQL injection vulnerabilities enables an attacker to persistently alter the stored content from which pages are dynamically generated so that it includes malicious code on the attacked site. Visitors to the site may thus be redirected to malicious sites or tricked into installing malicious code.

SQL injection attack vectors are the data that the user passes to the vulnerable web application and that the supporting database processes. In practice, the most common SQL injection attack vectors arise from data transmitted through HTTP POST and HTTP GET. Other attack vectors are HTTP User-Agent, HTTP cookie data, and Referer header values. The exploitation of some SQL injection vulnerabilities can be effected through authentication with unprivileged user accounts, depending on where the application fails to sanitize the input. This means that sites that readily and easily allow users to create new accounts carry additional risk.

The automatic detection of SQL injection vulnerabilities relies on heuristics about how the target application behaves in response to specially crafted queries. The techniques involved in the detection heuristics are classified into three categories. Boolean-based blind SQL injection supplies multiple valid statements that evaluate to true or false in the affected area of the HTTP request. By comparing the response page between the two situations, the tool can infer whether the injection succeeded. Time-based blind SQL injection supplies valid SQL statements in the affected area of the HTTP request that make the database pause for a particular period of time.
By comparing the response times of the variously timed injected requests with those of normal requests, the tool can establish whether or not the SQL statement was executed. Error-based SQL injection supplies invalid SQL statements to the affected areas within the HTTP request. The tool then monitors the HTTP responses for known error messages from the database server.

Two tools are commonly used in testing for SQL injection: OWASP ZAP and sqlmap. OWASP ZAP is an analysis tool for applications that communicate via HTTP and HTTPS. It functions as an intercepting proxy, which allows the user to review and modify requests and responses before they are sent between the browser and server. The tool also monitors the interaction between the web application and the user’s browser. Its features include the capacity to effectively investigate a web server for any links that may be hidden or obscured during normal interactions.

sqlmap is an open source, Python-based penetration testing tool that automates the process of detecting SQL injection flaws. It also includes features for exploiting vulnerable systems, such as database fingerprinting, data collection from compromised databases, access to the server’s underlying file system, and execution of commands on the operating system through out-of-band connections. sqlmap uses a command-line user interface.

MY OPINION

I agree with the article’s position that the information regarding SQL injection has been made highly technical to suit only professional web developers and not common users such as administrators.
There is a need for the information to be simplified in a manner that would enable the everyday consumers of information technology to be aware of SQL injection vulnerabilities, their causes and impacts, and the available techniques and tools for avoiding, preventing or managing any compromise of the database system. The acceptance of data from untrusted sources usually exposes users to the SQL injection vulnerability, as they are more likely to improperly sanitize and validate data, or to fail to do so at all. The attacks resulting from SQL injection quite often become headlines across the world because of their detrimental impact on the confidentiality of the data available in the databases. The breach of confidentiality of the consumer or financial information is always very likely. This is another reason why I agree with the fact advanced by the article concerning SQL injection being one of the most, if not the most, dangerous software errors.

SUMMARY

SQL injection is a class of vulnerability that poses extremely high risks in the present threat landscape. The causes of SQL injection vulnerabilities can basically be attributed to software applications accepting data from untrusted sources, failing to properly sanitize and validate that data, and then using it in the dynamic construction of an SQL query. SQL injection is most common in web-based applications, even though other applications that integrate SQL are also exposed to such threats. SQL injection attack vectors are the data that the user passes to the vulnerable web application and that the supporting database processes. In practice, the most common SQL injection attack vectors arise from data transmitted through HTTP POST and HTTP GET. Other attack vectors are HTTP User-Agent, HTTP cookie data, and Referer header values. Sites that readily and easily allow users to create new accounts carry additional risk.
The automatic detection of SQL injection vulnerabilities relies on heuristics about how the target application behaves in response to specially crafted queries. The techniques involved in the detection heuristics are classified into three categories: Boolean-based blind SQL injection, time-based blind SQL injection and error-based SQL injection. OWASP ZAP and sqlmap are two tools that are commonly used in testing for SQL injection. OWASP ZAP is an analysis tool for applications that communicate via HTTP and HTTPS. It functions as an intercepting proxy, which allows the user to review and modify requests and responses before they are sent between the browser and server. sqlmap is an open source, Python-based penetration testing tool that automates the process of detecting SQL injection flaws. It also includes features for exploiting vulnerable systems, such as database fingerprinting, data collection from compromised databases, access to the server’s underlying file system, and execution of commands on the operating system through out-of-band connections.

BIBLIOGRAPHY

Dougherty, C. (2013). Practical identification of SQL injection vulnerabilities. Retrieved from https://www.us-cert.gov/sites/default/files/publications/Practical-SQLi-Identification.pdf
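
Added example, not part of the essay or of the article it reviews: the cause described above (untrusted input used in the dynamic construction of a query) beside its parameterized form, with the Boolean-based and error-based heuristics run as local checks against both. The table, the function names and the sample values are constructed for illustration; the input stands in for an HTTP User-Agent value.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for an application's database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits (agent TEXT, page TEXT)")
    db.executemany("INSERT INTO visits VALUES (?, ?)",
                   [("Mozilla/5.0", "/home"), ("curl/8.0", "/login")])
    return db

def pages_dynamic(db, user_agent):
    # Vulnerable: the header value becomes part of the SQL text itself.
    sql = "SELECT page FROM visits WHERE agent = '" + user_agent + "'"
    return [row[0] for row in db.execute(sql)]

def pages_bound(db, user_agent):
    # Hardened: the value is bound as data and is never parsed as SQL.
    sql = "SELECT page FROM visits WHERE agent = ?"
    return [row[0] for row in db.execute(sql, (user_agent,))]

def boolean_signal(lookup, db, baseline):
    # Boolean-based heuristic: append an always-true and an always-false
    # condition. Differing responses mean the input was evaluated as SQL.
    when_true = lookup(db, baseline + "' AND '1'='1")
    when_false = lookup(db, baseline + "' AND '1'='2")
    return when_true != when_false

def error_signal(lookup, db):
    # Error-based heuristic: a lone quote yields invalid SQL only when the
    # input is spliced into the statement; bound input is just a string.
    try:
        lookup(db, "'")
    except sqlite3.Error:
        return True
    return False

def audit(lookup):
    # Run both heuristics against one lookup function on a fresh database.
    db = make_db()
    return {"boolean": boolean_signal(lookup, db, "Mozilla/5.0"),
            "error": error_signal(lookup, db)}

if __name__ == "__main__":
    print("dynamic:", audit(pages_dynamic))
    print("bound:  ", audit(pages_bound))
```

The same two checks can be kept as regression tests for any function that builds a query from request data: both signals should stay false.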
Cite this document
(“SQL Injection Vulnerabilities Research Paper Example | Topics and Well Written Essays - 1250 words”, n.d.)
SQL Injection Vulnerabilities Research Paper Example | Topics and Well Written Essays - 1250 words. Retrieved from https://studentshare.org/information-technology/1700485-sql-injection-vulnerabilities
