A complete guide to SQL Injection: detection and prevention techniques
1.Introduction
The remaining part of this article has been compiled as a full ebook.
You can download the complete ebook from the following link with $1 only.
An SQL injection is a process of applying malicious SQL queries instead of some input to extract data from the database. The breached data can be sensitive information that can be misused by attackers. That data can range from user-id, passwords to very crucial government secrets. It is not surprising that SQLi stands first in the world’s most dangerous security attacks by open web application security project(OWASP) and Imperva. They are so effective that most applications are vulnerable to at least one SQLi. There are many SQLi detections and preventive techniques (referred further as anti-SQLi or ASQLi). With every new emerging prevention technique, the new SQLi method is being found. In this project, we see how well these methods (ASQLi)fare against all types of SQLi methods. Which methods are best in which cases, What are recent trends in these preventive methods? How can we intuitively create new ASQLi for a new SQLi method?
Ref no
|
Acronym
|
Full form
|
[1]
|
SQLi
|
SQL
injection attacks
|
-
|
ASQLi
|
Anti SQL
injection methods
|
[6]
|
DAP
|
database audit and protection
|
[6]
|
DIDAFIT
|
Databases through Fingerprinting Transaction
|
[3]
|
SVM
|
Support Vector Machine
|
[1]
|
SQLiGoT
|
Detecting SQL Injection Attacks using Graph of Tokens and SVM
|
[9]
|
SQLiDDS
|
SQL injection Detection using Document Similarity
|
[13]
|
VSM
|
vector space model
|
[10]
|
SQL-IF
|
SQL-injection free
|
 |
| Fig 1. How SQL injection works |
2. Motivation
The motivation behind making an analysis of SQL detection and prevention methods is that SQLi is ranked 1 in most dangerous cybersecurity attacks. According to many sources, it is estimated that a well-developed and famous website will receive around 80-250 SQLi. This makes us need a study that can classify what are latest SQLi and how do we prevent them. How successful are current techniques? New SQLi methods are emerging very frequently and we need a study to be prepared for them. This Is a case where both sides of injection keep on improving until they reach a saturation point. Either attacks become non-preventable or the security becomes unbreachable. But the most likely scenario is completely shifting to new technology to attack/prevent. This does not mean we stop developing ASQLi. So this phase of cybersecurity needs more ASQLi than SQLi. The more we invest in studying them, we have a better chance to develop more of them.
3. Types
of SQL Injection
SQL
injection is broadly classified into 3 Types:
- In-band SQL injection
- Blind injection
- Out-of-band injection
In-band SQL injection:
In-band SQL injection (also known as classical SQLi ) is the most common and basic type of the SQL injection attacks. It occurs when an attacker uses a single channel to do both attacks and gather information. This in-band injection is possible in 2 ways i.e. error-based and union-based.
Error-Based SQLi
Error-based SQLi is an in-band SQL injection technique. In this attack, we will type or send something to the server by URL and the server will show us an error. After getting the error, we will decide on who the next target will be. This is helpful to understand the structure of a database server and obtain related information about it.
The remaining part of this article has been compiled as a full ebook.
You can download the complete ebook from the following link with $1 only.
Comments
Post a Comment