Program Analysis For Database Injections
Today businesses all around the world use databases in many different ways to store sensitive data. It is important that the data stored stay safe and does not get into the wrong hands. To perform data management in a database, the language SQL (Structured Query Language) can be used. It is extremely crucial to prevent these databases from being attacked to ensure the security of the usersâ€™ sensitive and private data. This journal will focus on the most common way hackers exploit data from databases through SQL injection, and it presents dynamic and static code testing to find and prevent these SQL cyber attacks by comparing two testing tools. It will also present a comparative analysis and static/dynamic code testing of two SQL injection detection tools. Burp Suite and Vega will be used to identify possible flaws in test cases dealing with usersâ€™ sensitive and private information. Currently, there are no comparisons of these two open-source tools to quantify the number of flaws these two tools are able to detect. Also, there are no detailed papers found fully testing the open-source Burp Suite and Vega for SQL Injection. These two open-source tools are commonly used but have not been tested enough. A static analyzer detecting SQL Injection will be used to test and compare the results of the dynamic analyzer. In addition, this paper will suggest techniques and methods to ensure the security of sensitive data from SQL injection. The prevention of SQL injection is imperative and it is crucial to secure the sensitive data from potential hackers who want to exploit it.
 McQuade, Kinnaird. Open Source Web Vulnerability Scanners: The Cost Effective Choice?.2014 Proceedings of the Conference for Information Systems Applied Research. 2014 EDSIG.
 Garn, B., Kapsalis, I., Simos, D. & Winkler, S. On the Applicability of Combinatorial Testing to Web Application Security Testing: A Case Study. ACM. July 2014. http://dx.doi.org/10.1145/2631890.2631894
 Aliero, M., Ardo, A., Ghani, I., Atiku, M. Classification of SQL Injection Detection and Prevention Measure. IOSR Journal of Engineering. Vol.06, Issue 02. February 2016.
 Dehariya, H., Skukla, P., Ahirwar, M. A Survey on Detection and Prevention Techniques of SQL Injection Attacks. International Journal of Computer Applications. Volume 137- No.5. March 2016.
 Kaur, Navdeep & Kaur, Parminder. Modeling a SQL Injection Attack. IEEE. 2016 International Conference on Computing for Sustainable Global Development (INDIACom). 2016.
 Burp Suite: https://portswigger.net/burp/
 VEGA: https://subgraph.com/vega/
 Hack Yourself First: https://hackyourselffirst.troyhunt.com
 Vicnum: http://vicnum.ciphertechs.com
 Acunetix( Forum ASP): http://testasp.vulnweb.com
 JuiceShop: https://github.com/bkimminich/juice-shop
 Altoro Mutual: http://demo.testfire.net/default.aspx
 OWASP. SQLPrevention Cheat Sheet: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
 OWASP Top 10 Web Vulnerabilities: https://www.owasp.org/index.php/Top_10_2013-Top_10
 Static Analysis vs. Dynamic Analysis: https://www.veracode.com/blog/2013/12/static-testing-vs-dynamic-testing
Authors retain the copyright of their manuscripts, and all Open Access articles are distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided that the original work is properly cited.
The use of general descriptive names, trade names, trademarks, and so forth in this publication, even if not specifically identified, does not imply that these names are not protected by the relevant laws and regulations. The submitting author is responsible for securing any permissions needed for the reuse of copyrighted materials included in the manuscript.
While the advice and information in this journal are believed to be true and accurate on the date of its going to press, neither the authors, the editors, nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.