Developing a SQL Injection Exploitation Tool with Natural Language Generation

Boekweg, Kate Isabelle

22 April 2024

Websites are a popular tool in our modern world, used daily by many companies and individuals. However, they are also rife with vulnerabilities, including SQL injection (SQLI) vulnerabilities. SQLI attacks can lead to significant damage to the data stored within web applications and their databases. Due to the dangers posed by these attacks, many countermeasures have been researched and implemented to protect websites against this threat. Various tools have been developed to enhance the process of detecting SQLI vulnerabilities and active SQLI attacks. Many of these tools have integrated machine learning technologies, aiming to improve their efficiency and effectiveness. Penetration testing is another valid method of detecting and fixing SQLI vulnerabilities, and there are tools designed to automate this process. Some of these automated exploitation tools have also incorporated machine learning techniques. This research aims to identify design requirements of a SQLI exploitation tool that utilizes Natural Language Generation for attack data. This research also aims to compare this new SQLI exploitation to existing tools. This research integrates various components from existing research projects to develop and evaluate the effectiveness of the proposed SQLI exploitation tool. This research establishes a framework for a SQL injection exploitation tool. Additionally, the study successfully tests multiple components of this new tool and compares the accuracy and speed of the new tool to already existing tools.

SQL injection

injection detection

cybersecurity

machine learning

offensive security

Engineering

Technika SQL injection - její metody a způsoby ochrany / SQL Injection Technique - its Methods and Methods of Protection

Bahureková, Beáta

January 2020

SQL injection is a technique directed against web applications using an SQL database, which can pose a huge security risk. It involves inserting code into an SQL database, and this attack exploits vulnerabilities in the database or application layer. The main goal of my thesis is to get acquainted with the essence of SQL injection, to understand the various methods of this attack technique and to show ways to defend against it. The work can be divided into these main parts, which I will discuss as follows.In the introductory part of the work I mention the theoretical basis concerning SQL injection issues. The next chapter is focused on individual methods of this technique. The analytical part is devoted to mapping the current state of test subjects, scanning tools, which form the basis for optimal research and testing of individual SQL methods, which are discussed in this part from a practical point of view along with the analysis of commands. In the last part I will implement SQL methods on selected subjects and based on the outputs I will create a universal design solution how to defend against such attacks.

Reliability Enhancements for Real-Time Operations of Electric Power Systems

January 2017

abstract: The flexibility in power system networks is not fully modeled in existing real-time contingency analysis (RTCA) and real-time security-constrained economic dispatch (RT SCED) applications. Thus, corrective transmission switching (CTS) is proposed in this dissertation to enable RTCA and RT SCED to take advantage of the flexibility in the transmission system in a practical way. RTCA is first conducted to identify critical contingencies that may cause violations. Then, for each critical contingency, CTS is performed to determine the beneficial switching actions that can reduce post-contingency violations. To reduce computational burden, fast heuristic algorithms are proposed to generate candidate switching lists. Numerical simulations performed on three large-scale realistic power systems (TVA, ERCOT, and PJM) demonstrate that CTS can significantly reduce post-contingency violations. Parallel computing can further reduce the solution time. RT SCED is to eliminate the actual overloads and potential post-contingency overloads identified by RTCA. Procedure-A, which is consistent with existing industry practices, is proposed to connect RTCA and RT SCED. As CTS can reduce post-contingency violations, higher branch limits, referred to as pseudo limits, may be available for some contingency-case network constraints. Thus, Procedure-B is proposed to take advantage of the reliability benefits provided by CTS. With the proposed Procedure-B, CTS can be modeled in RT SCED implicitly through the proposed pseudo limits for contingency-case network constraints, which requires no change to existing RT SCED tools. Numerical simulations demonstrate that the proposed Procedure-A can effectively eliminate the flow violations reported by RTCA and that the proposed Procedure-B can reduce most of the congestion cost with consideration of CTS. The system status may be inaccurately estimated due to false data injection (FDI) cyber-attacks, which may mislead operators to adjust the system improperly and cause network violations. Thus, a two-stage FDI detection (FDID) approach, along with several metrics and an alert system, is proposed in this dissertation to detect FDI attacks. The first stage is to determine whether the system is under attack and the second stage would identify the target branch. Numerical simulations demonstrate the effectiveness of the proposed two-stage FDID approach. / Dissertation/Thesis / Doctoral Dissertation Electrical Engineering 2017

Electrical engineering

contingency analysis

corrective transmission switching

false data injection cyber-attack

false data injection detection

power system real-time operations

security-constrained economic dispatch