An Approach to Detect and Prevent SQL Injection and XSS Vulnerability in the Web Application

© 2023 by IJETT Journal
Volume-71 Issue-8
Year of Publication : 2023
Author : Shekhar Disawal, Ugrasen Suman
DOI : 10.14445/22315381/IJETT-V71I8P219

How to Cite?

Shekhar Disawal, Ugrasen Suman, "An Approach to Detect and Prevent SQL Injection and XSS Vulnerability in the Web Application," International Journal of Engineering Trends and Technology, vol. 71, no. 8, pp. 216-224, 2023. Crossref, https://doi.org/10.14445/22315381/IJETT-V71I8P219

Abstract
SQL Injection (SQLI) and Cross-Site Scripting (XSS) are among the most commonly exploited vulnerabilities in web applications, particularly those that handle sensitive data in banking, finance, and e-commerce. These attacks let an attacker gain unauthorized access to the system and read, manipulate, or delete critical data. SQL injection is carried out by injecting malicious SQL fragments into a query through an unvalidated input field; XSS injects script into pages served to other users through input that is neither validated nor encoded on output. It is therefore crucial to find effective solutions that detect and prevent these vulnerabilities in web applications. Although researchers have proposed several methods, existing solutions have limitations and inefficiencies in protecting against these attacks. In this paper, we propose a Web Vulnerability-Detection Prevention Methodology (WV-DPM) that can effectively detect and prevent SQL injection and XSS attacks. To evaluate the effectiveness of the proposed methodology, we have implemented it and compared it with existing methodologies.
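As an added illustration (not the paper's WV-DPM implementation, which the abstract does not describe), the following Python script shows the two sinks the abstract names, a query built by string concatenation and HTML rendered without encoding, beside their hardened forms, and adds a hypothetical signature check that stands in for the detection side. The users table, the sample login payload, and the signature patterns are all constructed for this example.

```python
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data (not from the paper): one user in an in-memory table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # SQLi sink: untrusted input is concatenated into the statement text,
    # so a quote in the input changes the structure of the query.
    query = (
        f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Prevention: a parameterized query binds the input as data; the driver
    # never parses it as SQL, so quotes and comment markers are inert.
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def render_vulnerable(name: str) -> str:
    # XSS sink: untrusted input is placed into HTML without encoding.
    return f"<p>Welcome, {name}</p>"


def render_safe(name: str) -> str:
    # Prevention: HTML-entity encoding at the output point (quote=True also
    # encodes ' and " so the value stays safe inside attribute values).
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


# Detection: illustrative signature patterns, hypothetical and not WV-DPM's rules.
SQLI_PATTERN = re.compile(
    r"(--|/\*|'\s*(or|and)\s*'|\bunion\b.*\bselect\b)", re.IGNORECASE
)
XSS_PATTERN = re.compile(
    r"(<\s*script\b|\bon[a-z]+\s*=|javascript\s*:)", re.IGNORECASE
)


def classify_input(value: str) -> list:
    """Return the signature classes that fire on one request field."""
    hits = []
    if SQLI_PATTERN.search(value):
        hits.append("sqli")
    if XSS_PATTERN.search(value):
        hits.append("xss")
    return hits


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # constructed attack string for the password field
    print("concatenated login bypassed:", login_vulnerable(db, "alice", payload))
    print("parameterized login bypassed:", login_safe(db, "alice", payload))
    print(render_safe("<script>alert(1)</script>"))
    for field in ["alice", payload, "<script>alert(1)</script>", "1 OR 1=1"]:
        print(repr(field), "->", classify_input(field))
```

The last probe, `1 OR 1=1`, matches neither pattern even though it is a textbook SQLi fragment for a numeric context: signature detection is easy to evade by changing syntax, which is why the prevention side (parameterization and output encoding) is the primary control and detection only complements it.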

Keywords
SQL injection, Prevention, Detection, Vulnerability, Web application.
