The document discusses several methods for defending against web application exploitation, including keeping software updated, using parameterized queries, sanitizing user input, monitoring for attacks, deploying honeypots, training employees, and having a security team. It also discusses how attackers can use time delays in SQL queries to deduce database structure, and provides details on vulnerabilities in Log4j, Microsoft SQL Server, and MySQL.
Case Project 8
1. Check and Update Software
Make sure your software is always up to date, including the operating system, web server, database, and all the frameworks and libraries your application depends on.

2. Use Bind Parameters
Use bind parameters (parameterized queries) for SQL queries instead of building queries by concatenating strings. This keeps user data from being placed directly into the text of the SQL statement.

3. Data Sanitization
Clean and validate input from users before accepting it. Remove or escape any special characters that could be used in SQL Injection attacks.

4. Perform Condition Monitoring
Set up a monitoring system to track metrics such as the number of SQL queries executed per minute, the number of query errors, or spikes in server resource use. This helps detect unusual activity that could be a sign of an attack.

5. Create Honeypots
Deploy honeypots, i.e. fake targets, to deceive attackers and gather information about them.

6. Employee Training
Train employees on the risk of SQL Injection and how to detect and prevent it.

7. Build a Security Team
Build a security team that operates continuously to monitor, detect, and respond to SQL Injection attacks.

2. Time Delays
An attacker launches an SQL injection attack by inserting malicious SQL code into the website's search function. Instead of extracting data directly, the attack crafts SQL queries designed to make the database delay its response depending on the injected command. If the website's response time increases significantly after a search query is submitted, it indicates that the injected SQL code is delaying the database response. By analyzing the response times of injected queries, attackers can deduce the structure of the database and identify weaknesses.

3. Oracle Vulnerability
CVE-2021-44228: This is a remote code execution vulnerability in Apache Log4j. It is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. This vulnerability has received a CVSS Base Score of 10.0 from the Apache Software Foundation.

4. Microsoft SQL Server Vulnerability
CVE-2023-36728 is a Microsoft SQL Server Denial of Service Vulnerability.
- Published Date: October 10, 2023.
- CVSS v3 Score: 5.5.
- CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
- Severity: Medium.
- Attack Vector: Local.
- Attack Complexity: Low.
- Privileges Required: Low.
- User Interaction: None.
- Scope: Unchanged.
- Confidentiality: None.
- Integrity: None.
- Availability: High.

5. MySQL Vulnerability
CVE-2023-21875: This vulnerability is in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.31 and prior. This difficult-to-exploit vulnerability allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data, and an unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
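The following is an added example, not part of the original case project, illustrating items 2 and 3 of the defense list (bind parameters and input validation) against the search-function injection described in the time-delay section. It uses Python's built-in sqlite3 module on a constructed in-memory product table; the table, the search term, the allow-list pattern and the function names are all assumptions made for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Build a constructed in-memory product table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)")
    # The 'hidden' row is data the public search endpoint must never expose.
    conn.executemany(
        "INSERT INTO products (name, hidden) VALUES (?, ?)",
        [("laptop", 0), ("phone", 0), ("internal-prototype", 1)],
    )
    conn.commit()
    return conn


def search_concat(conn, term):
    """Vulnerable form: the search term is spliced into the SQL text, so a quote
    character in the term stops being data and becomes SQL syntax."""
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_bound(conn, term):
    """Hardened form: the term is passed as a bind parameter. The driver sends it as a
    value, so it can never change the structure of the statement."""
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Allow-list for a product search term (assumed policy): letters, digits, space, hyphen,
# bounded length. Quotes, comment markers and semicolons are rejected before any query runs.
ALLOWED_TERM = re.compile(r"[A-Za-z0-9 \-]{1,64}")


def is_clean_term(term):
    """Input validation (item 3 of the defense list)."""
    return ALLOWED_TERM.fullmatch(term) is not None


def handle_search(conn, term):
    """The endpoint as a defender would write it: validate first, then query with bind
    parameters. Returns (accepted, rows)."""
    if not is_clean_term(term):
        return False, []
    return True, search_bound(conn, term)


if __name__ == "__main__":
    db = make_db()
    hostile = "x%' OR 1=1 --"  # constructed test input shaped like an injection attempt
    print("concat  :", search_concat(db, hostile))  # returns every row, hidden one included
    print("bound   :", search_bound(db, hostile))   # matches nothing: the term stayed data
    print("endpoint:", handle_search(db, hostile))  # rejected before the database is touched
```

Running the block shows the two layers working together: with string concatenation the constructed term rewrites the WHERE clause and the hidden row leaks, while the bound version treats the whole term as a LIKE pattern and returns nothing. One caveat worth keeping in mind: bind parameters stop the term from changing the statement, but they do not neutralize LIKE wildcards (`%` and `_`) inside it, which is one reason to keep the allow-list validation in front of the query.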
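As a second added example (again not part of the original case project), here is the monitoring side of item 4 combined with the time-delay indicator from section 2: per-minute query and error counters, plus a check for responses that take far longer than the median, grouped by client. The log format, the sample lines, the client addresses and every threshold are constructed assumptions for the demonstration.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample log lines (not from any real system). Format assumed:
# timestamp client path status duration_ms
LOG_LINES = """\
2024-01-10T10:00:01 203.0.113.5 /search?q=laptop 200 42
2024-01-10T10:00:04 203.0.113.9 /search?q=phone 200 38
2024-01-10T10:00:09 203.0.113.5 /search?q=tablet 200 45
2024-01-10T10:01:02 198.51.100.7 /search?q=a 500 40
2024-01-10T10:01:03 198.51.100.7 /search?q=b 500 39
2024-01-10T10:01:05 198.51.100.7 /search?q=c 500 41
2024-01-10T10:01:07 198.51.100.7 /search?q=d 500 44
2024-01-10T10:01:09 198.51.100.7 /search?q=e 200 5012
2024-01-10T10:01:15 198.51.100.7 /search?q=f 200 5008
2024-01-10T10:01:21 198.51.100.7 /search?q=g 200 41
2024-01-10T10:01:27 198.51.100.7 /search?q=h 200 5015
2024-01-10T10:02:01 203.0.113.9 /search?q=monitor 200 40
""".splitlines()


def parse_log(lines):
    """Parse the assumed log format into dicts; blank lines are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, client, path, status, ms = line.split()
        records.append({"ts": ts, "minute": ts[:16], "client": client,
                        "path": path, "status": int(status), "ms": int(ms)})
    return records


def per_minute_stats(records):
    """Item 4's counters: queries per minute and query errors (HTTP 5xx) per minute."""
    stats = defaultdict(lambda: {"queries": 0, "errors": 0})
    for r in records:
        stats[r["minute"]]["queries"] += 1
        if r["status"] >= 500:
            stats[r["minute"]]["errors"] += 1
    return dict(stats)


def slow_responses(records, factor=20):
    """Responses taking more than 'factor' times the median duration: the
    response-time jump that section 2 describes as the sign of an injected delay."""
    baseline = median(r["ms"] for r in records)
    return [r for r in records if r["ms"] > factor * baseline]


def find_alerts(records, rate_limit=5, error_limit=3, slow_factor=20, probe_min=3):
    """Combine the signals into alerts. Thresholds are assumed values; in practice they
    come from the application's own baseline. A client with several extremely slow
    responses in a row is flagged as probable time-delay probing."""
    alerts = []
    for minute, s in sorted(per_minute_stats(records).items()):
        if s["queries"] > rate_limit:
            alerts.append(("rate", minute, s["queries"]))
        if s["errors"] > error_limit:
            alerts.append(("errors", minute, s["errors"]))
    slow_by_client = Counter(r["client"] for r in slow_responses(records, slow_factor))
    for client, n in sorted(slow_by_client.items()):
        if n >= probe_min:
            alerts.append(("time_delay", client, n))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(LOG_LINES)):
        print(alert)
```

On the constructed lines the 10:01 minute trips both the query-rate and the error-count thresholds, and the same client accounts for three responses of roughly five seconds against a median of about 41 ms, which is the pattern a time-based probe leaves behind even when every request returns HTTP 200. The error burst and the delay pattern are independent signals; reporting both gives the security team from item 7 something concrete to triage.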