Publication:
Information Systems Security

dc.contributor.author: Jha, Somesh
dc.contributor.author: Mathuria, Anish
dc.date.accessioned: 2025-09-22T06:30:28Z
dc.date.issued: 2010-12-07
dc.description: 2.1 Web Application Vulnerabilities

Many web application vulnerabilities have been well documented and mitigation methods for them have also been introduced [1]. The most common cause of those vulnerabilities is insufficient input validation. Any data originating from outside the program code, for example input data provided by a user through a web form, should always be considered malicious and must be sanitized before use. SQL Injection, Remote Code Execution and Cross-Site Scripting are very common vulnerabilities of that type [3]. Below is a brief introduction to the SQL Injection vulnerability, though the security testing method presented in this paper is not limited to it.

An SQL Injection vulnerability allows an attacker to illegally manipulate the database by injecting malicious SQL code into the values of input parameters of HTTP requests sent to the victim web site.

Fig. 1. An example of a program written in PHP which contains an SQL Injection vulnerability

Figure 1 shows a program that uses the database query function mysql_query to get the user information corresponding to the user specified by the GET input parameter username and then print the result to the client browser. A normal HTTP request with the input parameter username looks like "http://example.com/index.php?username=bob". The dynamically created database query at line 2 is "SELECT * FROM users WHERE username='bob' AND usertype='user'". This program is vulnerable to SQL Injection attacks because mysql_query uses the input value of username without sanitizing malicious code. Malicious code can be any string that contains SQL symbols or keywords. If an attacker sends a request with the SQL fragment 'alice'-- injected, "http://example.com/index.php?username=alice'--", the query becomes "SELECT * FROM users WHERE username='alice'--' AND usertype='user'": the comment marker -- discards the rest of the statement, including the usertype='user' restriction.
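Worked example added to this record (not code from the volume or from the paper excerpted above): the paper's Fig. 1 is a PHP program calling mysql_query, which is not reproduced on this page, so the script below rebuilds the same string concatenation in Python against an in-memory SQLite database with a constructed users table, runs the bob request and the alice'-- request through it, and places a parameterized query beside the vulnerable one as the fix. The table rows, the function names and the parameterized variant are assumptions of this example, not part of the original.

```python
import sqlite3

# Constructed sample data (assumption): only "bob" is an ordinary user,
# so a correct query with usertype='user' must never return alice.
SAMPLE_USERS = [
    ("bob", "user"),
    ("alice", "admin"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, usertype TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(username):
    """Mirror the PHP program's query construction: the GET parameter is
    pasted unsanitized into a quoted literal (the defect the paper describes)."""
    return (
        "SELECT * FROM users WHERE username='" + username + "' AND usertype='user'"
    )


def lookup_vulnerable(conn, username):
    """Execute the concatenated query exactly as mysql_query would receive it."""
    return conn.execute(build_vulnerable_query(username)).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form (assumption, not from the paper): the driver binds the
    value, so quotes and comment markers in it are data, never SQL."""
    return conn.execute(
        "SELECT * FROM users WHERE username=? AND usertype='user'",
        (username,),
    ).fetchall()


def demo():
    """Run the normal and the injected request through both query styles."""
    conn = make_db()
    normal = "bob"          # http://example.com/index.php?username=bob
    injected = "alice'--"   # http://example.com/index.php?username=alice'--
    results = {
        "query_normal": build_vulnerable_query(normal),
        "query_injected": build_vulnerable_query(injected),
        "vuln_normal": lookup_vulnerable(conn, normal),
        # The -- comments out "' AND usertype='user'", so the admin row leaks.
        "vuln_injected": lookup_vulnerable(conn, injected),
        "param_normal": lookup_parameterized(conn, normal),
        # No user is literally named "alice'--", so the bound query returns nothing.
        "param_injected": lookup_parameterized(conn, injected),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=>", value)
```

The comparison that matters is vuln_injected against param_injected: the concatenated query returns the alice/admin row even though the statement carries a usertype='user' filter, while the bound query returns no rows because the payload is matched as a literal username. SQLite honours the same -- line-comment syntax as MySQL, so the truncated statement the paper quotes executes here unchanged.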
dc.identifier.citation: Jha, Somesh and Mathuria, Anish (Eds.) Information Systems Security, (LNCS vol. 6503), Berlin: Springer, 2010.
dc.identifier.isbn: 9783642177149
dc.identifier.uri: https://ir.daiict.ac.in/handle/dau.ir/2192
dc.language.iso: en
dc.publisher: Springer, Berlin
dc.title: Information Systems Security
dc.type: Book
dspace.entity.type: Publication
relation.isAuthorOfPublication: 078fff3e-c9c9-46b3-b171-66587e178807
relation.isAuthorOfPublication.latestForDiscovery: 078fff3e-c9c9-46b3-b171-66587e178807

Files

License bundle

Name: license.txt
Size: 1.71 KB
Format: Item-specific license agreed to upon submission