Detect And Mitigate Sql Injection By Experiment Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

This Project explores the methods used to attack, detect and defend database systems with the aim of producing a series of recommendations in the form of a security policy. This could then be used by IT professionals to secure their applications and database systems. The main focus of this project is investigating SQL injection and other threats fased by database administrators.

SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any Procedure that constructs SQL statements should be reviewed for injection vulnerablities becuase SQL Server will execute all syntactically valid queries that it receives. Even paramerterized data can be manipulated by a skilled and dtermined attacker.

The primary form of SQL injection consists of direct insertion of code into user input cariables that are concatenated with SQL command and executed. A less direct attack injects malicious code into strings that are destined for storage in a table of as metadata. When the strored strings are subsequently concatenated into a synamic SQL command, the malicious code is executed.

The injection process works by permaturely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the malefactor terminates the injected string with a comment mark "-". Subsequent text is ignored at execution time.

The detection of SQL injection attacks has primarily been accomplished through pattern matching techniques against signatures and keywords known to be malicious. Until recently, this techniques has been successfull. Now attackers are hiding their malicious intent in a variety of ways to escape detection. These attemps detection requre new technoloty and techniques in order to be discovered and stopped before reaching critical systems and causing the exposure or destruction or corporate data.

Despite SQL injection's well-earned reputation as a relatively common and dangerous SQL Server attack vector, there are several ways to protect against this type of attack. The first, and most obvious, is to ensure that Web applications properly validate user-supplied input. Input can be filtered so that only known good input is accepted, known bad input could be stripped out, bad input could be escaped, and finally, bad input could be rejected entirely. Often a combination of these approaches is the best solution.

The idea behind allowing only known good input is defining a set of permitted characters for each data type used by the application. A telephone number input field, for example, would only accept the digits 0 to 9; a surname field should only contain upper- or lowercase letters from A to Z. The application could also be programmed to reject SQL keywords such as select or exec. Care should be taken to ensure that all possible keywords are included. A filter checking for the select keyword could be bypassed by alternative encodings:


The key objectives for this project are:

To study and examine the complete Sql Injection threat anaylsis.

To demonstrate the methods and their complete process of SQL Injection.

To examine the methods of identifying attacks of SQL Injection on a database webapplication.

To evaluate the preventative technologies from SQL Injection attacks.

Construct and test a security policy.

- How the Objectives will be achieved

To understand the scope of a threat surface, all segments of the control system and emphasis on entry points will be examined. The communication link between data and decision layers is the primary attack surface for SQL Injection. This Project will facilitate understand what SQL Injection is and why it is a significant threat to control system environments.

To have a brief view of all types of Sql Injection including First Order Attack, Second Order Attack, Literal Attack, Blind Sql Injection, Cross site Scripting and Escape String Sql injection etc and their complete processes will be implemented by coding examples.

Methods of identifying attacks of SQL Injection on the database application will be examined with different techniques such as routine application database audits should be used to determine if the application has been compromised. Querying the database for common HTML tags used by worms can reveal signs that the applicatoin is spreading malware and many others techniques will be described in this project.

Eliminating SQL injection vulnerabilities in a web application is the best approach to fight worms. Performing full application security audits can determine the presence of vulnerabilities in the systems. These penetration tests mimic an attacker by utilizing many of the same tools and techniques to identify weaknesses. On the other hand various commercial and free automated tools such as SQL Inject-Me are able to detect the presence of SQL injection vulnerabilities in web application.

To ensure that security is built into the web application, a security policy will be constructed for the web application and are mandated for compliance with many requlation such as SARBANES-OXLEY to demonstrate that it has taken "due diligence" in safeguarding application security and information policy. One security policy is constructed then it will be implemented to test and verify whether the security mechanisms perate correctly. This will be done through penetration testing which involves manullay or automatically trying to minic an attackers actions to check if any tested scenarios result in security breaches.

Writing Services

Essay Writing

Find out how the very best essay writing service can help you accomplish more and achieve higher marks today.

Assignment Writing Service

From complicated assignments to tricky tasks, our experts can tackle virtually any question thrown at them.

Dissertation Writing Service

A dissertation (also known as a thesis or research project) is probably the most important piece of work for any student! From full dissertations to individual chapters, we’re on hand to support you.

Coursework Writing Service

Our expert qualified writers can help you get your coursework right first time, every time.

Dissertation Proposal Service

The first step to completing a dissertation is to create a proposal that talks about what you wish to do. Our experts can design suitable methodologies - perfect to help you get started with a dissertation.

Report Writing

Reports for any audience. Perfectly structured, professionally written, and tailored to suit your exact requirements.

Essay Skeleton Answer Service

If you’re just looking for some help to get started on an essay, our outline service provides you with a perfect essay plan.

Marking & Proofreading Service

Not sure if your work is hitting the mark? Struggling to get feedback from your lecturer? Our premium marking service was created just for you - get the feedback you deserve now.

Exam Revision

Exams can be one of the most stressful experiences you’ll ever have! Revision is key, and we’re here to help. With custom created revision notes and exam answers, you’ll never feel underprepared again.