
Volume 9, Issue 5, May – 2024 International Journal of Innovative Science and Research Technology
ISSN No:-2456-2165 https://doi.org/10.38124/ijisrt/IJISRT24MAY501

Understanding SQL Injection Attacks: Best Practices for Web Application Security

Tanzila Hasan Pinky¹; Kaniz Ferdous²; Jarin Tasnim³; Kazi Shohaib Islam⁴

Abstract:- SQL (Structured Query Language) injection represents a security weakness that enables attackers to run SQL commands within a web application's database. When exploiting an application designed without input validation, a malicious actor can control input data to execute SQL queries. The objective of detecting SQL injection vulnerabilities is to identify any section of a web application that is exposed to user-input exploitation for SQL injection attacks, and to confirm that the application adequately validates user inputs. The aim of this project is to form an attack chain and test it against a website to assess the site for weak links and identify any entry points that an attacker could use to penetrate the system and take control of it.

From the literature it is evident that most tools only check the vulnerability for the given URL and do not crawl through the webpages to find whether the vulnerability is present in any of the other pages. In this project, we take the additional step of confirming that none of the vulnerabilities discussed in this research is present in any of the webpages.

Keywords:- SQL Injection, SQL Queries, Vulnerabilities, Website, URL, Webpages.

I. INTRODUCTION

In today's era web applications are essential in our lives, helping us with tasks like online shopping and sharing data. The main goal of this study is two-pronged: first, to examine how well web applications can withstand security risks, and second, to suggest and assess methods to improve their ability to defend against threats. It is not only an option to defend ourselves from the attacker but also to think like them, checking the security of the webpages against the queries an attacker would send. By this, all points of the security will be tested and implemented carefully. For browsing online pages and making them more user friendly as well as trustworthy, this research will be more convenient and facilitating for the users.

However, relying on these platforms also exposes us to security risks that could compromise our information. As students studying computer science, it is our duty to protect data and keep the confidentiality of users' information. Our study focuses on evaluating the security of web applications, specifically looking into vulnerabilities such as SQL injection, Cross Site Scripting (XSS), and HTTP Strict Transport Security (HSTS). Our goal is to pinpoint weaknesses and suggest ways to strengthen defence mechanisms. Divided into three parts, our research delves into testing for SQL injection, XSS and HSTS vulnerabilities. This study aims to provide a comprehension of web application security paradigms by combining real-world data and theoretical perspectives. By examining these weaknesses and exploring ways to mitigate them we aim to offer insights for improving web application security. Through this study, we aim to enhance understanding of web application security and help stakeholders defend against threats while maintaining user trust in platforms. For the testing environment we are going to use the structure shown below:
examine how well web applications can withstand security

Fig 1: Proposed Architecture of the Testing Applications


In this paper we proceed with the following steps: (II) presenting the findings of our research and the insights gained from them, (III) demonstrating the outcomes of our study and research by outlining the challenges for our strategy, (IV) a discussion on the significance of our testing discoveries, and (V) potential areas for further exploration in future work.

II. RELATED WORKS

One study researched the use of the black-box method for penetration testing, with a specific focus on SQL injection attacks. This research gave more statistical than technical information, and goes on to explain the vulnerability of every website and how important it is to perform penetration testing at regular intervals to better safeguard the web application [1]. Oliver Moradov, on SQL Injection testing methods [10], mentioned in a blog that there are 5 types of testing for an SQL Injection: Stacked Query Testing (completing an SQL query and writing a new one on top of the previous), Error-Based Injection Testing (exploiting SQL error messages), Boolean-Based Injection Testing (adding conditional statements), Out-of-Band (Blind) Exploit Testing and Time Delay Exploit Testing (monitoring server response time). The first documentation of SQL injection, in 1998, came from a researcher and hacker, where it was mentioned that with basic coding skills one could use unauthorized SQL commands on legitimate SQL statements to extract confidential information from a database. There are multiple tools to test for every one of these vulnerabilities separately, and there are a lot of applications that offer tests for various vulnerabilities combined. But all these tools require basic knowledge of how the application works and the kind of parameters that need to be sent to execute the tests [8]. Another research paper applies machine learning algorithms to network traffic patterns to identify unusual or suspicious traffic that may indicate an attempt to launch a SQL injection attack. The proposed detection system employs machine learning methods to identify patterns and scrutinize gathered data for indications of an SQL injection risk [3]. Since this isn't a tool, there could be hurdles in constructing the model and initiating the testing phase. Like the machine learning model, another proposal uses runtime validation to detect and prevent SQL Injection Attacks (SQLIA). The model uses a proxy server as a middle layer between the client and the database server to check input queries and filter out any SQLIA [12]. For an understanding of various detection and prevention techniques, such as the hybridization of the Knuth-Morris-Pratt (KMP) and Boyer-Moore (BM) algorithms into a detection model that scans the web environment for SQL Injection attacks like Tautology, Union Queries and Piggy-Backed attacks, the survey in [2] will be useful for us in writing different SQL Injection attack queries. The cheat sheet (Invicti, n.d.), like other blogs, gives an in-depth explanation of different SQL injection attacks on MySQL, Microsoft SQL Server, ORACLE and PostgreSQL SQL servers [5]. A SQL Injection blog gives a good introduction on how to test for SQL Injection attacks; from this blog, we will be using the examples provided for basic use cases [16]. In another blog, examples are given for each testing method. Using these queries, we will test for each type of SQL Injection attack [15]. Moving from simpler use cases, we will use queries from the exhaustive list provided by the OWASP organization to test advanced cases for our research [13]. For a deeper explanation of SQL Injection, the OWASP testing guide covers the threat modelling, explains the impact of the attack and what the attacker is capable of, the applications where SQL Injection is common, like PHP and ASP, and the severity of SQL Injection attacks, and also briefs the occurrence and the consequences of the attack. This makes one wonder how we could link a SQL Injection attack with other forms of vulnerability [14]. In a blog, the major problem identified is that not enough tests are written to validate all negative use cases when the code is developed. Organizations might not have enough funding to dedicate a testing team or have sufficient manpower. For a persistent attacker, this is an easy target. The author suggests using Feedback-Based Fuzzing to overcome these issues; this automates the testing process along with generating the test data based on the previous results [9].

III. PROPOSED MODEL

• System Construction
This model is a collection of tools used for checking vulnerabilities in a website. The framework uses various open-source applications to identify different types of vulnerabilities. We implement the Vulnerability Checker using Python and vulnerability testing software like SQLMap, Nmap, DirBuster and Nikto, along with various Python modules, to test the website for SQL Injection attacks, for Man-in-the-Middle attacks (by testing whether the web application sets the HTTP Strict-Transport-Security header) and for Cross-Site Scripting attacks.

• SQLMap: SQLMap is an open-source penetration testing tool used for testing SQL injections; it generates the SQL queries to test against the website. SQLMap has a lot of options to choose from and is extensive in testing for SQL injection. The basic arguments required to execute the sqlmap command are the '-u' option, to specify that we are going to enter a URL, and the URL itself as the second argument.
• Nmap: Nmap, short for Network Mapper, is an open-source application to discover networks and audit security vulnerabilities. Nmap needs the URL as a mandatory argument, and depending on the requirements additional options can be provided to get the desired output.
• DirBuster: DirBuster is a Java application used for brute-forcing files and directories on a web application. It tries to find any hidden files or directories within the application. The DirBuster tool reads all files and directories on the website and displays them on the terminal. The output can also be redirected to an output file.
• Nikto: Nikto is an open-source application that scans web servers and common gateway interfaces. Nikto provides support for HTTP proxies, accepts cookies, and verifies whether the server is running any outdated components. Nikto takes 2 inputs as arguments: first, -h to indicate the host URL, and second the URL or IP address of the web application to test.
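The tautology, union and piggy-backed attack classes surveyed above, and the input validation the tools are looking for, all come down to one defect: untrusted input spliced into the query text. The following is an added example, not the paper's script, using a constructed in-memory SQLite table to show the vulnerable login query beside its parameterized fix and an allow-list validator; the table contents, payload strings and function names are assumptions.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory users table so the example runs offline (not the paper's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The defect the paper's tests hunt for: user input is spliced into the SQL text,
    so input can change the query's structure (tautology, union, stacked queries).
    Note: the sqlite3 driver refuses more than one statement per execute(), which
    incidentally blocks piggy-backed queries here; many other drivers do not."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """The fix: the query text is constant and the driver binds values separately,
    so a quote or keyword in the input is only ever compared as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(value):
    """Allow-list input validation: defence in depth, not a substitute for binding."""
    return USERNAME_RE.fullmatch(value) is not None


# Constructed inputs for two of the attack classes named in the related work.
TAUTOLOGY = "' OR '1'='1"                                  # always-true condition
UNION = "' UNION SELECT username, password FROM users --"  # appends a second result set

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology   :", login_vulnerable(db, "alice", TAUTOLOGY))
    print("parameterized, tautology:", login_parameterized(db, "alice", TAUTOLOGY))
    print("vulnerable, union       :", login_vulnerable(db, UNION, "x"))
    print("parameterized, union    :", login_parameterized(db, UNION, "x"))
    print("validator rejects union :", not is_valid_username(UNION))
```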


Fig 2: Flow Chart of the System Process

A Python script combines it all and imports the sqlmap-dev version. All options that need to be executed are sent as arguments to the sqlmap-dev script, the command is executed with the appropriate values, and the result is returned and can be redirected to a file. Various options of sqlmap are tested the same way. Once the results are taken, the strength of the web application is checked by testing whether the HSTS header is present in the first HTTPS response from the server. If the HSTS header is present, then the website cannot be downgraded to an HTTP site. The next level of testing looks for cross-site scripting possibilities in the web application: all the forms available on the webpage are retrieved and a JavaScript payload is inserted into each form. If the website executes the injected script, then the website is vulnerable to cross-site scripting attacks. All these tools check only the URL specified and do not go further to check whether any other web pages on the site are vulnerable to these attacks. Using an application called DirBuster, we can extract all hidden directories and files and try to navigate to these web pages. By passing these webpages as arguments to the script, we can check whether all the webpages on the website are vulnerable to any security risks.

• Developed System
The Python script includes a set of tools that thoroughly check the website's compliance with cybersecurity standards, especially focusing on HTTP Strict Transport Security (HSTS) and the validity of Secure Socket Layer (SSL) certificates. It also evaluates the susceptibility to cross-site scripting (XSS) by examining web forms. To detect SQL Injection the script uses a subprocess to handle command line inputs. It is designed for users of all skill levels, providing two testing options: Intermediate and Expert. The script implements a comprehensive suite of tests, covering the gamut of injection techniques including Error-based, Time-based, and Union Query-based.

• SQL Injection Testing: Sqlmap can additionally be used to automate various tasks, making it a valuable tool for streamlining the testing process and maximizing efficiency. Upon executing the SQL injection test, it was determined that the target was not susceptible to injection. The testing procedure then proceeds to assess the remaining links discovered on the webpage. Further evaluation is performed to ensure that the website remains secure against potential security threats.
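The HSTS step described above (look at the first HTTPS response and treat a missing header as downgrade risk) is more useful when the header's directives are also validated, since a header without max-age is ignored by browsers and a short max-age or missing includeSubDomains leaves a window open. This is an added example, not the authors' script; the one-year threshold, the verdict labels and the function names are my assumptions, and the sample header sets are constructed.

```python
import http.client
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; assumed threshold, the max-age commonly recommended for HSTS


def fetch_first_response(url, timeout=10):
    """HEAD the URL over HTTPS and return (status, lower-cased headers) of the FIRST response.
    Redirects are deliberately not followed: the policy must be on the first secure response."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def evaluate_hsts(headers):
    """Return (verdict, findings) for a dict of lower-cased response headers.
    verdict is one of: 'missing' | 'invalid' | 'disabled' | 'weak' | 'strong'."""
    raw = headers.get("strict-transport-security")
    if raw is None:
        return "missing", ["no Strict-Transport-Security header: a first visit can be downgraded to HTTP"]
    directives = parse_hsts(raw)
    try:
        max_age = int(directives["max-age"])  # RFC 6797: max-age is mandatory
    except (KeyError, ValueError):
        return "invalid", ["max-age absent or not an integer: browsers ignore the header"]
    if max_age == 0:
        return "disabled", ["max-age=0 removes any cached policy"]
    findings = []
    if max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains stay downgradable")
    return ("weak" if findings else "strong"), findings


if __name__ == "__main__":
    # Constructed header sets standing in for live first responses.
    for sample in ({},
                   {"strict-transport-security": "max-age=300"},
                   {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}):
        print(evaluate_hsts(sample))
```

For a live target, pass the headers returned by fetch_first_response(url) to evaluate_hsts.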


Fig 3: SQLMap Test for Intermediate Level Users


Fig 4: SQL Injection Test for the Second Level of Webpages


Fig 5: Test Results for SQL Injection (Both Figures)

• Cross-Site Scripting Testing: The cross-site scripting assessments are not limited to the initial URL provided by the user, but rather encompass a broader examination of the other pages available on the website to identify those that are susceptible to XSS attacks. For intermediate level users we go a level up and test all available webpages on the website. To retrieve the available webpages, we use dirb to find any hidden files or folders. The Custom Word List generator (CeWL) generates a wordlist based on the words present on the website. Dirb takes as arguments the wordlist created by CeWL and a predefined wordlist, and uses them to navigate through the webpages and identify any hidden folders or files. We store these findings in an output file and use the found links to test for the presence of cross-site scripting in all these webpages. Cross-site scripting testing for intermediate level users is thus done not just for the given website, but also for the other files found using the dirb tool. The script iterates over the found webpages and applies the cross-site scripting tests to identify the vulnerability, if any.
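The form step above fills every form on every discovered page with a script and watches whether it executes. As an added example that is not the paper's script, the following swaps the script for an inert marker and decides from how the marker is reflected whether output encoding is missing, which is the condition that makes the page XSS-prone; form extraction uses html.parser, and the marker, sample page, page URL and function names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

MARKER = "xsscanary7391"    # constructed, distinctive and inert: not a script
PROBE = f'"<{MARKER}>"'     # wraps the marker in the characters an output encoder must neutralise


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and the names of its fillable fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "inputs": []}
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            if name and (a.get("type") or "text").lower() not in ("submit", "button", "file", "image"):
                self._current["inputs"].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def extract_forms(page_html):
    collector = FormCollector()
    collector.feed(page_html)
    collector.close()
    return collector.forms


def build_probe_request(page_url, form, probe=PROBE):
    """Resolve the form target and fill every field with the probe: (method, url, data)."""
    target = urljoin(page_url, form["action"]) if form["action"] else page_url
    return form["method"], target, {name: probe for name in form["inputs"]}


def reflection_verdict(response_html, marker=MARKER):
    """'raw'    : marker came back with '<' and '>' intact, so markup from input reaches the page
       'encoded': marker present but the metacharacters were neutralised (output encoding works)
       'absent' : the input is not reflected on this page at all"""
    if f"<{marker}>" in response_html:
        return "raw"
    if marker in response_html:
        return "encoded"
    return "absent"


if __name__ == "__main__":
    # Constructed page standing in for one crawled URL.
    page = ('<form action="/search" method="GET"><input name="q"><input type="submit"></form>'
            '<form action="/login" method="post"><input name="user"><input type="password" name="pw"></form>')
    for form in extract_forms(page):
        print(build_probe_request("https://example.test/index.html", form))
    print(reflection_verdict('<p>Results for "<xsscanary7391>"</p>'))
    print(reflection_verdict('<p>Results for &quot;&lt;xsscanary7391&gt;&quot;</p>'))
```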

Fig 6: DIRB Execution Results


Fig 7: Results of the Cross-Site Scripting Test


• HSTS Header Tester: Sqlmap also performs tests for more advanced security vulnerabilities. These tests include verifying the availability of the strict-transport-security header, which is an important security feature that helps to protect against man-in-the-middle attacks. It also provides valuable insight into the underlying technologies and components utilized in the creation of the web application, including the version and type of database employed. These tests confirm whether the specific security vulnerability is present on the website, thus giving the owner an idea of the security of their web application.

Fig 8: SSL Certification and HSTS Header Test Results for Components

• Valid SSL Certification: Sqlmap also checks for the presence and configuration of SSL certificates, which are used to encrypt communication between the client and server. By verifying the SSL certificate, Sqlmap can identify potential vulnerabilities that could be exploited by an attacker. Other tests that Sqlmap performs include checking for cross-site scripting vulnerabilities, testing for cross-site request forgery, and validating the security of session cookies. Tests for the strict-transport-security header, verification of a valid SSL certificate and a check for any outdated components are a part of expert level testing too.

• Remaining vulnerabilities testing in Expert level: The remaining tests are like those of the intermediate user level. Cross-site scripting tests are performed for all the hidden files and folders obtained through dirb. Tests for the strict-transport-security header, verification of a valid SSL certificate and a check for any outdated components are a part of expert level testing too. Expert level users can run any SQL query to test the website using this script; all other functionalities are like those for intermediate users. The user enters a query that he wants to test on the vulnerable server and sees the response he receives. Every tool initiated a sub-process, and the corresponding results were stored in a log file which was further accessed to retrieve information.


Fig 9: Results of the Remaining Vulnerability Tests at the Expert Level

IV. RESULT

This analysis has provided a thorough examination of the current landscape of SQL injection testing and emphasized the significance of being proactive in protecting against these types of attacks. The increasing prevalence of SQL injection attacks and their potential consequences, such as data breaches, highlight the need for organizations to take these threats seriously. By utilizing the right tools and techniques, as well as implementing secure coding practices, organizations can significantly reduce their risk of falling victim to a SQL injection attack. It is important to note that the threat of SQL injection is constantly evolving, and organizations must stay vigilant and up to date with the latest technologies and best practices. SQL injection is a serious security threat that can have devastating consequences for organizations if not properly addressed. The purpose of this thesis was to explore the various methods and techniques used for SQL injection testing, along with testing for the HTTP Strict Transport Security header and checking for cross-site scripting attacks. In conclusion, organizations should take a comprehensive and proactive approach to security, as it ensures the confidentiality and integrity of their sensitive information.

V. CONCLUSION AND FUTURE WORK

To ensure the web applications' security we were able to test the XSS and HSTS tools, which will reduce the chance of website vulnerability to SQL injection attack. For detecting the vulnerabilities, this paper discusses the methods and the tools used in testing to identify the loopholes for attacks. Furthermore, it underscores the importance of incorporating development practices such as input validation and careful query usage to thwart SQL attacks. The serious consequences of SQL attacks, including data loss and financial implications, underscore why organizations should implement security strategies that involve testing and strong protective measures. The thesis stresses the significance of XSS testing to prevent script injections on web pages and HSTS testing to ensure secure HTTPS transmissions that protect users from attacks and data breaches.

In the future, for easy access, as we want to secure the process of online use as well as computer usage, we are also working to create software for reducing the risk of SQL injection attacks on webpages. Such a tool would significantly improve an organization's ability to defend against attacks and maintain the confidentiality of their information.

In conclusion, the thesis highlights the importance of taking a proactive approach to security by staying informed about best practices and emerging technologies to address evolving security threats. If this process is adopted by people who work in online businesses or use online platforms for their work, they can easily protect their personal information and secure credentials from SQL injection attacks. This can ensure the confidentiality, accessibility, and integrity of the user's information.

ACKNOWLEDGEMENT

We would like to express our gratitude to our parents and our friends who also dealt with the solution to SQL Injection attacks in our research paper, and we thank the group members for contributing their fullest in completing this paper.


REFERENCES

[1]. Alde Alanda, D. S. (September 2021). Web Application Penetration Testing Using SQL Injection. International Journal On Informatics Visualization, 320-326.
[2]. Shobana R, D. M. (2020). A Thorough Study On SQL Injection Attack-Detection And Prevention Techniques And Research Issues. Journal of Information and Computational Science, 135-143.
[3]. Bandi Aruna, B. U. (2020). SQLID Framework In Order To Perceive SQL Injection Attack on Web Application. ICRAEM.
[4]. GitHub. (n.d.). sqlmapproject. Retrieved from GitHub: https://github.com/sqlmapproject/sqlmap
[5]. Invicti. (n.d.). SQL Injection Cheat Sheet. Retrieved from Invicti: https://www.invicti.com/blog/web-security/sql-injection-cheat-sheet/
[6]. Chris Sullo, D. L. (n.d.). Nikto2. Retrieved from CIRT.net: https://cirt.net/Nikto2
[7]. Kali. (n.d.). dirbuster. Retrieved from Kali: https://www.kali.org/tools/dirbuster/
[8]. Malware Bytes. (n.d.). What is SQL Injection. Retrieved from Malware Bytes: https://www.malwarebytes.com/sql-injection
[9]. Wagner, R. (n.d.). How To Test for SQL Injections [Complete Guide]. Retrieved from Code Intelligence: https://www.code-intelligence.com/blog/how-to-test-for-sql-injections
[10]. Moradov, O. (2022, May 12). 5 SQL Injection Test Methods and Why to Automate Your Testing. Retrieved from Bright: https://brightsec.com/blog/sql-injection-test
[11]. nmap.org. (n.d.). Nmap: the Network Mapper. Retrieved from nmap.org: https://nmap.org/
[12]. Abdalla Hadabi, E. E. (March 2022). An Efficient Model to Detect and Prevent SQL Injection Attack. Journal of Karary University for Engineering and Science (JKUES), 141-146.
[13]. OWASP. (n.d.). SQL Injection | OWASP Foundation. Retrieved from OWASP: https://owasp.org/www-community/attacks/SQL_Injection
[14]. OWASP. (n.d.). WSTG - Latest | OWASP Foundation. Retrieved from OWASP: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection
[15]. Singh, S. (2022, July 07). Common SQL Injection Attacks. Retrieved from Pentest Tools: https://pentest-tools.com/blog/sql-injection-attacks
[16]. Software Testing Help. (2022, October 25). SQL Injection Testing Tutorial (Example and Prevention of SQL Injection Attack). Retrieved from Software Testing Help: https://www.softwaretestinghelp.com/sql-injection-how-to-test-application-for-sql-injection-attacks/
