mitigating sql injection attacks
sql injection: where a single misplaced character can turn a database into a liability
SQL injection attacks pose a significant threat to the security of databases and web applications. In these attacks, malicious actors exploit vulnerabilities in input fields or poorly sanitized user inputs to inject malicious SQL code into the database queries. By doing so, attackers can manipulate the database and gain unauthorized access to sensitive information, or retrieve, delete, or modify it. SQL injection attacks are often facilitated by inadequate input validation and a lack of parameterized queries in the application's code. To mitigate this risk, developers must employ secure coding practices, such as parameterized queries and input validation, to ensure that user inputs are properly sanitized. Regular security audits and monitoring are also crucial to detect and prevent SQL injection vulnerabilities, helping to fortify the overall security posture of web applications and databases against these types of attacks.
Even with secure coding practices and regular security audits, there is still a chance of malicious code being injected through an SQL injection attack. So, to predict whether a query could be potentially unsafe, we proposed a machine learning model using a random decision forest classifier (Aggarwal et al., 2021). From the SQL queries that we collected, we identified the features present in them, such as the number of comment characters, number of semicolons, logical operators, true conditions, keywords, and wildcard characters. This helped us get better insights into the database, and we scored all the keywords based on their potential risk factor.
Other features, like comment characters and wildcard characters, were given a score of 1 (least unsafe). Based on the score list, we scored the queries in the dataset and trained a machine learning model based on a random decision forest classifier to predict if a query is unsafe.
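The feature extraction described above, as an added Python example that is not the authors' code: it counts comment characters, semicolons, logical operators, tautological "true conditions", risk-weighted keywords, and wildcard characters in a query string, turning each query into a numeric feature vector that a classifier such as a random decision forest could be trained on. The keyword risk weights, the tautology pattern, the weights in `risk_score`, and the `threshold` are assumptions for illustration (the page only states that comment and wildcard characters score 1); the sample queries are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed keyword risk weights. Assumption: the original work scores
# keywords by potential risk but does not publish its table, so these
# values are illustrative and not the authors'.
KEYWORD_RISK: Dict[str, int] = {
    "select": 1, "insert": 2, "update": 2, "delete": 3, "drop": 3,
    "alter": 3, "truncate": 3, "union": 3, "exec": 3,
}

COMMENT_RE = re.compile(r"--|#|/\*")                     # SQL comment starters
LOGICAL_RE = re.compile(r"\b(?:or|and|not)\b|\|\||&&", re.IGNORECASE)
# A "true condition" here is an equality whose two sides are the same
# literal, e.g. 1=1 or 'a'='a' (assumption: one common tautology shape).
TRUE_COND_RE = re.compile(r"(\b\d+\b|'[^']*')\s*=\s*\1")
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORD_RISK) + r")\b", re.IGNORECASE)
WILDCARD_RE = re.compile(r"[%*]")                        # LIKE and column wildcards

FEATURE_NAMES: List[str] = [
    "comment_chars", "semicolons", "logical_operators",
    "true_conditions", "keyword_risk", "wildcards",
]


def extract_features(query: str) -> Dict[str, int]:
    """Count the page's feature families in a single SQL query."""
    keyword_risk = sum(KEYWORD_RISK[m.lower()] for m in KEYWORD_RE.findall(query))
    return {
        "comment_chars": len(COMMENT_RE.findall(query)),
        "semicolons": query.count(";"),
        "logical_operators": len(LOGICAL_RE.findall(query)),
        "true_conditions": len(TRUE_COND_RE.findall(query)),
        "keyword_risk": keyword_risk,
        "wildcards": len(WILDCARD_RE.findall(query)),
    }


def feature_vector(query: str) -> List[int]:
    """Fixed-order numeric vector, ready for a classifier's training matrix."""
    feats = extract_features(query)
    return [feats[name] for name in FEATURE_NAMES]


def risk_score(query: str) -> int:
    """Hand-weighted score. Comment and wildcard characters count 1 each, as
    the page states; the other weights are assumptions for illustration."""
    f = extract_features(query)
    return (f["comment_chars"] * 1 + f["wildcards"] * 1
            + f["semicolons"] * 2 + f["logical_operators"] * 1
            + f["true_conditions"] * 3 + f["keyword_risk"])


def is_suspicious(query: str, threshold: int = 5) -> bool:
    """Simple stand-in for the trained model: flag queries over a threshold
    (threshold is an assumption, not a value from the page)."""
    return risk_score(query) >= threshold


def labelled_rows(samples: List[Tuple[str, int]]) -> Tuple[List[List[int]], List[int]]:
    """Split (query, label) pairs into X and y lists for a classifier."""
    X = [feature_vector(q) for q, _ in samples]
    y = [label for _, label in samples]
    return X, y


# Constructed sample queries; labels: 0 = benign, 1 = unsafe.
SAMPLES: List[Tuple[str, int]] = [
    ("SELECT name FROM users WHERE id = 42", 0),
    ("SELECT * FROM users WHERE name = '' OR 1=1 -- ", 1),
    ("SELECT id FROM t; DROP TABLE t; --", 1),
]

if __name__ == "__main__":
    X, y = labelled_rows(SAMPLES)
    for (query, label), vec in zip(SAMPLES, X):
        print(f"{label} {risk_score(query):2d} {vec} {query!r}")
```

The vectors returned by `labelled_rows` are exactly what one would pass to `RandomForestClassifier.fit(X, y)` from scikit-learn; `risk_score` only stands in for the trained model so the block runs without that dependency. In a real deployment, a regex-based extractor is easy to evade with encoding and alternative syntax, so it complements, rather than replaces, parameterized queries and input validation.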
references
2021
- Random Decision Forest Approach for Mitigating SQL Injection Attacks. In IEEE International Conference on Electronics, Computing and Communication Technologies (CONECCT), Bangalore, India, 2021.