Vulnerability Analysis with SQLMAP Applied to APEX 5 Environments

Esteban Crespo-Martinez https://orcid.org/0000-0002-3061-9045

Abstract

Databases are usually the main targets of an attack, specifically because of the information that resides in them, since, according to Druker, information is power. This work carries out vulnerability tests on the database of an ERP software product developed in APEX 5. To do so, FOSS tools for database vulnerability testing and analysis are used, and the tests identify that the sessions used by the Oracle APEX-based ERP are generated randomly and, in addition, are regenerated at certain moments. It is concluded that, with the tests applied and the SQLMAP updates available as of the date of the experiment, it was not possible to compromise the ERP software with SQL injection techniques.