Mitigation from SQL Injection Attacks on Web Server using Open Web Application Security Project Framework

Document Type : Original Article


1 Department of Electrical Engineering, Universitas Ahmad Dahlan, Yogyakarta, Indonesia

2 Department of Information System, Universitas Ahmad Dahlan, Yogyakarta, Indonesia


SQL injection (SQLi) is one of the most common attacks against database servers and has the potential to threaten server services by utilizing SQL commands to change, delete, or falsify data. In this study, researchers tested SQLi attacks against websites using a number of tools, including Whois, SSL Scan, Nmap, Open Web Application Security Project (OWASP) Zap, and SQL Map. Then, researchers identified SQLi vulnerabilities on the tested web server. Next, researchers developed and implemented mitigation measures to protect the website from SQLi attacks. Test results using OWASP Zap identified 14 vulnerabilities, with five of them at a medium level of 35%, seven at a low level of 50%, and two at an informational level of 14%. Meanwhile, testing using SQL Map succeeded in gaining access to the database and username on the web server. The next step in this research is to provide recommendations for installing a firewall on the website as a mitigation measure to reduce the risk of SQLi attacks. The main contribution of this research is the development of a structured methodology to identify and address SQLi vulnerabilities in web servers, which play an important role in maintaining data security and integrity in a rapidly evolving online environment.

Graphical Abstract

Mitigation from SQL Injection Attacks on Web Server using Open Web Application Security Project Framework


Main Subjects

  1. Wang B, Yao Y, Shan S, Li H, Viswanath B, Zheng H, et al., editors. Neural cleanse: Identifying and mitigating backdoor attacks in neural networks. 2019 IEEE Symposium on Security and Privacy (SP); 2019: IEEE. 10.1109/SP.2019.00031
  2. Bora A, Bezboruah T. Investigation on reliability estimation of loosely coupled software as a service execution using clustered and non-clustered web server. International Journal of Engineering, Transactions A: Basics,. 2020;33(1):75-81. 10.5829/ije.2020.33.01a.09
  3. Abdullah HS. Evaluation of open source web application vulnerability scanners. Academic Journal of Nawroz University. 2020;9(1):47-52. 10.25007/ajnu.v9n1a532
  4. Sargolzaei A, Yazdani K, Abbaspour A, Crane III CD, Dixon WE. Detection and mitigation of false data injection attacks in networked control systems. IEEE Transactions on Industrial Informatics. 2019;16(6):4281-92. 10.1109/TII.2019.2952067
  5. Thepade S, Dindorkar M, Chaudhari P, Bang S. Enhanced face presentation attack prevention employing feature fusion of pre-trained deep convolutional neural network model and thepade's sorted block truncation coding. International Journal of Engineering, Transactions A: Basics,. 2023;36(4):807-16. 10.5829/ije.2023.36.04a.17
  6. Thakre S, Bojewar S, editors. Studying the effectiveness of various tools in detecting the protecting mechanisms implemented in web-applications. 2018 International Conference on Inventive Research in Computing Applications (ICIRCA); 2018: IEEE. 10.1109/ICIRCA.2018.8597363
  7. Nasiraee H, Ashouri-Talouki M. DoS-Resistant Attribute-Based Encryption in Mobile Cloud Computing with Revocation. International Journal of Engineering, Transactions C: Aspects. 2019;32(9):1290-8. 10.5829/ije.2019.32.09c.09
  8. Helmiawan MA, Firmansyah E, Fadil I, Sofivan Y, Mahardika F, Guntara A, editors. Analysis of web security using open web application security project 10. 2020 8th International Conference on Cyber and IT Service Management (CITSM); 2020: IEEE. 10.1109/CITSM50537.2020.9268856
  9. Dalai AK, Jena SK. Neutralizing SQL injection attack using server side code modification in web applications. Security and Communication Networks. 2017;2017. 10.1155/2017/3825373
  10. Lala SK, Kumar A, Subbulakshmi T, editors. Secure web development using owasp guidelines. 2021 5th International Conference on Intelligent Computing and Control Systems (ICICCS); 2021: IEEE. 10.1109/ICICCS51141.2021.9432179
  11. Alghawazi M, Alghazzawi D, Alarifi S. Detection of sql injection attack using machine learning techniques: a systematic literature review. Journal of Cybersecurity and Privacy. 2022;2(4):764-77. 10.3390/jcp2040039
  12. Kareem FQ, Ameen SY, Salih AA, Ahmed DM, Kak SF, Yasin HM, et al. SQL injection attacks prevention system technology. Asian Journal of Research in Computer Science. 2021;10(3):13-32. 10.9734/ajrcos/2021/v10i330242
  13. Chen D, Yan Q, Wu C, Zhao J, editors. Sql injection attack detection and prevention techniques using deep learning. Journal of Physics: Conference Series; 2021: IOP Publishing. 10.1088/1742-6596/1757/1/012055
  14. Mokbal FMM, Dan W, Imran A, Jiuchuan L, Akhtar F, Xiaoxi W. MLPXSS: an integrated XSS-based attack detection scheme in web applications using multilayer perceptron technique. IEEE Access. 2019;7:100567-80. 10.1109/ACCESS.2019.2927417
  15. Hu J, Zhao W, Cui Y, editors. A survey on sql injection attacks, detection and prevention. Proceedings of the 2020 12th International Conference on Machine Learning and Computing; 2020. 10.1145/3383972.3384028
  16. Pattewar T, Patil H, Patil H, Patil N, Taneja M, Wadile T. Detection of SQL injection using machine learning: a survey. Int Res J Eng Technol(IRJET). 2019;6(11):239-46.
  17. Alenezi M, Nadeem M, Asif R. SQL injection attacks countermeasures assessments. Indonesian Journal of Electrical Engineering and Computer Science. 2021;21(2):1121-31. 10.11591/ijeecs.v21.i2.pp1121-1131
  18. Ravindran U, Potukuchi RV. A Review on Web Application Vulnerability Assessment and Penetration Testing. Review of Computer Engineering Studies. 2022;9(1). 10.18280/rces.090101
  19. Syamasudha V, Syed A, Gayatri E. The Solutions of SQL Injection Vulnerability in Web Application Security. no. 2019;6:3803-8. 10.35940/ijeat.F9395.088619
  20. Sharma K, Bhatt S. SQL injection attacks-a systematic review. International journal of information and computer security. 2019;11(4-5):493-509. 10.1504/IJICS.2019.101937
  21. Akbar M, Ridha MAF. Sql injection and cross site scripting prevention using owasp modsecurity web application firewall. JOIV: International Journal on Informatics Visualization. 2018;2(4):286-92. 10.30630/joiv.2.4.107
  22. Jana A, Maity D, editors. Code-based analysis approach to detect and prevent SQL injection attacks. 2020 11th International Conference on Computing, Communication and Networking Technologies (ICCCNT); 2020: IEEE. 10.1109/ICCCNT49239.2020.9225575
  23. Alotaibi FM, Vassilakis VG. Toward an SDN-Based Web Application Firewall: Defending against SQL Injection Attacks. Future Internet. 2023;15(5):170. 10.3390/fi15050170
  24. Rankothge W, Randeniya M, Samaranayaka V, editors. Identification and mitigation tool for Sql injection attacks (SQLIA). 2020 IEEE 15th International Conference on Industrial and Information Systems (ICIIS); 2020: IEEE. 10.1109/ICIIS51140.2020.9342703
  25. Xiao M, Guo M. Computer network security and preventive measures in the age of big data. Procedia Computer Science. 2020;166:438-42. 10.1016/j.procs.2020.02.068
  26. Krishnan S, Zolkipli MF. Survey on SQL Injection and Cross-Site Scripting Malware Injection Attacks. 10.35629/5252-0502822833
  27. Hasan M, Balbahaith Z, Tarique M, editors. Detection of SQL injection attacks: a machine learning approach. 2019 International Conference on Electrical and Computing Technologies and Applications (ICECTA); 2019: IEEE. 10.1109/ICECTA48151.2019.8959617
  28. Alanda A, Satria D, Mooduto H, Kurniawan B, editors. Mobile application security penetration testing based on OWASP. IOP Conference Series: Materials Science and Engineering; 2020: IOP Publishing. 10.1088/1757-899X/846/1/012036
  29. Priyawati D, Rokhmah S, Utomo I. Website Vulnerability Testing and Analysis of Internet Management Information System Using OWASP. International Journal of Computer and Information System (IJCIS) Peer Reviewed-International Journal. 2022;3(03):2745-9659. 10.29040/ijcis.v3i3.90
  30. Alanda A, Satria D, Ardhana MI, Dahlan AA, Mooduto HA. Web application penetration testing using SQL Injection attack. JOIV: International Journal on Informatics Visualization. 2021;5(3):320-6. 10.30630/joiv.5.3.470
  31. Wiradarma AABA, Sasmita GMA. IT Risk Management Based on ISO 31000 and OWASP Framework using OSINT at the Information Gathering Stage (Case Study: X Company). International Journal of Computer Network and Information Security. 2019;10(12):17. 10.5815/ijcnis.2019.12.03
  32. Wijayanto A, Utami E, Prasetio AB, editors. Analysis of Vulnerability Webserver Office Management of Information And Documentation Diskominfo using OWASP Scanner. 2020 2nd International Conference on Cybernetics and Intelligent System (ICORIS); 2020: IEEE. 10.1109/ICORIS50180.2020.9320833
  33. Wibowo RM, Sulaksono A. Web vulnerability through Cross Site Scripting (XSS) detection with OWASP security shepherd. Indonesian Journal of Information Systems. 2021;3(2):149-59. 10.24002/ijis.v3i2.4192
  34. Ferrara P, Mandal AK, Cortesi A, Spoto F. Static analysis for discovering IoT vulnerabilities. International Journal on Software Tools for Technology Transfer. 2021;23:71-88. 10.1007/s10009-020-00592-x
  35. Qian K, Parizi RM, Lo D, editors. Owasp risk analysis driven security requirements specification for secure android mobile software development. 2018 IEEE Conference on Dependable and Secure Computing (DSC); 2018: IEEE. 10.1109/DESEC.2018.8625114
  36. Mateo Tudela F, Bermejo Higuera J-R, Bermejo Higuera J, Sicilia Montalvo J-A, Argyros MI. On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications. Applied Sciences. 2020;10(24):9119. 10.3390/app10249119
  37. Kellezi D, Boegelund C, Meng W. Securing open banking with model-view-controller architecture and OWASP. Wireless communications and mobile computing. 2021;2021:1-13. 10.1155/2021/8028073
  38. Ghanem MC, Chen TM. Reinforcement learning for efficient network penetration testing. Information. 2019;11(1):6. 10.3390/info11010006
  39. Silva RF, Barbosa R, Bernardino J. Intrusion detection systems for mitigating sql injection attacks: review and state-of-practice. International Journal of Information Security and Privacy (IJISP). 2020;14(2):20-40. 10.4018/IJISP.2020040102
  40. Khalaf M, Youssef A, El-Saadany E. Joint detection and mitigation of false data injection attacks in AGC systems. IEEE Transactions on Smart Grid. 2018;10(5):4985-95. 10.1109/TSG.2018.2872120