Protecting Web Applications from SQL Injection Attacks- Guidelines for Programmers Master Thesis

Gopali, Gopali

January 2018

Injektionsattack är den mest kritiska säkerhetsapplikationen för webbapplikationer, och SQL-injektion (SQLi) -attack är den mest rapporterade injektionsattacken på webbapplikationer. I denna avhandling har vi identifierat angreppsteknikerna som används av angripare och vi ger också riktlinjer så att programmerarna kan skriva webbapplikationskoder på ett säkert sätt för att förhindra SQLi-attackerna.Metoden som tillämpas för forskningen är litteraturstudie och vi använde vägen bevis genom demonstration för att få den tydliga bilden. Det första steget var att ta reda på kodningsfelen, då utformade vi riktlinjer som kan hjälpa till att skydda webbapplikationer från SQLi-attacker. Denna avhandling kommer att hjälpa programmerarna att förstå de olika kodningsbristerna och hur dessa kodningsfel kan förhindras och för detta har vi använt bevis genom demonstration. Denna avhandling kommer också att bidra till den allmänna medvetenheten om SQLi-attacker, attacker och riktlinjer för programmerare som designar, utvecklar och testar webbapplikationer. / Injection attack is the most critical web application security risk, and SQL-injection (SQLi) attack is the most reported injection attack on web applications. In this thesis, we have identified the attacking techniques used by attackers and we are also providing guidelines so that the programmers can write web application code in a secure way, to prevent the SQLi attacks.The methodology applied for the research is literature study and we used the way proof by demonstration to get the clear picture. The first step was to find out the coding flaws, then we designed guidelines that can help to protect web applications from SQLi attacks. This thesis will help the programmers to understand the various coding flaws and how those coding flaws can be prevented and for this, we have used proof by demonstration. This thesis will also contribute to the general awareness of SQLi attacks, attack types and guidelines for the programmers who are designing, developing and testing web applications.

Web application attacks

SQLi coding flaws

SQLi attack

SQL-Injection

Top vulnerabilities

Cyber Security

Engineering and Technology

Teknik och teknologier

Säkerhetsanalys av plugin-kod till publiceringsplattformen WordPress

Persson, Peter

January 2013

Applikationer och system flyttar i allt större utsträckning från lokala installationer på den enskilda datorn, ut i “molnet” där data skickas och hanteras via Internet. Traditionella “Desktop applikationer” blir webbapplikationer för att centralisera drift och öka tillgänglighet. Detta skifte medför ett ökande antal träffytor för personer som av en eller annan orsak vill åsamka skada eller tillskansa sig, alternativt manipulera eller förstöra, känslig eller hemlig information. Den här rapporten har för avsikt att utvärdera hur väl man kan skydda sig mot tre av de just nu vanligaste attackformerna mot webbapplikationer generellt, men WordPress specifikt. Nämligen attackformerna SQL-injection, Cross site scripting och Cross site request forgery. Resultaten av undersökningen visar att det genom en väl implementerad hantering av in- och utgående data går att skapa ett fullt acceptabelt grundskydd för att desarmera attacker av dessa typer.

WordPress

plugin

säkerhet

CSRS

XSRS

XSS

SQLI

hacker

attacker

intrång

skydd

Computer Sciences

Datavetenskap (datalogi)

Technika SQL injection - její metody a způsoby ochrany / SQL Injection Technique - its Methods and Methods of Protection

Bahureková, Beáta

January 2020

SQL injection is a technique directed against web applications using an SQL database, which can pose a huge security risk. It involves inserting code into an SQL database, and this attack exploits vulnerabilities in the database or application layer. The main goal of my thesis is to get acquainted with the essence of SQL injection, to understand the various methods of this attack technique and to show ways to defend against it. The work can be divided into these main parts, which I will discuss as follows.In the introductory part of the work I mention the theoretical basis concerning SQL injection issues. The next chapter is focused on individual methods of this technique. The analytical part is devoted to mapping the current state of test subjects, scanning tools, which form the basis for optimal research and testing of individual SQL methods, which are discussed in this part from a practical point of view along with the analysis of commands. In the last part I will implement SQL methods on selected subjects and based on the outputs I will create a universal design solution how to defend against such attacks.

Project X : All-in-one WAF testing tool

Anantaprayoon, Amata

January 2020

Web Application Firewall (WAF) is used to protect the Web application (web app). One of the advantages of having WAF is, it can detect possible attacks even if there is no validation implemented on the web app. But how can WAF protect the web app if WAF itself is vulnerable? In general, four testing methods are used to test WAF such as fuzzing, payload execution, bypassing, and footprinting. There are several open-source WAF testing tools but it appears that it only offers one or two testing methods. That means a tester is required to have multiple tools and learn how each tool works to be able to test WAF using all testing methods. This project aims to solve this difficulty by developing a WAF testing tool called ProjectX that offers all testing methods. ProjectX has been tested on a testing environment and the results show that it fulfilled its requirements. Moreover, ProjectX is available on Github for any developer who want to improve or add more functionality to it.

Web application vulnerability

OWASP top ten

Web Application Firewall

WAF

WAF testing

WAF testing tool

Modsecurity

AWS WAF

XSS

SQLI

Computer Sciences

Datavetenskap (datalogi)