Dissertations / Theses on the topic 'Sql-injection'
Consult the top 50 dissertations / theses for your research on the topic 'Sql-injection.'
Aryal, Dhiraj, and Anup Shakya. "A Taxonomy of SQL Injection Defense Techniques." Thesis, Blekinge Tekniska Högskola, Sektionen för datavetenskap och kommunikation, 2011. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-3076.
Bahureková, Beáta. "Technika SQL injection - její metody a způsoby ochrany." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2020. http://www.nusl.cz/ntk/nusl-433304.
Cetin, Cagri. "Authentication and SQL-Injection Prevention Techniques in Web Applications." Scholar Commons, 2019. https://scholarcommons.usf.edu/etd/7766.
Sjöström, Linus. "Detecting SQL Injection Attacks in VoIP using Real-time Deep Packet Inspection : Can a Deep Packet Inspection Firewall Detect SQL Injection Attacks on SIP Traffic with Reasonable Performance?" Thesis, Linköpings universitet, Institutionen för datavetenskap, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-161072.
Trumble, Brandon. "Using Code Inspection, Code Modification, and Machine Learning to prevent SQL Injection." Thesis, Kutztown University of Pennsylvania, 2015. http://pqdtopen.proquest.com/#viewpdf?dispub=1590429.
Modern-day databases store invaluable information about everyone. This information is assumed to be safe, secure, and confidential. However, as technology has become more widespread, more people are able to abuse and exploit this information for personal gain. While the ideal method to combat this issue is the enhanced education of developers, that still leaves a large amount of time during which this information is insecure. This thesis outlines two potential solutions to the problem that SQL Injection presents in the context of databases. The first modifies an existing code base to use safe prepared statements rather than unsafe standard queries. The second is a neural network application that sits between the user-facing part of a web application and the application itself. The neural network is designed to analyze data being submitted by a user and detect attempts at SQL injection.
Uwagbole, Solomon. "A pattern-driven corpus to predictive analytics in mitigating SQL injection attack." Thesis, Edinburgh Napier University, 2018. http://researchrepository.napier.ac.uk/Output/1538260.
Gopali, Gopali. "Protecting Web Applications from SQL Injection Attacks- Guidelines for Programmers Master Thesis." Thesis, Malmö universitet, Fakulteten för teknik och samhälle (TS), 2018. http://urn.kb.se/resolve?urn=urn:nbn:se:mau:diva-20238.
Injection attack is the most critical web application security risk, and SQL-injection (SQLi) attack is the most reported injection attack on web applications. In this thesis, we have identified the attacking techniques used by attackers and we are also providing guidelines so that programmers can write web application code in a secure way, to prevent SQLi attacks. The methodology applied in the research is a literature study, and we used proof by demonstration to get a clear picture. The first step was to find out the coding flaws; then we designed guidelines that can help to protect web applications from SQLi attacks. This thesis will help programmers to understand the various coding flaws and how those coding flaws can be prevented, and for this we have used proof by demonstration. This thesis will also contribute to the general awareness of SQLi attacks, attack types and guidelines for programmers who are designing, developing and testing web applications.
Pandey, Amit Kumar. "Securing Web Applications From Application-Level Attack." Kent State University / OhioLINK, 2007. http://rave.ohiolink.edu/etdc/view?acc_num=kent1181098075.
Norström, Alexander. "Measuring Accurancy of Vulnerability Scanners : An Evaluation with SQL Injections." Thesis, Linköpings universitet, Informationskodning, 2014. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-106628.
Scholte, Theodoor. "Amélioration de la sécurité par la conception des logiciels web." Thesis, Paris, ENST, 2012. http://www.theses.fr/2012ENST0024/document.
The web has become a backbone of our industry and daily life. The growing popularity of web applications and services and the increasing number of critical transactions being performed have raised security concerns. For this reason, much effort has been spent over the past decade to make web applications more secure. Despite these efforts, recent data from the SANS institute estimates that up to 60% of Internet attacks target web applications, and critical vulnerabilities such as cross-site scripting and SQL injection are still very common. In this thesis, we conduct two empirical studies on a large number of web application vulnerabilities with the aim of gaining deeper insights into how input validation flaws have evolved in the past decade and how these common vulnerabilities can be prevented. Our results suggest that the complexity of the attacks has not changed significantly and that many web problems are still simple in nature. Our studies also show that most SQL injection and a significant number of cross-site scripting vulnerabilities can be prevented using straightforward validation mechanisms based on common data types. With these empirical results as foundation, we present IPAAS, which helps developers that are unaware of security issues to write more secure web applications than they otherwise would. It includes a novel technique for preventing the exploitation of cross-site scripting and SQL injection vulnerabilities based on automated data type detection of input parameters. We show that this technique results in significant and tangible security improvements for real web applications.
Lokby, Patrik, and Manfred Jönsson. "Preventing SQL Injections by Hashing the Query Parameter Data." Thesis, Blekinge Tekniska Högskola, Institutionen för datalogi och datorsystemteknik, 2017. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-14922.
Klock, Robert. "Quality of SQL Code Security on StackOverflow and Methods of Prevention." Oberlin College Honors Theses / OhioLINK, 2021. http://rave.ohiolink.edu/etdc/view?acc_num=oberlin1625831198110328.
Smith, Grant Joseph. "Analysis and Prevention of Code-Injection Attacks on Android OS." Scholar Commons, 2014. https://scholarcommons.usf.edu/etd/5391.
Shahriar, Hossain. "Mutation-based testing of buffer overflows, SQL injections, and format string bugs." Thesis, Kingston, Ont. : [s.n.], 2008. http://hdl.handle.net/1974/1359.
Full textScholte, Theodoor. "Amélioration de la sécurité par la conception des logiciels web." Electronic Thesis or Diss., Paris, ENST, 2012. http://www.theses.fr/2012ENST0024.
Wheeler, Ryan. "BlindCanSeeQL: Improved Blind SQL Injection For DB Schema Discovery Using A Predictive Dictionary From Web Scraped Word Based Lists." Scholar Commons, 2015. http://scholarcommons.usf.edu/etd/6050.
Friberg, Daniel. "WordPress och säkerhet inom tillägg från tredje parter : Skydda mot SQL-injection och Cross Site Scripting. Fallstudie av tre tillägg." Thesis, Karlstads universitet, Handelshögskolan, 2015. http://urn.kb.se/resolve?urn=urn:nbn:se:kau:diva-36439.
Matti, Erik. "Evaluation of open source web vulnerability scanners and their techniques used to find SQL injection and cross-site scripting vulnerabilities." Thesis, Linköpings universitet, Institutionen för datavetenskap, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-177606.
Lundberg, Karl Johan. "Investigating the current state of security for small sized web applications." Thesis, Linköpings universitet, Databas och informationsteknik, 2012. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-89160.
Kunwar, Ramesh, and Mustafa Al-Leddawi. "Reviewing Security and Privacy Aspects in Combined Mobile Information System (CMIS) for health care systems." Thesis, Blekinge Tekniska Högskola, Avdelningen för för interaktion och systemdesign, 2007. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-4649.
Medlín, Dušan. "Nové technologie pro vývoj webových aplikací - Web 2.0." Master's thesis, Vysoké učení technické v Brně. Fakulta elektrotechniky a komunikačních technologií, 2008. http://www.nusl.cz/ntk/nusl-217518.
Prelgauskas, Justinas. "Vizitų registravimo sistemos projektavimas ir testavimas." Master's thesis, Lithuanian Academic Libraries Network (LABT), 2008. http://vddb.library.lt/obj/LT-eLABa-0001:E.02~2008~D_20080710_150320-49423.
This work consists of three major parts. The first, the engineering part, is the analysis and design of a call reporting system (codename "PharmaCODE"). We provide the main details of the business analysis and design decisions. The second part is about testing and ensuring system quality, mainly by means of static source code analysis tools and methods. We describe the tools used and provide the main results of the source code analysis in this part. Finally, in the third part of this work we go deeper into static source code analysis and try to improve one of the analysis rules. These days, when there are plenty of evolving web-based applications, security is gaining more and more importance. Most of those systems have, and depend on, back-end databases. However, web-based applications are vulnerable to SQL-injection attacks. In this paper we present a technique for solving this problem using secure-coding guidelines and the .NET Framework's static code analysis methods for enforcing those guidelines. This approach lets developers discover vulnerabilities in their code early in the development process. We provide the research and realization of an improved code analysis rule, which can automatically discover SQL-injection vulnerabilities in MSIL code.
Linnér, Samuel. "Graybox-baserade säkerhetstest : Att kostnadseffektivt simulera illasinnade angrepp." Thesis, Växjö University, School of Mathematics and Systems Engineering, 2008. http://urn.kb.se/resolve?urn=urn:nbn:se:vxu:diva-2299.
Carrying out a penetration test of a network architecture is complicated, risky and extensive. This report explores how a consultant best carries out an internal penetration test in a time-efficient way, without leaving out important parts. In an internal penetration test the consultant is often given access to the system documentation in order to form a picture of the network architecture, which eliminates the time it takes to map the whole network manually. This also means that any anomalies in the system documentation can be identified. Communication with the operations staff during the test reduces the risk of misunderstandings and system crashes. If serious vulnerabilities are identified, the operations staff are informed immediately. Another way to make the test more efficient is to skip time-consuming tasks that will succeed sooner or later, e.g. password cracking, and instead point out that the cause of the vulnerability is that an attacker is able to try passwords an unlimited number of times. In addition, it is appropriate to simulate certain attacks that could otherwise disturb production if the test is carried out in a live environment.
The result of the report is a checklist that can be read as a general methodology for how an internal penetration test can be carried out. The purpose of the checklist is to make it easier to carry out such a test. The process consists of seven steps: preparation and planning, information gathering, vulnerability detection and analysis, privilege escalation, penetration test, and summary and reporting.
Степанов, Андрій В’ячеславович, and Andrii Stepanov. "Удосконалення стандартних методів захисту веб-додатків." Master's thesis, ТНТУ, 2021. http://elartu.tntu.edu.ua/handle/lib/36798.
The thesis reviews the literature in the field of research, surveys the general state of security and vulnerabilities of web applications, and describes the web application security testing process. The use of WAFs is also reviewed. The most common methods of protecting web applications against brute force, weak password-recovery validation, XSS and SQL injection are described. As a result of the work, improvements to the standard protection methods were developed that are simple to implement, effective, reliable and efficient, which allows them to be used when developing new applications or integrated as enhancements into an application's existing protection mechanisms.
Contents: List of symbols, units, abbreviations and terms. Introduction. Chapter 1, Testing web applications for vulnerabilities: 1.1 How a web application works; 1.2 Vulnerabilities and their impact on business security; 1.3 The state of web application security; 1.4 A brief overview of the most common web application vulnerabilities; 1.5 Web application security testing (1.5.1 Relevance of web application testing; 1.5.2 The web application testing process; 1.5.3 Types of web application security tests); 1.6 Web application firewall (WAF). Chapter 2, Standard protection methods against the most common attack types: 2.1 Brute-force attack (2.1.1 Description of the attack; 2.1.2 Most common protection methods); 2.2 Weak password-recovery validation (2.2.1 Description of the attack; 2.2.2 Most common protection methods); 2.3 Cross-site scripting (XSS) (2.3.1 Description of the attack; 2.3.2 Most common protection methods); 2.4 SQL/NoSQL injection (2.4.1 Description of the attack; 2.4.2 Most common protection methods). Chapter 3, Improving the standard protection methods: 3.1 Improving standard protection against brute-force attacks (3.1.1 Using a whitelist; 3.1.2 Changing the page address; 3.1.3 Using 256-bit encryption keys); 3.2 Improving standard protection against weak password-recovery validation (3.2.1 Increasing the number of questions; 3.2.2 Using a PIN code; 3.2.3 Binding to time and user); 3.3 Improving standard protection against XSS (3.3.1 Using modern frameworks and libraries for building user interfaces; 3.3.2 Sanitizing data inserted into CSS as a URL attribute; 3.3.3 Sanitizing data used with element.innerHTML, element.outerHTML, document.write(...) and their equivalents); 3.4 Improving standard protections against SQL injection (3.4.1 Casting to an integer type; 3.4.2 Using whitelists). Chapter 4, Occupational safety and emergency safety: 4.1 Occupational safety; 4.2 Increasing the resilience of economic facilities in wartime. Conclusions. References. Appendices.
Nsambu, Emmanuel, and Danish Aziz. "The Defense Against the latest Cyber Espionage both insider and outsider attacks." Thesis, Mittuniversitetet, Institutionen för informationsteknologi och medier, 2012. http://urn.kb.se/resolve?urn=urn:nbn:se:miun:diva-16477.
Panta, Purushottam. "Web Design, Development and Security." Connect to resource online, 2009. http://rave.ohiolink.edu/etdc/view?acc_num=ysu1244819478.
Regéciová, Dominika. "Aplikace teorie formálních jazyků v oblasti počítačové bezpečnosti." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2018. http://www.nusl.cz/ntk/nusl-386008.
Whitelaw, Clayton. "Precise Detection of Injection Attacks on Concrete Systems." Scholar Commons, 2015. http://scholarcommons.usf.edu/etd/6051.
Plašil, Matouš. "Soubor laboratorních úloh k demonstraci počítačových útoků." Master's thesis, Vysoké učení technické v Brně. Fakulta elektrotechniky a komunikačních technologií, 2015. http://www.nusl.cz/ntk/nusl-220402.
Pavlosek, Václav. "Webová aplikace pro výuku simulací v ns2." Master's thesis, Vysoké učení technické v Brně. Fakulta elektrotechniky a komunikačních technologií, 2009. http://www.nusl.cz/ntk/nusl-218090.
Holmberg, Daniel, and Victor Nyberg. "Functional and Security Testing of a Mobile Client-Server Application." Thesis, Linköpings universitet, Institutionen för datavetenskap, 2018. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-148710.
Kadlubiec, Jakub. "Mobilní systém pro sběr zpětné vazby zákazníků." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2013. http://www.nusl.cz/ntk/nusl-236177.
"A research in SQL injection." 2005. http://library.cuhk.edu.hk/record=b5892623.
Full textThesis (M.Phil.)--Chinese University of Hong Kong, 2005.
Includes bibliographical references (leaves 67-68).
Abstracts in English and Chinese.
Contents:
Abstract
Acknowledgement
Chapter 1 Introduction
  1.1 Motivation
    1.1.1 A Story
  1.2 Overview
    1.2.1 Introduction of SQL Injection
  1.3 The importance of SQL Injection
  1.4 Thesis organization
Chapter 2 Background
  2.1 Flow of web applications using DBMS
  2.2 Structure of DBMS
    2.2.1 Tables
    2.2.2 Columns
    2.2.3 Rows
  2.3 SQL Syntax
    2.3.1 SELECT
    2.3.2 AND/OR
    2.3.3 INSERT
    2.3.4 UPDATE
    2.3.5 DELETE
    2.3.6 UNION
Chapter 3 Details of SQL Injection
  3.1 Basic SELECT Injection
  3.2 Advanced SELECT Injection
    3.2.1 Single Line Comment (--)
    3.2.2 Guessing the number of columns in a table
    3.2.3 Guessing the column name of a table (Easy one)
    3.2.4 Guessing the column name of a table (Difficult one)
  3.3 UPDATE Injection
  3.4 Other Attacks
Chapter 4 Current Defenses
  4.1 Causes of SQL Injection attacks
  4.2 Defense Methods
    4.2.1 Defensive Programming
    4.2.2 Hiding the error messages
    4.2.3 Filtering out the dangerous characters
    4.2.4 Using pre-compiled SQL statements
    4.2.5 Checking for tautologies in SQL statements
    4.2.6 Instruction set randomization
    4.2.7 Building the query model
Chapter 5 Proposed Solution
  5.1 Introduction
  5.2 Natures of SQL Injection
  5.3 Our proposed system
    5.3.1 Features of the system
    5.3.2 Stage 1 - Checking with current signatures
    5.3.3 Stage 2 - SQL Server Query
    5.3.4 Stage 3 - Error Triggering
    5.3.5 Stage 4 - Alarm
    5.3.6 Stage 5 - Learning
  5.4 Examples
    5.4.1 Defending BASIC SELECT Injection
    5.4.2 Defending Advanced SELECT Injection
    5.4.3 Defending UPDATE Injection
  5.5 Comparison
Chapter 6 Conclusion
Appendix A Commonly used table and column names
  A.1 Commonly used table names for system management
  A.2 Commonly used column names for password storage
  A.3 Commonly used column names for username storage
Bibliography
蘇學翔. "Exploiting SQL Injection with Semantic Polymorphism." Thesis, 2018. http://ndltd.ncl.edu.tw/handle/tvz4mu.
Chen, Bo Han, and 陳柏翰. "Effective Practices For Defending SQL Injection Attacks." Thesis, 2010. http://ndltd.ncl.edu.tw/handle/89556774781629620492.
Full text長庚大學
資訊管理學系
98
When setting up a web server to read from a database, it is important that the designer check the parameter information being passed from the customer to the webpage. Otherwise, the transmission of this data could create opportunities for assailants to find weaknesses which can be used to attack the system, possibly leading to loss of corporate or customer information. This study proposes the use of the Acunetix Web Vulnerability Scanner, Barracuda Web Application Firewall, and Splunk search engine to search the web server and Barracuda Web Application Firewall log files to improve defenses against SQL injection attacks by protecting the results of search engine analyses to safeguard feedback. The webpage manager only uses the Barracuda Web Application Firewall to describe the relevant attributes of the webpage outputs. This firewall device, positioned between the network firewall and the web server, can protect the webpage automatically, can enable the Barracuda Web Application Firewall transparent mode, and can directly check the output of network user information. The so-called transparent mode does not need to be updated to allow for installation, settings configuration and dynamic packet filtering. Without the need to change the existing webpage application program and database settings, this safeguard can be simply and easily configured, and the operating interfaces offer multi-lingual support to assist the work of maintenance staff and accelerate the adoption and deployment of the equipment.
Lee, Jieh-Hua, and 李玠樺. "A Layer-based SQL Injection Prevention System." Thesis, 2012. http://ndltd.ncl.edu.tw/handle/86009733947954214171.
Ming Chuan University, Master's Program, Department of Computer and Communication Engineering, 100.
Web applications are the most popular services on the Internet. Many services combine database with web applications to provide the necessary information. Security problems with web applications are increasing with the growth of Internet applications. Malicious users are able to use SQL Injection attacks on vulnerabilities of web applications to obtain information in the database or exploit the system. A layer-based SQL Injection prevention system (LBSIPS) is proposed in this paper to protect the database. SQL commands are collected and classified at the first step by using the inline monitor mechanism. Privileges and access control are verified by examining the database and the predefined profile and snort rules are established to filter out suspicious activities at the second step. An inline LBSIPS infrastructure is implemented and the experiment results show SQL attacks are blocked and thus it improves the security of web applications.
Wu, Ko-Chih, and 巫格至. "Automated Exploit Generation for SQL Injection Attacks." Thesis, 2010. http://ndltd.ncl.edu.tw/handle/66937924239857964035.
National Taiwan University, Graduate Institute of Electronics Engineering, 98.
Automated static analysis tools are widely used today for finding input manipulation vulnerabilities in web applications, such as SQL injection. However, these tools may produce many false positives and these reported vulnerabilities cannot be verified easily. To verify these reported vulnerabilities, concrete attack requests need to be constructed and to be submitted to the target application, just like what hackers or black-box tools will do. Our approach is to send concrete exploits and to inspect SQL queries that are executed at run-time. Thus, it is possible to declare the reported vulnerability valid (along with true exploitable SQL commands) or bogus (i.e., false positive). Our technique is proved to be effective after the evaluation against several real-world examples.
Lu, Chian-Huey, and 盧芊慧. "Web Platform Independent SQL injection Attack Generation." Thesis, 2014. http://ndltd.ncl.edu.tw/handle/43099096080587428778.
National Chiao Tung University, Institute of Computer Science and Engineering, 102.
The Internet has become an important communication medium in our daily life. Most of us access information and save our personal private data in databases through web applications. However, due to web programmers' ignorance of secure programming practice, hackers may be able to access or destroy data through potential web vulnerabilities. We developed a web platform independent SQL injection attack generation method to improve our former web attack framework, CRAXweb. The system is able to generate exploits for the target web application automatically and acts as a penetration test. CRAXweb is based on S2E, a symbolic execution platform. We collect the URLs of the target web application through a web crawler and send HTTP requests with symbolic variables to the symbolic sensor embedded in the server. To improve the efficiency of symbolic execution, we adopt the single path concolic execution mode to collect path constraints and generate the exploit. We have applied this method to several known vulnerabilities in open source web applications. The results reveal that CRAXweb is a practical exploit generation tool supporting different web platforms, including PHP, C/C++, Perl, and Python.
Aich, Dibyendu. "Secure Query Processing by Blocking SQL Injection." Thesis, 2009. http://ethesis.nitrkl.ac.in/1504/1/thesis_to_upload.pdf.
Full textSarangi, A., and S. Panchamukhi. "Blocking SQL Injection in Database Stored Procedures." Thesis, 2010. http://ethesis.nitrkl.ac.in/1703/1/Blocking_sql_injection_in_database_stored_procedures.pdf.
Full textChia, Bernard, and 謝孟峰. "Web Forensic: Evidence of SQL Injection Attack Analysis." Thesis, 2014. http://ndltd.ncl.edu.tw/handle/81060912022228427261.
National Taipei University, Department of Computer Science and Information Engineering, 102.
In the WEB 2.0 generation, web attacks have become a common issue and are widely used by intruders to exploit and access a system without any authorization. According to a survey from OWASP (Open Web Application Security Project), SQL injection attack (SQLIA) is placed first in the OWASP 2013 top 10 list of cyber threats faced by web services. SQLIA is a technique of inserting SQL meta-characters and commands into web-based input fields to change the original meaning of the SQL queries in order to manipulate the execution of the malicious SQL queries and access the databases without authorization. SQLIA cannot be detected by any firewall or antivirus because it involves only the injection of one or many meta-characters and hence does not contain any malicious code. Hence, forensic analysis is performed to find the evidence of an attack, and this plays an important role in reaching a conclusion on an incident, whether to prove or disprove an intruder's guilt. In previous research, there were three ways of performing a forensic analysis, namely simple statistical analysis, parsing capabilities matching and simple signature matching. Thus, a method is proposed that analyzes the URL attack request, decodes the request before analyzing it with the rule set provided by PHPIDS, and then clusters these attacks by calculating the distance between every cluster and assigning each attack to the cluster with the nearest centroid point. To find the pattern of the SQL injection and cluster these attacks, a method is proposed whereby the SQL keywords are extracted as a token set from the URL request and this token set is then analyzed with the K-means method to find the standard centroid used to cluster these attacks.
Pieš, Martin. "Systém pro detekci napadení databáze metodou "SQL injection"." Master's thesis, 2010. http://www.nusl.cz/ntk/nusl-286260.
Full textLin, Che-Chia, and 林哲嘉. "Design and Implementation of SQL Injection Penetration System." Thesis, 2013. http://ndltd.ncl.edu.tw/handle/95134447354413560501.
National Chung Cheng University, Graduate Institute of Communications Engineering, 101.
More and more public web sites contain personal private data and usually store it in an associated database. Web site security becomes more important day by day, because once a web site has been compromised, numerous private data items can potentially leak out, threatening personal privacy. According to Open Web Application Security Project (OWASP) 2013 research, injection is the first of the top 10 threats. Injection attacks include SQL injection, OS injection and LDAP injection, of which SQL injection is the most threatening. This research proposes a penetration testing system aimed at effective and fast detection of the SQL injection threat on websites. The system has two options, static scanning and dynamic scanning, whose initial target Uniform Resource Locators (URLs) are given by manual setting or by popular search engines, respectively. The proposed scheduler can adjust the priority of target URLs according to a degree of suspicion derived from their similarity to URLs of well-known leaks, and accelerate the whole SQL penetration process. Experiments show that both the precision and the speed of the proposed system are better than those of the free web penetration tool Paros. Website developers and administrators can quickly and effectively find potential information leaks with this system.
Thomas, Stephen M. "Using automated fix generation to mitigate SQL injection vulnerabilities." 2007. http://www.lib.ncsu.edu/theses/available/etd-11062007-151028/unrestricted/etd.pdf.
Migli, Roberto, and 馬若權. "A fast, multi-platform method to detect SQL Injection Attacks." Thesis, 2009. http://ndltd.ncl.edu.tw/handle/66902532536363882776.
National Taiwan University of Science and Technology (國立臺灣科技大學), Department of Computer Science and Information Engineering (資訊工程系), 97
In recent years SQL injection attacks have become a major threat for both small and large web sites. This special kind of injection attack exploits vulnerabilities in web applications that interact with a backend database. In this paper we analyze the SQL injection attack patterns and the previously proposed defense methods. We found that most of the existing research is able to detect most of the attacks, but it does not consider the complexity involved in using the defense system and the eventual cost of modifying the original program. The proposed method requires no modification of the web application code, and can be adapted to different usage scenarios, involving also different operating systems and server applications. The proposed method is able to detect all the known injection points for the test application. We compare the results achieved with a published paper under the same testing conditions.
Bento, Pedro Ricardo Saraiva. "Assessing Web Services Robustness and Security Using Malicious Data Injection." Master's thesis, 2015. http://hdl.handle.net/10316/35521.
The Web Services technology makes it possible to connect applications built on different platforms, and has reached great popularity. In recent years, the use of this technology has increased considerably, not only to support critical business environments, but also in environments where the robustness and security of services is vital. In these environments, the presence of a robustness problem or a security vulnerability can translate into financial losses and/or damage to the reputation of the service provider. The lack of suitable methodologies and tools for the detection of these problems is one of the factors contributing to the current situation, where services fail in the presence of invalid or malicious inputs. This dissertation discusses the state of the art in robustness and security in Web Services and proposes an approach for the detection of faults in this area. It is based on the introduction, at runtime, of a set of invalid and malicious inputs into a service under test. Unlike the classical approach for detecting these problems, the interfaces of the applications under test in the presented approach are those that contact external services, in particular the database. This work also results in the creation of a testing tool, making it possible to classify the level of security and robustness of a service.
The Web Services technology allows us to connect applications built on different platforms, and has reached great popularity. In the last years, the use of this technology has increased considerably, not only to support critical business environments, but also in environments where the robustness and safety of services is vital. The presence of a robustness problem or a security vulnerability can be translated into substantial losses in financial terms and/or the reputation of the service provider. The lack of methodologies and tools for the detection of these problems is one of the factors contributing to the current situation, where services fail in the presence of invalid or malicious inputs. This dissertation discusses the state of the art of robustness and security in Web Services and proposes an approach for the detection of this type of situation. This is based on the introduction, at runtime, of a set of invalid and malicious inputs to a service under test. Unlike the classical approach for detecting these problems, the interfaces of the applications under test in the developed approach are those that contact external services, in particular the interface with the database. This work also involves the creation of a testing tool, allowing the classification of the level of robustness and security of a service.
Wu, Ching-Ju, and 吳靜茹. "A Defense against SQL Injection Attack through Validation on Input Legitimacy." Thesis, 2009. http://ndltd.ncl.edu.tw/handle/44317375982863901114.
Chung Yuan Christian University (中原大學), Graduate Institute of Computer Science and Information Engineering (資訊工程研究所), 97
The development of Web 2.0 has brought the prevalence of web application services based on database support. Along with the increasing interaction with the database, web application service programs become complicated, which makes it difficult to guarantee that an SQL query constructed using user input is safe for the database. Therefore, an effective defense mechanism against SQL injection attacks from malicious users is important to the safe use of the valuable content in the database. In this thesis, a novel defense scheme is proposed. Before a web application service program is put into work, a static analysis process is applied to determine the type of each user-supplied parameter to be used in constructing SQL queries. Later, when a user input is received at the web server at run time, a validation procedure is performed to determine the legitimacy of the input according to its type before it is delivered to the corresponding application program to construct the SQL query. In this way, the possibility of constructing illegal SQL queries is eliminated. The scheme focuses on the input parameters directly related to SQL query construction, which makes it possible to follow SQL syntax precisely and allow atypical yet proper input values. The scheme also avoids the problem of leaking information internal to the web application service, since the validation procedure is performed at the web server before user input is delivered to the corresponding application programs. The proposed scheme is transparent to both the user and the program developer. It only requires administration effort to run the static analysis process on application programs and to install the validation module in the web server to achieve the desired protection against SQL injection attacks.
Huang, Hao-lun, and 黃浩倫. "TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks." Thesis, 2010. http://ndltd.ncl.edu.tw/handle/79047244359095359380.
National Central University (國立中央大學), Graduate Institute of Computer Science and Information Engineering (資訊工程研究所), 98
Web-based applications have become the major means of providing services by web servers and databases. These applications are frequent targets for attacks because the databases underlying Web applications often contain private information (e.g., user accounts and financial records). In particular, SQL injection attacks, a class of injection flaw in which specially crafted input strings lead to illegal queries to databases, are one of the topmost threats to web applications. A number of research prototypes and commercial products that maintain the query structure in web applications have been developed, but these techniques fail to address the full scope of the problem or have limitations. In this paper, we propose a novel and effective mechanism for automatically translating SQL requests to LDAP-equivalent requests to render them secure against SQL injection attacks. After queries are executed on the SQL database and LDAP, our technique checks the difference in responses from the SQL database and LDAP to prevent SQL injection attacks. We implemented our technique in a tool, TransSQL, which consists of two steps. In the preprocessing step, the Database Duplicating process, we adopt the sqldump program to extract the entire information of the SQL database, which is used to produce an LDAP schema and an LDAP Data Interchange Format file. In the runtime step, the Request Translation process, the technique intercepts SQL queries for translation and checks the results from LDAP against the SQL database. TransSQL has been implemented in Java and deployed between web applications and databases. Our empirical evaluation has shown that TransSQL is both effective and efficient against SQL injection attacks.
Lai, Shu Mei, and 賴淑美. "Preventing SQL Injection Attacks Using the Field Attributes of User Input." Thesis, 2009. http://ndltd.ncl.edu.tw/handle/72087296479960095398.
National Chengchi University (國立政治大學), Department of Computer Science (資訊科學學系), 97
With the dynamic development of network applications and the increasing population using the internet, providing customer service and doing business through the network has become a prevalent trend recently. However, risk appears with this trend. In a borderless net world, threats come from all directions. With the progress of information technology, network attack techniques have become timeless and widespread. It seems that defense methods have to be developed against these attack techniques. But the root of all of them should go back to the original program design: check the input data of data fields. The prevention of unceasing network attacks is precisely to check the content of data fields and adhere to the webpage security design principles; furthermore, the authority to access the database is essential. Since most existing systems do not have exact checkpoints for those data fields, such as the length, the data type, and the data format, those conditions have resulted in several network attacks like Injection Flaws and XSS. In response to the constant variety of website attacks, the majority re-modify the system source code, inspect vulnerabilities through penetration testing services, and purchase Intrusion Prevention System (IPS) equipment. However, several limitations influence the performance, such as the massive workload of re-modifying source code, the difficulty of implementing daily penetration tests, and the costly expense of IPS equipment. The fundamental method of this research is to check the input data of data fields based on the length, the data type and the data format. The hypothesis is that implementing the original design principle should prevent most website attacks. Unfortunately, most legacy system programs are massive and numerous. It is time-consuming to review and re-modify all the data fields.
This research investigates the analysis of network interception, integrated with the database schema and easily defined data types, to automatically process these procedures and rapidly generate the checklist of input data. Then, a website dynamic capture technique is used to receive the user request and webpage input data first, before the system application commences processing it. Since those input data can be checked against the predefined data field type and length, there is no need to modify existing systems, and the goal of preventing web attacks can be achieved at minimum cost.
YANG, SHENG-CHUAN, and 楊勝全. "Research on Constructing SQL Injection Defending System Based on Knowledge Base." Thesis, 2018. http://ndltd.ncl.edu.tw/handle/f3a6qw.
Chinese Culture University (中國文化大學), Department of Information Management (資訊管理學系), 106
The rapid development of network technology has promoted the wide application of web applications. The combination of web applications and databases makes systems more complicated than before. Besides, it is hard to confirm the security of database access requests made by users. Therefore, we need a defense mechanism which can effectively block SQL injection against the database by malicious users. In this thesis, we propose a defense mechanism different from those of other scholars. With our method, we can defend against both single attacks and multiple-query attacks. Before executing database instructions, we store all SQL instructions composed by users in a database. Then, we filter those SQL instructions using the knowledge from a knowledge base. Finally, we pass the filtered SQL instructions to the database, execute them and return the results to the users. Following the method above, we can avoid any SQL instructions containing improper execution.