Essay Example on In this paper we compared SQLi Vulnerabilities








There are over 1 billion websites today and most of them are designed using content management systems Cybersecurity is one of the most discussed topic when it comes to web application and protecting the confidentiality integrity of data has become paramount SQLi is one of the most commonly used techniques hackers use to exploit a security vulnerability in a web application In this paper we compared SQLi vulnerabilities found on the 3 most commonly used content management systems using a vulnerability scanner called Nikto then SQLMAP for penetration testing This was carried out on default WordPress Drupal and Joomla website pages installed on a LAMP server localhost Results showed that each of the content management systems were not susceptible to SQLi attacks but gave warnings about other vulnerabilities that could be exploited In addition we suggested practices that could be implemented to prevent SQL injections Keywords component formatting style styling insert key words I INTRODUCTION The aim of this paper is to compare the SQL injection vulnerabilities found on the 3 most commonly used content management systems why they are susceptible and ways on how to mitigate them

According to online statistics on the usage of content management systems WordPress is found to be the most used followed by Drupal and Joomla SQL injection vulnerabilities are among the most common vulnerabilities known to hackers and consistently appear at the top on the list of security vulnerability for the past couple of years A computer security firm Imperva was quoted to have mentioned SQL injection has one of the most harmful vulnerability in human history due to the damage that can be inflicted using this technique It is said to have accounted for over 83 percent of data breaches between the years 2005 to 2011 In this paper we used Kali Linux as it is very versatile and user friendly operating system that is used to carry out seamless and efficacious penetration testing and security auditing tasks This operating system fully open sourced which makes quite flexible for users to carry out exploits intimately LAMP stack was installed as a web platform for running the content management systems The 3 content management systems used in this paper were all installed using default configuration with no extra security feature implemented or plugin installed Nikto a web scanner that tests web servers web applications for dangerous files CGIs outdated server software and other problems was used to scan each system for various types of problems ranging from poorly configured files to SQLi injection vulnerabilities while SQLMAP which automates the process of exploiting SQLi was used as our penetration tool After carrying out the penetration test each of the content management system were all found to be protected by a type Intrusion Prevention System IPS or Web application firewall WAF which made them not vulnerable to SQL injection attacks II LITERATURE REVIEW SQL Injection can be used in different ways to cause serious damage to a web application database By using SQL Injection an attacker could access modify and delete data within a database In other cases SQL Injection can be used to execute commands on an operating system allowing an attacker to cause damage to a network that is protected by a firewall Two important characteristics of SQL injection attacks are the injection mechanism and different kind of attacks that can be carried out Below are some examples of typical SQL injection attacks

A In band SQLi Classic SQLi This is arguably the easiest to exploit of all SQL Injection attacks This type of SQL injection occurs when an attacker launches an attack by posting malicious codes into a web application and all gathering results from the database using the same communication channel i e the input malicious codes and the output database results use the same communication channel Error based SQLi is an example of an In band SQLi B Error based SQLi This SQL Injection technique relies on error messages returned by the database server after some reserved characters or malicious codes are posted on a login form of a web application The error messages give the user attacker some information about the structure of the database Error messages features are used during the phase of application development for testing and should be disabled or logged to a file with restricted access when applications Go live C Double Query based SQLi In this method the attacker combines two different queries into a single query with the sole purpose of confusing the backend database causing it to return error messages The responses from the backend database usually contains information the attacker is trying to extract D Blind SQLi Blind SQL Injection requires an attacker to create a well constructed logical query to be injected into a web application to observe the way the backend database reacts to the input It takes a longer time to exploit because the parameters are injected blindly into the application and results from the database are not displayed to the attackers thereby getting its name Blind SQL injection because the results are not dumped on the screen of the user or visible to the attacker There are two types of Blind SQL Injection and they are Boolean based blind SQLi and Time based Blind SQLi E Boolean based Blind SQLi Every technique is based on two different inputs either TRUE or FALSE In this technique for every query sent to the database it returns different results or output for either a TRUE or FALSE query result F Time based Blind SQLi This technique relies on sending SQL query to the database which causes a delay in the amount of time it takes the database to respond To create this delay in time the attacker must build a good query to force the server to work The response time indicates to the attacker whether the result of the query is TRUE or FALSE

Write and Proofread Your Essay
With Noplag Writing Assistance App

Plagiarism Checker

Spell Checker

Virtual Writing Assistant

Grammar Checker

Citation Assistance

Smart Online Editor

Start Writing Now

Start Writing like a PRO