SQL injection is a major security risk in the present scenario. It targets applications that manage sensitive and secret records: a malicious SQL query is injected to modify the application's intended function. This book introduces a new framework for protecting web-based applications from SQL injection attacks.
This book is authored by Ms. Rashmi Gupta and Ms. Ruchi Kamra, who work as assistant professors at Amity University Haryana.
Year of publication: 2019
Today, network-based operations play an essential role in human activity. A web application is a set of rules, and measures are taken against threats to web services. Many day-to-day tasks are now based on the web. Web applications have become a widely accepted platform for a wide range of services such as webmail, online access, government websites, online retail sales, and many others. They provide convenient access to databases over the Internet. The growing use of web services has increased attacks on the web. Many attacks are found in web applications, but the SQL injection attack is the most dangerous and challenging attack for a web application [1].
Web applications are the backbone of today's business and a platform for a wide range of services that provide online access. Their use has become increasingly popular in daily life, for example for reading newspapers or making online payments for shopping. Web applications accept data from users, and this data is retrieved from the database through queries. A web application can hold sensitive and confidential data, which is stored in the database. Websites and services are especially at risk because of their universal exposure and their extensive use of the firewall-friendly HTTP protocol. Web applications offer a great facility for accessing the database through the Internet, which provides the required service to customers, but unfortunately these advantages have raised a number of security vulnerabilities that stem from improper code. SQL injection is the topmost risk associated with web applications according to OWASP (Open Web Application Security Project).
In today's age, all work is done online thanks to the flexibility and portability of web applications. Data is stored in databases that can be accessed anywhere and anytime through a network. These databases are built on the basis of Codd's principles and use SQL ("sequel") to interact with the external environment. All web applications depend on the Internet; examples are online banking, university admissions, shopping, and various government activities. These activities are therefore a key component of today's Internet infrastructure. Web applications such as financial applications, healthcare applications and government websites interact with the back-end database many times to answer client requests. If the security of such web applications is compromised, the result is financial, informational, ethical and legal consequences for the web application [2].
1.1 Overview of SQL Injection Attack
Structured Query Language (SQL) is a high-level language used in database management systems (DBMSs). SQL was originally developed in the early 1970s by Edgar F. Codd at IBM. It allows the user to modify, delete or simply access data. The "query" is the unit of execution in SQL; it returns the set of rows and columns that satisfy the condition specified in the query. SQL injection is a popular method of hacking or cracking at present. In this attack the attacker can create, read, update, modify or destroy data stored in the database. The attack allows the attacker to transform the original SQL query by adding malicious code, in order to obtain sensitive information or to destroy information in the database. The attacker places malicious code into an ordinary user-input field of the web application to gain authorization and unrestricted access to resources. A malicious attacker can extract hidden information, modify it, or even destroy all the data stored in a back-end database. SQL injection exploits security vulnerabilities at the database layer. It is a straightforward scheme in which attackers insert some SQL code into the original code in the database to fetch sensitive data or to destroy the information [15].
SQL injection is a type of web-based attack in which the attacker injects SQL commands at the entry points of a web application to gain access to the database. SQL databases are attractive targets because they often contain valuable information, for example usernames, passwords, email IDs, credit card details, and personal data. SQL injection is one of the most popular attacks used in system hacking or cracking. A web application can be harmed by an SQL injection attack: using it, an attacker can gain information or unauthorized access to the system. The damage is greatest when attackers gain control over the web application.
An attack that allows the attacker to alter the original SQL query by adding injected SQL code in the input fields is known as an SQL injection attack. SQL injection attacks consist of hackers injecting malicious queries into the queries the application intended, to get the desired output from the database. SQL injection allows an attacker to create, read, update, modify, or delete data stored in the back-end database. Thus, SQL injection exploits security vulnerabilities at the database layer. It is one of the easiest methods of attack: attackers inject some SQL code into the original code in the database to get sensitive information or to destroy the information. An SQL injection can destroy your database. SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a web form input box to gain access to resources or make changes to data. An SQL query is a request for some action to be performed on a database. Typically, on a web form for user authentication, when a user enters their name and password into the text boxes provided, those values are inserted into a SELECT query. If the values entered are found as expected, the user is allowed access; if they are not found, access is denied. However, most web forms have no mechanisms in place to block input other than names and passwords. Unless such precautions are taken, an attacker can use the input boxes to send their own request to the database, which could allow them to download the entire database or interact with it in other illicit ways. SQL injection is a technique by which malicious users can inject SQL commands into an SQL statement via web page input. It is a hacking or cracking method based on the security vulnerabilities of a web application.
SQL injection attacks are one of the most serious threats to web-based applications. SQL injection may allow an attacker to gain complete access to the application's database, which contains sensitive information. The resulting security violations can include identity theft, fraud and loss of confidential information [4].
In some cases, attackers can use an SQL injection to take control of and corrupt the system. SQL injection attacks are one of the most serious threats to web application security. They are frequently employed by malicious users for a variety of reasons such as financial fraud, theft of confidential data, cyber terrorism, or simply for fun. SQL injection is a type of attack in which the attacker adds Structured Query Language code to an input box of a web form to gain access or make changes to data. An SQL injection vulnerability allows an attacker to pass commands directly to a web application's underlying database and destroy functionality or confidentiality. SQL Injection refers to a class of code injection attack in which data provided by the user. Communication between the web server and the database is carried out with SQL commands. With specially crafted SQL commands an attacker can access user information. SQL injection is an attack on web applications that have vulnerabilities. These vulnerabilities are weaknesses in the design of the web application arising from its logic, syntax or semantics.
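The login-form case described above, where the entered name and password are inserted into a SELECT query, as an added example that is not from the book: the same check written with string concatenation and with bound parameters, run against a constructed in-memory SQLite table. The table, the account, the function names and the test input are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with one constructed account (sample data).
    The password is plaintext only to keep the demonstration short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_concat(db, name, password):
    """Vulnerable form: the input values become part of the SQL text."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # the input broke the statement's syntax

def login_param(db, name, password):
    """Hardened form: values are bound as parameters, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone() is not None

def run_demo():
    """Run both checks on the same inputs and return the outcomes."""
    db = make_db()
    crafted = "' OR '1'='1"  # constructed test input that contains SQL syntax
    return {
        "concat_valid": login_concat(db, "alice", "s3cret"),
        "concat_wrong": login_concat(db, "alice", "nope"),
        # The quote closes the string literal; OR '1'='1' is then evaluated
        # as part of the WHERE clause, so every row matches.
        "concat_crafted": login_concat(db, "alice", crafted),
        "param_valid": login_param(db, "alice", "s3cret"),
        "param_wrong": login_param(db, "alice", "nope"),
        # Bound as data, the same input is only compared with the stored value.
        "param_crafted": login_param(db, "alice", crafted),
    }

if __name__ == "__main__":
    for case, granted in run_demo().items():
        print(f"{case:15} access granted: {granted}")
```

Both functions behave identically on ordinary input; they differ only when the input contains SQL syntax, which is why the concatenated form can pass functional testing unnoticed.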