SQL-injection vulnerability scanning tool for automatic creation of SQL-injection attacks

Ali, Asif; Shakhatreh, Ala’ Yaseen Ibrahim; Abdullah, Mohd Syazwan; Alostad, Jasem M.

doi:10.1016/j.procs.2010.12.076

Cited by 28 publications

(6 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Ref. [17] designed an SQLi scanning model using the MySQL injector tool that can easily conduct penetration tests on a PHP-based website. The tool contains four developmental phases in which phase one is called Inception.…”

Section: Related Workmentioning

confidence: 99%

A Regeneration Model for Mitigation Against Attacks on HTTP Servers for Mobile Wireless Networks

Akinwale,

Olajubu,

Aderounmu

2024

Int. j. electr. comput. eng. syst. (Online)

View full text Add to dashboard Cite

The widespread expansion of the internet has fueled a global surge in the utilization of various online transactions, with a significant portion of such services operating on mobile web platforms. Simultaneously, the deployment of innovative Mobile Ad Hoc Network (MANET) technologies and mobile applications has grown as solutions for diverse tasks. Unfortunately, this progress has attracted the attention of hackers, who continually devise new strategies to exploit the vulnerabilities inherent in mobile networks. This study aims to address the escalating challenges posed by cyber threats in the era of widespread internet expansion, particularly focusing on securing mobile web platforms against sophisticated attacks such as Structured Query Language Injection (SQLi) for web-based database solutions and Denial of Service (DoS/DDoS) for various applications. In response to the identified vulnerabilities, this paper proposes an HTTP regeneration (HReg) model that not only detects various cyber-attacks but also ensures the uninterrupted provision of critical services during such incidents. The model introduces an innovative regeneration algorithm capable of scanning both the connection channel and web application to detect attacks, creating survivable connections within the underlying TCP engine to replace compromised ones during an ongoing attack. In simulated environments using OMNeT++, where the server is subjected to attacks, the experimental results demonstrate the efficacy of the model. The response and performance metrics, including throughput (73%), delivery ratio (68.8%), delay (3s), and network load, showcase the model's ability to detect and neutralize attacks. A comparison with state-of-the-art approaches highlights the superior performance of the regeneration model, attributed to its additional survivability layer. While the regeneration model proves robust in simulated environments, its real-world application may encounter limitations. Future research should explore these limitations to enhance the practical applicability of the proposed model. The proposed HReg model's resilient performance under attack conditions ensures the survivability of web-based applications. This innovative approach offers practical implications for securing mobile web platforms, providing continuous delivery of critical services even in the face of persistent and evolving cyber threats. This research addresses a significant gap in existing efforts by not only focusing on attack detection but also emphasizing the development of a survivable TCP connection for HTTP servers during attacks. The introduced regeneration model stands out for its unique ability to maintain service continuity, showcasing originality in the approach to cybersecurity in the context of web-based applications.

show abstract

Section: Related Workmentioning

confidence: 99%

A Regeneration Model for Mitigation Against Attacks on HTTP Servers for Mobile Wireless Networks

Akinwale,

Olajubu,

Aderounmu

2024

Int. j. electr. comput. eng. syst. (Online)

View full text Add to dashboard Cite

show abstract

“…If it is wrong, then the website page has a very significant different characteristic (W. G. Halfond, Viegas, & Orso, 2006). Research on Blind SQL injection was carried out by Ali et al with an application called MySQLInjector that scans website servers to detect hidden SQL vulnerable gaps that are efficient in penetrating their targets (Ali, Shakhatreh, Abdullah, & Alostad, 2011). MySQLInjector has three Blind SQL features, including Blind SQL Injection based on True/False response, True/Error response and Order by.…”

Section: B Blind Sql Injectionmentioning

confidence: 99%

Study the Best PenTest Algorithm for Blind SQL Injection Attacks

Nugroho

Mandala

2020

ijoict

View full text Add to dashboard Cite

<p>There are several types of SQL injection attacks. One of the most popular SQL Injection Attacks is Blind SQL. This attack is performed by exploiting a gap in the database server when executing query words. If the server responds to an invalid query, the attacker will then reverse the engineering part of the SQL query, which is obtained from the error message of the server. The process of generating a blind SQL injection attack is complicated. As a result, a Pentester often requires a long time to penetrate the database server. This research provides solutions to the problems above by developing the automation of a blind SQL injection attack. The method used in this research is to generate keywords, such as the database name and table name so that the attacker can retrieve information about the user name and password. This research also compares several search algorithms, such as linear search, binary search, and interpolation search for generating the keywords of the attack. Automation of the Blind SQL Injection was successfully developed, and the performance of the keywords generation for each algorithm was also successfully measured, i.e., 1.7852 seconds for Binary Search, 1.789 seconds for interpolation and 1.902 seconds for Linear Search.</p>

show abstract

“…Penetration testing tools such as MySQLInjector [13], V1p3R (Viper) [14], Sania [15], SAFELI [16], WAVES [17], [18], and [19] gather information from the web application and in order to analyze the application's response, they inject attacks according to the information gathered. V1p3R uses stored error patterns, and Sania uses SQL parse tree comparison for SQLIA detection.…”

Section: Staticmentioning

confidence: 99%

Web Application Reinforcement via Efficient Systematic Analysis and Runtime Validation (ESARV)

Lashkaripour¹

2020

IJEEI

View full text Add to dashboard Cite

Securing the data, a fundamental asset in an organization, against SQL Injection (SQLI), the most frequent attack in web applications, is vital. In SQLI, an attacker alters the structure of the actual query by injecting code via the input, and gaining access to the database. This paper proposes a new method for securing web applications against SQLI Attacks (SQLIAs). It contains two phases based on systematic analysis and runtime validation and uses our new technique for detection and prevention. At the static phase, our method removes user inputs from SQL queries and gathers as much information as possible, from static and dynamic queries in order to minimize the overhead at runtime. On the other hand, at the dynamic phase, the prepared information alongside our technique are used to check the validity of the runtime query. To facilitate the usage of our method and show our expectations in practice, ESARV was implemented. The empirical evaluations demonstrated in this paper, indicate that ESARV is efficient, accurate, effective, and also has no deployment requirements.

show abstract

SQL-injection vulnerability scanning tool for automatic creation of SQL-injection attacks

Cited by 28 publications

References 8 publications

A Regeneration Model for Mitigation Against Attacks on HTTP Servers for Mobile Wireless Networks

A Regeneration Model for Mitigation Against Attacks on HTTP Servers for Mobile Wireless Networks

Study the Best PenTest Algorithm for Blind SQL Injection Attacks

Web Application Reinforcement via Efficient Systematic Analysis and Runtime Validation (ESARV)

Contact Info

Product

Resources

About