SQL-Injection Tool for Finding the Vulnerability and Automatic Creation of Attacks on JSP

Cyber attacks have become a major concern: attackers can steal important documents, deface websites, and access confidential information, and may cause corporations that conduct their business through the web to suffer financial and reputational damage. Among these attacks, the most dangerous is the Structured Query Language (SQL) injection attack. This type of attack can be carried out with an ordinary web browser of the kind used for everyday browsing. A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of the queries issued. Most web application developers do not validate user input and are not aware of the consequences of this practice. These inappropriate programming practices leave a large opening for SQL injection, which attackers use to steal confidential information from the server's database [4]. To detect and handle this vulnerability, the coding structure used for web application development must be improved, and this requires a powerful tool that can automatically create SQL injection attacks using efficient features (different attack patterns). Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and to detect attacks by comparing the structure of the query actually issued against the intended query structure.
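The following is an added example, not the paper's tool, illustrating the detection idea above in Python rather than JSP: the same concatenation-based query builder is run on the real input and on a benign candidate input of equal length, both queries are reduced to their token-level structure (literals collapsed to placeholders), and a mismatch means the input changed the programmer-intended structure. `build_query`, `query_structure`, `candidate_input` and `is_injection` are names chosen here, not from the paper.

```python
import re

# Tokenizer for a small SQL subset: string literals, numbers, identifiers
# and keywords, then multi-character and single-character operators.
TOKEN_RE = re.compile(r"""
    '(?:[^']|'')*'          |   # single-quoted string literal ('' escapes a quote)
    \d+(?:\.\d+)?           |   # numeric literal
    [A-Za-z_][A-Za-z0-9_]*  |   # identifier or keyword
    <>|<=|>=|!=|[^\s]           # operators and punctuation
""", re.VERBOSE)


def build_query(username: str) -> str:
    """Hypothetical JSP-style query built by string concatenation (the risky pattern)."""
    return "SELECT * FROM users WHERE name = '" + username + "'"


def query_structure(sql: str) -> list:
    """Reduce a query to its structure: literals become placeholders, the rest is kept.

    Identifiers are upper-cased so both sides of the comparison are normalised alike.
    """
    structure = []
    for tok in TOKEN_RE.findall(sql):
        if tok.startswith("'"):
            structure.append("STR")
        elif tok[0].isdigit():
            structure.append("NUM")
        else:
            structure.append(tok.upper())
    return structure


def candidate_input(user_input: str) -> str:
    """Benign input of the same length, standing in for what a well-behaved user sends."""
    return "a" * len(user_input)


def is_injection(build, user_input: str) -> bool:
    """True when the real input yields a query whose structure differs from the
    structure mined from the same builder on the benign candidate input."""
    actual = query_structure(build(user_input))
    intended = query_structure(build(candidate_input(user_input)))
    return actual != intended


if __name__ == "__main__":
    # Constructed sample inputs: an ordinary name and a classic tautology payload.
    for sample in ("alice", "' OR '1'='1"):
        print(repr(sample), "->", "ATTACK" if is_injection(build_query, sample) else "ok")
```

An input such as `O'Brien` is also flagged, because unescaped concatenation genuinely breaks the intended query; the lasting fix is a parameterised query, which keeps the structure fixed regardless of input.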

[1] Dafydd Stuttard et al. The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, 2007.

[2] Gary McGraw et al. Static Analysis for Security, 2004, IEEE Security & Privacy.

[3] Mei Junjin et al. An Approach for SQL Injection Vulnerability Detection, 2009, Sixth International Conference on Information Technology: New Generations.

[4] Giuliano Antoniol et al. Automated Protection of PHP Applications Against SQL-injection Attacks, 2007, 11th European Conference on Software Maintenance and Reengineering (CSMR'07).

[5] Christopher Krügel et al. SecuBat: a web vulnerability scanner, 2006, WWW '06.

[6] Michael D. Ernst et al. Automatic creation of SQL Injection and cross-site scripting attacks, 2009, IEEE 31st International Conference on Software Engineering.

[7] Konstantinos Kemalis et al. SQL-IDS: a specification-based approach for SQL-injection detection, 2008, SAC '08.

[8] Alessandro Orso et al. AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks, 2005, ASE.

[9] Mohd Syazwan Abdullah et al. SQL-injection vulnerability scanning tool for automatic creation of SQL-injection attacks, 2011, WCIT.

[10] Richard A. Baker et al. Code Reviews Enhance Software Quality, 1997, Proceedings of the 19th International Conference on Software Engineering.

[11] Stephen Kost. An Introduction to SQL Injection Attacks for Oracle Developers, 2007.

[12] Philip S. Yu et al. The state of the art in locally distributed Web-server systems, 2002, ACM Computing Surveys (CSUR).