An Analysis of Advanced SQL Injection Exploitation and Mitigation

Huy Kieu

Name: Huy Kieu
Major: Computer Science
Minor: Mathematics
Advisor: Thomas Montelione

While technology is indispensable to the growth of innovative enterprises and state-of-the-art firms, the extensive use of digital computers today also brings innumerable intangible flaws and vulnerabilities that can significantly harm their products. This project concentrates on one specific threat, SQL Injection, a prevalent web attack vector in which malicious code is inserted directly into query strings in order to exploit a database and retrieve sensitive information from it. The project reviews and extensively analyzes how destructive this attack can be and the different types of injection. It also examines how to simulate SQL Injection in different kinds of modern databases and the effective methods for preventing such attacks. The project attempted to enhance SQLMap, an automated testing framework, by implementing a CAPTCHA feature to advance the process of detecting and exploiting injection threats, using Python as the programming language of choice. Although the accuracy rates were not sufficient to integrate the CAPTCHA-solving modules with the stable SQLMap, the project shows that solving the CAPTCHA issue using OCR and CNN was tried and found not to be reliable. Four useful techniques can be applied to prevent SQL Injection attacks: sanitizing user input comprehensively, using parameterized queries or stored procedures, restricting database privileges, and utilizing web application firewalls or intrusion detection systems. Thus, it is essential to be aware of the threats and to use proper techniques to defend the system against external attacks.
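Two of the mitigations named in the abstract, parameterized queries and input validation, shown next to the string-concatenation pattern they replace. This is an added example, not code from the project; the in-memory SQLite database, the `users` table, the sample rows, and all function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn

def find_user_concatenated(conn, name):
    # Vulnerable pattern: the input becomes part of the SQL text, so quote
    # characters in it change the structure of the WHERE clause.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def find_user_parameterized(conn, name):
    # Hardened pattern: the driver binds the input as a value; it is only
    # ever compared against the name column, never parsed as SQL.
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()

# Placeholders bind values only, not identifiers such as column names.
# Where an identifier must come from the request, validate it against a
# fixed allow-list before it reaches the query text.
SORTABLE_COLUMNS = {"name", "email"}

def list_users_sorted(conn, sort_column):
    if sort_column not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % (sort_column,))
    query = "SELECT name, email FROM users ORDER BY " + sort_column
    return conn.execute(query).fetchall()

if __name__ == "__main__":
    conn = make_db()
    crafted = "nobody' OR '1'='1"  # constructed test input
    print("concatenated :", len(find_user_concatenated(conn, crafted)), "rows")
    print("parameterized:", len(find_user_parameterized(conn, crafted)), "rows")
    print("sorted       :", list_users_sorted(conn, "email"))
```

The same crafted input returns every row through the concatenated query and no rows through the parameterized one, which makes it a convenient regression test for query-building code.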

Posted in Comments Enabled, Independent Study, Symposium 2022.

One response to “An Analysis of Advanced SQL Injection Exploitation and Mitigation”

  1. Jillian Morrison says:

    Huy, Great job investigating this! I always wonder how our sensitive data gets stolen and this gives me some insight. As well, even though your attempt at solving the issue did not work out, it does provide valuable information. Now future studies can look into other directions or other variations of your attempt.