Program Analysis For Database Injections

  • Chelsea Ramsingh Student, Department of Computer Science, Iona College 715 North Avenue, New Rochelle NY 10801
  • Paolina Centonze Iona College 715 North Ave. New Rochelle, New York 10801

Abstract

Today businesses all around the world use databases in many different ways to store sensitive data. It is important that the data stored stay safe and does not get into the wrong hands. To perform data management in a database, the language SQL (Structured Query Language) can be used. It is extremely crucial to prevent these databases from being attacked to ensure the security of the users’ sensitive and private data. This journal will focus on the most common way hackers exploit data from databases through SQL injection, and it presents dynamic and static code testing to find and prevent these SQL cyber attacks by comparing two testing tools. It will also present a comparative analysis and static/dynamic code testing of two SQL injection detection tools. Burp Suite and Vega will be used to identify possible flaws in test cases dealing with users’ sensitive and private information. Currently, there are no comparisons of these two open-source tools to quantify the number of flaws these two tools are able to detect. Also, there are no detailed papers found fully testing the open-source Burp Suite and Vega for SQL Injection. These two open-source tools are commonly used but have not been tested enough. A static analyzer detecting SQL Injection will be used to test and compare the results of the dynamic analyzer. In addition, this paper will suggest techniques and methods to ensure the security of sensitive data from SQL injection. The prevention of SQL injection is imperative and it is crucial to secure the sensitive data from potential hackers who want to exploit it.

References

[1] Ceccato, Mariano & Scandariato, Riccardo. Static Analysis and Penetration Testing from the Perspective of Maintenance Teams. ACM. September 2016.
[2] McQuade, Kinnaird. Open Source Web Vulnerability Scanners: The Cost Effective Choice?.2014 Proceedings of the Conference for Information Systems Applied Research. 2014 EDSIG.
[3] Garn, B., Kapsalis, I., Simos, D. & Winkler, S. On the Applicability of Combinatorial Testing to Web Application Security Testing: A Case Study. ACM. July 2014. http://dx.doi.org/10.1145/2631890.2631894
[4] Aliero, M., Ardo, A., Ghani, I., Atiku, M. Classification of SQL Injection Detection and Prevention Measure. IOSR Journal of Engineering. Vol.06, Issue 02. February 2016.
[5] Dehariya, H., Skukla, P., Ahirwar, M. A Survey on Detection and Prevention Techniques of SQL Injection Attacks. International Journal of Computer Applications. Volume 137- No.5. March 2016.
[6] Kaur, Navdeep & Kaur, Parminder. Modeling a SQL Injection Attack. IEEE. 2016 International Conference on Computing for Sustainable Global Development (INDIACom). 2016.
[7] Burp Suite: https://portswigger.net/burp/
[8] VEGA: https://subgraph.com/vega/
[9] Hack Yourself First: https://hackyourselffirst.troyhunt.com
[10] Vicnum: http://vicnum.ciphertechs.com
[11] Acunetix( Forum ASP): http://testasp.vulnweb.com
[12] JuiceShop: https://github.com/bkimminich/juice-shop
[13] Altoro Mutual: http://demo.testfire.net/default.aspx
[14] OWASP. SQLPrevention Cheat Sheet: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
[15] OWASP Top 10 Web Vulnerabilities: https://www.owasp.org/index.php/Top_10_2013-Top_10
[16] Static Analysis vs. Dynamic Analysis: https://www.veracode.com/blog/2013/12/static-testing-vs-dynamic-testing
Published
2017-09-16
How to Cite
RAMSINGH, Chelsea; CENTONZE, Paolina. Program Analysis For Database Injections. INTERNATIONAL JOURNAL OF COMPUTERS & TECHNOLOGY, [S.l.], v. 16, n. 6, p. 6977-6986, sep. 2017. ISSN 2277-3061. Available at: <http://cirworld.com/index.php/ijct/article/view/6332>. Date accessed: 19 oct. 2017. doi: https://doi.org/10.24297/ijct.v16i6.6332.
Section
Articles