Prevent the SQL Injection base on Session using the static ID of retrieving the URL
DOI: https://doi.org/10.25098/8.1.32
Keywords: SQL injection, SQL injection attack, Query parameters, Session, Database Security
Abstract
Today, the rise in cyber threats has underscored the vulnerability of web applications, making website security a continuous challenge. Structured Query Language (SQL) injection attacks are among the top ten security vulnerabilities recognized by the Open Web Application Security Project (OWASP). SQL injection is still the most typical vulnerability and the most critical security threat because of the diversity of its forms and the dramatic consequences it can lead to, including financial losses, data leaks, and serious database corruption that could paralyze a site. One vulnerability in a web application is sending sensitive data through the Uniform Resource Locator (URL) query string, so the URL query string can become a trap for SQL injection attacks that steal user data. This paper proposes a solution based on a session, using a static identifier for retrieving the URL, to prevent SQL injection vulnerabilities.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
SJCUS's open access articles are published under a Creative Commons Attribution CC-BY-NC-ND 4.0 license.