Critical Evaluation of SQL Injection Security Measures in Web Applications

Authors

  • Haneen Mohammed Adhab Al Salmawi, Ministry of Education, General Directorate of Education in Wasit Governorate, Iraq

DOI:

https://doi.org/10.31185/wjps.566

Keywords:

SQL Injection, Agent-based Vulnerability Response System (AVRS), Machine Learning, Vulnerability Scanning, Malware Detection

Abstract

Given that SQL injection attacks continue to pose a substantial threat to the security of web applications, this paper critically assesses sophisticated security measures intended to mitigate these vulnerabilities. We investigate the Agent-based Vulnerability Response System (AVRS), which improves on traditional intrusion detection systems by incorporating mobile agents that provide increased autonomy and mobility. This system integrates a comprehensive vulnerability database with machine learning techniques to enable real-time threat detection and response. The study introduces the VIWeb vulnerability scanner, which evaluates three machine learning models for malware detection: Decision Trees, Support Vector Machines (SVMs), and Artificial Neural Networks (ANNs). The scanner employs algorithms such as the Reverse Resemblance Algorithm and the Malicious String-Matching Algorithm. According to the performance metrics, the ANN surpasses the SVM and Decision Tree approaches in its ability to classify threats, achieving the highest accuracy (86.50%). The results emphasize the potential of integrating machine learning with conventional security measures to fortify defenses against SQL injection attacks, thereby establishing the groundwork for future research and implementation strategies.


Published

2025-03-30

Section

Computer

How to Cite

Al Salmawi, H. Mohammed Adhab. (2025). Critical Evaluation of SQL Injection Security Measures in Web Applications. Wasit Journal for Pure Sciences, 4(1), 104-119. https://doi.org/10.31185/wjps.566