SQL injection attack
Recently Published Documents

Total documents: 125 (five years: 20)
H-index: 9 (five years: 0)

2021 ◽ Vol 5 (3) ◽ pp. 320
Author(s): Alde Alanda ◽ Deni Satria ◽ M.Isthofa Ardhana ◽ Andi Ahmad Dahlan ◽ Hanriyawan Adnan Mooduto

A web application is a very important requirement in the information and digitalization era. With the increasing use of the internet and the growing number of web applications, every web application requires an adequate security level to store information safely and avoid cyber attacks. Web applications go through rapid development phases with short turnaround times, making it challenging to eliminate vulnerabilities. The vulnerability of a web application can be analyzed using the penetration testing method. This research uses penetration testing with the black-box method to test web application security based on the list of most attacks on the Open Web Application Security Project (OWASP), namely SQL Injection. SQL injection allows attackers to obtain unrestricted access to the databases and potentially collect sensitive information from databases. This research randomly tested several websites such as government, schools, and other commercial websites with several techniques of SQL injection attack. Testing was carried out on ten websites randomly by looking for gaps to test security using the SQL injection attack. The results of the testing conducted show that 80% of the websites tested have a weakness against SQL injection attacks. Based on this research, SQL injection is still the most prevalent threat for web applications. Further research can explain detailed information about SQL injection with specific techniques and how to prevent this attack.


2021
Author(s): ZhongDong Zhu ◽ ShiLin Jia ◽ JiShuai Li ◽ SuJuan Qin ◽ Hui Guo

2021 ◽ Vol 11 (1) ◽ pp. 53-57
Author(s): Yazeed Abdulmalik

SQL Injection Attack (SQLIA) is a common cyberattack that targets web application databases. With the ever increasing and varying techniques to exploit web application SQLIA vulnerabilities, there is no comprehensive method that can solve this kind of attack. Therefore, these various attack techniques require many methods to be established against them in order to mitigate their threats. However, most of these methods have not yet been evaluated; they are still just theories and need to be implemented, have their performance measured, and have their limitations set. Moreover, most of the existing SQL injection countermeasures use either syntax-based detection methods or a list of predefined rules to detect the SQL injection, which is vulnerable to advanced and sophisticated types of attacks because attackers create new ways to evade the detection utilizing their pre-knowledge. Although semantic-based features can improve the detection, to our knowledge, no studies have focused on extracting the semantic features from SQL statements. This paper investigates a designed model that can improve the efficacy of SQL injection attack detection using machine learning techniques by extracting the semantic features that can effectively indicate the SQL injection attack. Also, a tenfold approach will be used to evaluate and validate the proposed detection model.


Author(s): Kevin Joseph

A majority of unpleasant issues faced by landlords and tenants seem to grow due to lack of communication. Late rent payments turn into an eviction. A non-functional AC or a broken window becomes a reason to break a lease. Fortunately, building a positive relationship doesn't take much effort and it all starts with one basic idea: communication. This project is entitled “Administration System for end to end luxury apartment management software”, which is software for managing highly customizable multiple apartments, flats, buildings or any kind of real estate properties. The software is to ease property management burdens on small and independent landlords. The challenge was to conceptualize and develop a simple, streamlined management tool for smaller property owners. The tool needed to be able to manage marketing for the property, encourage on-time payments by tenants, keep track of transactions, and handle maintenance requests. The key technologies used for creating the software are HTML, CSS, Bootstrap, JavaScript, Python, MySQL and jQuery. In the existing security system there is authentication at user level: the user id and password submitted by the user are verified at the login process, and if the user id and password exist then the user is able to access the system. But some smart users usually use SQL injection in order to violate the security of the database using wild characters of SQL. They sometimes use SQL statements too in order to get the login process confused. They pass a sub query of SQL in the password field instead of the password in order to get the confirmation. Here we have to develop a secure system for authentication access and apply SQL INJECTION attack to check its security.


Author(s): Leelavathy S, Et. al.

As most applications are hosted on the cloud, security is a major concern for the data owners. The cloud environment has to be secure and protect data owners' data from cloud attacks. In this project work, we study securing the firewall against client side attacks, namely Denial of firewall and SQL injection attacks. Denial of firewall is nothing but overloading the firewall by bursting n number of requests through vulnerable scripts. SQL injection attack is defined as bypassing the security protocols by malicious scripts. Thus we proposed to design and develop a web application to detect and prevent denial of firewall and SQL injection attacks. The denial of firewall attack can be performed using Java environment based servers and prevention can be performed using Digital Signature Algorithm (DSA) in which filter based approach and software puzzle based approach are performed to detect the malicious script based requests. Only once the Deep Packet Inspection (DPI) filter based approach and software puzzle based approach are found satisfactory would the request be processed. If the request is found malicious, the requesting IP address would automatically be blocked. Various types of SQL injection attacks, namely SQL login bypass, Blind injection, SQL sleep attack, and Data fetching attack, are analysed and performed. The SQL injection attack can be prevented using PREPARE statements. These statements are created to make the SQL queries more efficient and render security benefits. This statement provides an effective prevention mechanism against SQL injection attacks. Thus our proposed solution provides high security against firewall attacks, namely denial of firewall and SQL injection, securing the data owner files and preventing compromising of the firewall.


2021 ◽ Vol 15 (1) ◽ pp. 112-120
Author(s): Umar Farooq

In the current era, SQL Injection Attack is a serious threat to the security of the ongoing cyber world, particularly for many web applications that reside over the internet. Many webpages accept sensitive information (e.g. usernames, passwords, bank details, etc.) from the users and store this information in a database that also resides over the internet. Although this online database has much importance for remotely accessing the information for various business purposes, attackers can gain unrestricted access to these online databases or bypass authentication procedures with the help of SQL Injection Attack. This attack results in great damage and variation to the database and has been ranked as the topmost security risk by OWASP TOP 10. Considering the trouble of distinguishing unknown attacks by the current principle coordinating technique, a strategy for SQL injection detection dependent on Machine Learning is proposed. Our motive is to detect this attack by splitting the queries into their corresponding tokens with the help of tokenization and then applying our algorithms over the tokenized dataset. We used four Ensemble Machine Learning algorithms: Gradient Boosting Machine (GBM), Adaptive Boosting (AdaBoost), Extended Gradient Boosting Machine (XGBM), and Light Gradient Boosting Machine (LGBM). The results yielded by our models are near to perfection, with the error rate being almost negligible. The best results are yielded by LGBM with an accuracy of 0.993371, and precision, recall, f1 as 0.993373, 0.993371, and 0.993370, respectively. The LGBM also yielded less error rate with False Positive Rate (FPR) and Root Mean Squared Error (RMSE) to be 0.120761 and 0.007, respectively. The worst results are yielded by AdaBoost with an accuracy of 0.991098, and precision, recall, f1 as 0.990733, 0.989175, and 0.989942, respectively. The AdaBoost also yielded high False Positive Rate (FPR) to be 0.009.


2021 ◽ Vol 17 (3) ◽ pp. 296-303
Author(s): Muhammad Amirulluqman Azman ◽ Mohd Fadzli Marhusin ◽ Rossilawati Sulaiman
