Vulnerability analysis with SQLMAP applied to APEX 5 environments

Main Article Content

Esteban Crespo-Martinez https://orcid.org/0000-0002-3061-9045

Abstract

Databases are usually the main targets of an attack, specifically for the information that they store, since, according to Druker, information is power. In this work vulnerability tests are performed of the database of an ERP software developed in APEX 5. For this purpose, FOSS tools are used to test and analyze vulnerabilities of databases, identifying that sessions used by ERP based on Oracle APEX are carried out randomly, and besides are generated again at particular times. It is therefore concluded that, with the tests applied and the updates of SQLMAP to the date of the experiment, it has not been possible to vulnerate the ERP software with SQL injection techniques.
Abstract 234 | PDF (Español (España)) Downloads 467 PDF Downloads 111

References

[1] A. Barinas López, A. C. Alarcón Aldana, and M. Callejas Cuervo, “Vulnerabilidad de ambientes virtuales de aprendizaje utilizando SQLMAP, RIPS, W3AF y Nessus,” Ventana Informática, no. 30, pp. 247–260, 2014. [Online]. Available: https://doi.org/10.30554/ventanainform.30.276.2014
[2] S. Mohammadi and A. Namadchian, “Anomalybased Web Attack Detection: The Application of Deep Neural Network Seq2Seq With Attention Mechanism,” The ISC International Journal of Information Security, vol. 12, no. 1, pp. 44–54, 2020. [Online]. Available: http://doi.org/10.22042/ISECURE.2020.199009.479
[3] K. L. Ingham, A. Somayaji, J. Burge, and S. Forrest, “Learning DFA representations of HTTP for protecting web applications,” Computer Networks, vol. 51, no. 5, pp. 1239–1255, 2007, from Intrusion Detection to Self-Protection. [Online]. Available: https://doi.org/10.1016/j.comnet.2006.09.016
[4] B. Dwan, “The Computer Virus – From There to Here.: An Historical Perspective.” Computer Fraud & Security, vol. 2000, no. 12, pp. 13–16, 2000. [Online]. Available: https://doi.org/10.1016/S1361-3723(00)12026-3
[5] O. Ojagbule, H. Wimmer, and R. J. Haddad, “Vulnerability Analysis of Content Management Systems to SQL Injection Using SQLMAP,” in SoutheastCon 2018, 2018, pp. 1–7. [Online]. Available: https://doi.org/10.1109/SECON.2018.8479130
[6] C. Kruegel, G. Vigna, and W. Robertson, “A multi-model approach to the detection of web-based attacks,” Computer Networks, vol. 48, no. 5, pp. 717–738, 2005, web Security. [Online]. Available: https://doi.org/10.1016/j.comnet.2005.01.009
[7] F. Santin, J. A. Oliveira de Figueiredo, and V. Lago Machado, “Uso da ferramenta sqlMap para detecção de vulnerabilidades de SQL Injection,” in Anais do EATI - Encontro Anual de Tecnologia da Informação, 2017. [Online]. Available: https://bit.ly/340cKP6
[8] J. Clarke, SQL Injection Attacks and Defense (Second Edition), second edition ed., J. Clarke, Ed. Boston: Syngress, 2012. [Online]. Available: https://doi.org/10.1016/B978-1-59-749963-7.00012-8
[9] D. E. Nofal and A. Amer, SQL Injection Attacks Detection and Prevention Based on Neuro-Fuzzy Technique. Springer, Cham, 2019. [Online]. Available: https://doi.org/10.1007/978-3-030-31129-2_66
[10] B. Bin Halib, E. Budiman, and H. Jati Setyadi, “Teknik HackingWeb Server Dengan SQLMAP Di Kali Linux,” Jurnal Rekayasa Teknologi Informasi, vol. 1, no. 1, pp. 67–72, 2017. [Online]. Available: http://dx.doi.org/10.30872/jurti.v1i1.642
[11] OWASP. (2017) lobally recognized by developers as the first step towards more secure coding. [Online]. Available: https://bit.ly/2JTb9DF
[12] S. Kals, E. Kirda, C. Kruegel, and N. Jovanovic, “SecuBat: A Web Vulnerability Scanner,” in Proceedings of the 15th International Conference
on World Wide Web, ser. WWW ’06. New York, NY, USA: Association for Computing Machinery, 2006, pp. 247–256. [Online]. Available: https://doi.org/10.1145/1135777.1135817
[13] J. Fonseca, M. Vieira, and H. Madeira, “Testing and Comparing Web Vulnerability Scanning Tools for SQL Injection and XSS Attacks,” in 13th Pacific Rim International Symposium on Dependable Computing (PRDC 2007), 2007, pp. 365–372. [Online]. Available: https://doi.org/10.1109/PRDC.2007.55
[14] E. B. Setiawan and A. Setiyadi, “Web vulnerability analysis and implementation,” IOP Conference Series: Materials Science and Engineering, vol. 407, p. 012081, sep 2018. [Online]. Available: https://doi.org/10.1088%2F1757-899x%2F407%2F1%2F012081
[15] J. Atoum and A. Qaralleh, “A hybrid technique for SQL injection attacks detection and prevention,” International Journal of Database Management Systems ( IJDMS, vol. 6, no. 1, pp. 21–28, 2014. [Online]. Available: http://doi.org/10.5121/ijdms.2014.6102
[16] D. Herrmann and H. Pridöhl, Basic Concepts and Models of Cybersecurity, 2020, vol. 21. [Online]. Available: https://doi.org/10.1007/978-3-030-29053-5_2
[17] AVI Network. (2020) SQL Injection Attack. [Online]. Available: https://bit.ly/3mb96YF
[18] P. Ramasamy and S. Abburu, “SQL Injection Attack: Detection and Prevention,” International Journal of Engineering Science and Technology, vol. 4, no. 4, pp. 1396–1401, 2016. [Online]. Available: https://bit.ly/3n7aSeV
[19] XS Code. (2020) XS:Code. [Online]. Available: https://bit.ly/37MYc6s
[20] D. Novski Neto, “Web (eternamente) revisitada: análise de vulnerabilidades web e de ferramentas de código aberto para exploração,” 2019. [Online]. Available: https://bit.ly/37VrNui
[21] V. K. Gudipati, T. Venna, S. Subburaj, and O. Abuzaghleh, “Advanced automated SQL injection attacks and defensive mechanisms,” in 2016 Annual Connecticut Conference on Industrial Electronics, Technology Automation (CT-IETA), 2016, pp. 1–6. [Online]. Available: https://doi.org/10.1109/CT-IETA.2016.7868248
[22] C. Cetin, D. Goldgof, and J. Ligatti, “SQLIdentifier Injection Attacks,” in 2019 IEEE Conference on Communications and Network Security (CNS), 2019, pp. 151–159. [Online]. Available: https://doi.org/10.1109/CNS.2019.8802743
[23] J. P. Singh, “Analysis of SQL Injection Detection Techniques,” 2016. [Online]. Available: https://bit.ly/375XeDh
[24] O. Ojagbule, H. Wimmer, and R. J. Haddad, “Vulnerability Analysis of Content Management Systems to SQL Injection Using SQLMAP,” in SoutheastCon 2018, 2018, pp. 1–7. [Online]. Available: https://doi.org/10.1109/SECON.2018.8479130
[25] A. Ciampa, C. A. Visaggio, and M. Di Penta, “A Heuristic-Based Approach for Detecting SQL-Injection Vulnerabilities in Web Applications,” in Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems, ser. SESS ’10. New York, NY, USA: Association for Computing Machinery, 2010, pp. 43–49. [Online]. Available: https://doi.org/10.1145/1809100.1809107
[26] R. Alsahafi, “SQL Injection Detection and Prevention Techniques,” International Journal of Scientific & Technology Research, vol. 8, no. 1, pp. 182–185, 2019. [Online]. Available: https://bit.ly/2W24Ksp
[27] L. Wichman, “Mass SQL injection for malware distribution,” SANS Institute, Tech. Rep., 2011. [Online]. Available: https://bit.ly/2Ke3ks0
[28] JAVANICUS. (2016) Posts Related to Web-Pentest-SQL-Injection. [Online]. Available: https://bit.ly/2IEFUMc
[29] V. Sunkari and C. V. Guru rao, “Protect Web Applications against SQL Injection Attacks Using Binary Evaluation Approach,” International Journal of Innovations in Engineering and Technology (IJIET), pp. 484–490, 2016. [Online]. Available: https://bit.ly/377eVSR
[30] W. G. J. Halfond and A. Orso, “AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks,” in Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering, ser. ASE ’05. New York, NY, USA: Association for Computing Machinery, 2005, pp. 174–183. [Online]. Available: https://doi.org/10.1145/1101908.1101935
[31] M. A. Prabakar, M. KarthiKeyan, and K. Marimuthu, “An efficient technique for preventing SQL injection attack using pattern matching algorithm,” in 2013 IEEE International Conference ON Emerging Trends in Computing, Communication and Nanotechnology (ICECCN), 2013, pp. 503–506. [Online]. Available: https://doi.org/10.1109/ICE-CCN.2013.6528551
[32] G. Yigit and M. Arnavutoglu, “SQL Injection Attacks Detection & Prevention Techniques,” International Journal of Computer Theory and Engineering, vol. 9, no. 5, pp. 351–356, 2017. [Online]. Available: https://bit.ly/3qKrEm5
[33] S. W. Boyd and A. D. Keromytis, “Boyd s.w., keromytis a.d.” in International Conference on Applied Cryptography and Network Security, 2004, pp. 292–302. [Online]. Available: https://doi.org/10.1007/978-3-540-24852-1_21
[34] L. Ntagwabira and S. L. Kang, “Use of Query tokenization to detect and prevent SQL injection attacks,” in 2010 3rd International Conference on Computer Science and Information Technology, vol. 2, 2010, pp. 438–440. [Online]. Available: https://doi.org/10.1109/ICCSIT.2010.5565202
[35] G. Buehrer, B. W. Weide, and P. A. G. Sivilotti, “Using Parse Tree Validation to Prevent SQL Injection Attacks,” in Proceedings of the 5th International Workshop on Software Engineering and Middleware, ser. SEM ’05. New York, NY, USA: Association for Computing Machinery, 2005, pp. 106–113. [Online]. Available: https://doi.org/10.1145/1108473.1108496
[36] F. D. Nembhard, M. M. Carvalho, and T. C. Eskridge, “Towards the application of recommender systems to secure coding,” EURASIP Journal on Information Security, vol. 2019, no. 1, p. 9, Jun. 2019. [Online]. Available: https://doi.org/10.1186/s13635-019-0092-4