A Survey on Web Application Vulnerabilities (SQLIA, XSS) Exploitation and Security Engine for SQL Injection

Today almost all organizations have improved their performance through allowing more information exchange within their organization as well as between their distributers, suppliers, and customers using web support. Databases are central to the modern websites as they provide necessary data as well as stores critical information such as user credentials, financial and payment information, company statistics etc. These websites have been continuously targeted by highly motivated malicious users to acquire monetary gain. Structured Query Language (SQL) injection and Cross Site Scripting Attack (XSS) is perhaps one of the most common application layer attack technique used by attacker to deface the website, manipulate or delete the content through inputting unwanted command strings. Structured Query Language Injection Attacks (SQLIA) is ranked 1st in the Open Web Application Security Project (OWASP) [1] top 10 vulnerability list and has resulted in massive attacks on a number of websites in the past few years. In this paper, we present a detailed review on various types of Structured Query Language Injection attacks, Cross Site Scripting Attack, vulnerabilities, and prevention techniques. Besides presenting our findings from the survey, we also propose future expectations and possible development of countermeasures against Structured Query Language Injection attacks.

[1]  Michael D. Ernst,et al.  Automatic creation of SQL Injection and cross-site scripting attacks , 2009, 2009 IEEE 31st International Conference on Software Engineering.

[2]  G. Aghila,et al.  Combinatorial Approach for Preventing SQL Injection Attacks , 2009, 2009 IEEE International Advance Computing Conference.

[3]  Jianhua Sun,et al.  An execution-flow based method for detecting Cross-site Scripting attacks , 2010, The 2nd International Conference on Software Engineering and Data Mining.

[4]  Samik Basu,et al.  Analysis & Detection of SQL Injection Vulnerabilities via Automatic Test Case Generation of Programs , 2010, 2010 10th IEEE/IPSJ International Symposium on Applications and the Internet.

[5]  Laurie A. Williams,et al.  On automated prepared statement generation to remove SQL injection vulnerabilities , 2009, Inf. Softw. Technol..

[6]  Pratheep Bunyatnoparat,et al.  Protecting cookies from Cross Site Script attacks using Dynamic Cookies Rewriting technique , 2011, 13th International Conference on Advanced Communication Technology (ICACT2011).

[7]  Mei Junjin,et al.  An Approach for SQL Injection Vulnerability Detection , 2009, 2009 Sixth International Conference on Information Technology: New Generations.

[8]  V. N. Venkatakrishnan,et al.  CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks , 2010, TSEC.

[9]  Rahul Johari,et al.  Secure Query Processing in Delay Tolerant Network Using Java Cryptography Architecture , 2011, 2011 International Conference on Computational Intelligence and Communication Networks.

[10]  Jeom-Goo Kim,et al.  Injection Attack Detection Using the Removal of SQL Query Attribute Values , 2011, 2011 International Conference on Information Science and Applications.

[11]  Qing Tan,et al.  Effective SQL Injection Attack Reconstruction Using Network Recording , 2011, 2011 IEEE 11th International Conference on Computer and Information Technology.

[12]  Rahul Johari,et al.  Insecure Query Processing in the Delay/Fault Tolerant Mobile Sensor Network (DFT-MSN) and Mobile Peer to Peer Network , 2011 .

[13]  Agostino Cortesi,et al.  Obfuscation-based analysis of SQL injection attacks , 2010, The IEEE symposium on Computers and Communications.