ABSTRACT
SQL injections are one of the most widely used techniques for attacking data-driven applications, so the exposure of such applications to cyber-attacks keeps growing. To create awareness of these attacks, we demonstrate a web-based educational game. The game shows how SQL injections work and which kinds of attacks they enable, e.g., logging in without knowing a user's password, deleting data, or retrieving secret or sensitive data. At each level, the players have to fill out login or search forms or use URL parameters to attack an example retail website. While solving these tasks, players can look at the SQL query and the application code. The players learn how SQL injections work, how dangerous they are, and how to make their own applications more robust against SQL injections, for example by using prepared statements.
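As an added illustration (not the paper's game code), the login scenario from the abstract in Python against an in-memory SQLite table: the concatenated query lets a crafted password satisfy the WHERE clause for every row, while the prepared statement binds the same input as plain data. The `users` table and its rows are constructed for this demo.

```python
import sqlite3


def make_db():
    """Constructed demo data: a tiny shop user table, not the paper's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """String concatenation: the form input becomes part of the SQL text.

    A password of  ' OR '1'='1  turns the WHERE clause into
    (name = 'alice' AND password = '') OR '1'='1', which is true for
    every row, so the 'login' succeeds without a valid password.
    """
    query = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_prepared(conn, name, password):
    """Prepared statement: the same input is bound as a value, never parsed
    as SQL, so a quote in the password only ever compares against the
    stored password string."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


if __name__ == "__main__":
    conn = make_db()
    bad_password = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(conn, "alice", bad_password))  # both users
    print("prepared:  ", login_prepared(conn, "alice", bad_password))    # []
```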