
Bulletin of TUIT: Management and Communication Technologies, 2024, Vol. 2(19)

TECHNIQUES TO PREVENT SQL INJECTION AND CROSS-SITE SCRIPTING

Khujakulov Toshtemir Abdikhafizovich (1), Gaipnazarov Rustam Takhiritdinovich (2), Majidova Yulduz Daniyarovna (3), Nurbekov Shuxrat Melisovich (4)

Tashkent University of Applied Sciences, [email protected], Toshkent, Uzbekistan
Department of Convergence of Digital Technologies, Tashkent University of Information Technologies named after Muhammad al-Khwarizmi, [email protected], Toshkent, Uzbekistan
Tashkent University of Applied Sciences, [email protected], Toshkent, Uzbekistan

Abstract: The article discusses a method for preventing SQL injections and cross-site scripting using the Knuth-Morris-Pratt string matching algorithm. SQL injection and cross-site scripting remain a major threat to data-driven web applications. There are more and more cases where hackers gain unlimited access to the internal database of web applications in order to steal, edit and destroy confidential data. Therefore, measures must be taken to curb the growing threats of SQL injection and XSS attacks. This study presents a technique to detect and prevent these threats using the Knuth-Morris-Pratt string matching algorithm. The algorithm was used to match the user's input string with a stored injection string pattern to detect any malicious code. The implementation was carried out using the PHP scripting language and the Apache XAMPP server. The security level of the method was measured using various test cases of SQL injection, cross-site scripting (XSS), and code injection attacks. The results obtained showed that the proposed technique is able to successfully detect and prevent attacks, register an attack record in the database, block the system by its MAC address, and also generate a warning message. Thus, the proposed technique turned out to be more effective in detecting and preventing SQL injections and XSS attacks.

Keywords: SQL injections, XSS attacks, server, scripting, algorithm.

The Internet is quickly becoming a consumer technology with 8.39 billion users in January 2023, up from 5.48 billion users in January 2022. This showed that more than a million new users were connecting daily. This growth is fueled by data-driven web applications and services that enable users to carry out their online activities with ease. Most of today's organizations and individuals rely heavily on these web applications to connect with their numerous clients. User input through web applications is used to query internal databases to provide the required information. Thus, this trend has opened up web applications and services to attack by hackers. Moreover, the popularity of web applications on social networks, financial transactions and health problems is growing very quickly; as a result, software vulnerabilities have become very important issues and therefore web security has become a major concern. The vulnerabilities are primarily application layer vulnerabilities such as domain name server attacks, inline frame flaws, remote file inclusion, web authentication flaws, remote code execution, XSS, and SQL injection.

A survey by the Open Web Application Security Project (OWASP) identified the top 10 vulnerabilities as of June 2023: implementation flaws, broken authentication and session management, sensitive data disclosure, XML external entity, broken access control, security misconfiguration, XSS, insecure deserialization, use of components with known vulnerabilities, insufficient logging and monitoring. However, among these forms of attacks, XSS and SQL injection have been identified as the most dangerous [5].

The WordPress Security Learning Center also claims that if SQL injection and XSS vulnerabilities can be handled in code, then 65% of vulnerabilities will be eliminated. Because web applications use data provided by users in SQL queries, hackers can manipulate this data and insert SQL metacharacters into input fields to access, change, or delete database content. For example, the WHERE clause in the SQL query SELECT * FROM users WHERE password = 1234 can be changed when hackers enter data such as "anything" OR "1" = "1". The WHERE clause now contains two conditions separated by the logical OR operator. The first condition may not be TRUE, but the second condition must be TRUE because 1 is always equal to 1 and the logical OR operator returns TRUE if one or both conditions are TRUE. Therefore, the hacker gains access without needing to know the password. Sometimes incorrect input values can also be provided intentionally so that error messages are produced that help attackers understand the database schema. Thus, SQL injection poses a serious threat to web application users.

SQL injection attacks can be divided into six categories:

a) Logical SQL injection or tautology attack: Boolean values (True or False) are used to perform this type of SQL injection. A malicious SQL query causes a web application to return different results depending on whether the query returns a TRUE or FALSE result. For example, "aaa OR 2 = 2" was inserted into the SQL query "SELECT * FROM users WHERE password = aaa OR 2 = 2" as a password to change the structure of the WHERE clause of the original query. This produces an SQL query with two different conditions separated by the logical OR operator. The first condition "password = aaa" could be false, but the second condition "2 = 2" must be true. Therefore, the logical OR operator returns true if at least one of its operands is true, thereby forcing the web application to return a different result.

b) Union-based SQL injection: This is the most popular of all SQL injections. It uses the UNION operator to integrate two or more SELECT statements into an SQL query, thereby illegally retrieving data from the database. For example, in the SQL query "SELECT * FROM customers WHERE password = 123 UNION SELECT creditCardNo, pin FROM customers", the attacker enters the SQL statement "123 UNION SELECT creditCardNo, pin FROM customers" instead of the required password. So the query provides all the credit card numbers with their PINs from the customers table.

c) Error-based SQL injection: This is the simplest of all SQL injection vulnerabilities; however, it only affects web applications that use MS-SQL Server. The most common form of this vulnerability requires an attacker to supply an SQL statement with incorrect input, which would result in a syntax error, such as supplying a string when the SQL query expects an integer. For example, the SQL query SELECT * FROM customer WHERE pin = convert(int, (SELECT firstName FROM customer LIMIT 1)) attempts to convert the first customer name in the customer table to an integer type, which is not possible. As a result, the database server issues an error containing information about the table structure.

d) Batch SQL injection query/backup attack: This form of injection is dangerous as it attempts to gain complete control of the database. The attacker terminates the application's original request and injects his own request into the database server. For example, when considering the SQL query aaa; INSERT INTO users('Abubakar', '1234'); #, the first semicolon (;) ends the original query, the injected query adds the username "Abubakar" and password "1234" to the users table, and the hash (#) comments out the remaining query so that it is not executed by the server. However, this form of attack only works on SQL Server 2005 because it is the only server that accepts multiple queries at the same time.

e) SQL injection based on LIKE: This type of injection is used by hackers to impersonate a specific user using the SQL LIKE keyword with a wildcard (%). For example, an attacker could enter the input "anything OR username, LIKE 'S%' ;#" instead of a username to get the SQL query SELECT * FROM users WHERE username = 'whatever OR username, LIKE 'S%' ; #". The LIKE operator implements a pattern matching comparison, that is, it matches a string value with a pattern string containing a wildcard. The query searches the users table and returns records of users whose username begins with the letter S. The wildcard (%) means zero or more characters (S...) and can be used before or after the pattern.

f) Hexadecimal/decimal/binary variation attack (code injection): In this type of injection, the hacker uses a variation of the SQL language by using hexadecimal or decimal representations of keywords instead of the usual injection code strings and characters.

The filter() function was designed to prevent SQL injection and XSS attacks. This function contains other functions, each of which was written to detect a specific form of attack. If at least one function returns True, then filter() will block that user, reset the HTTP request, and display an appropriate warning message. The first statement in the algorithm below represents the user input, which is collected from the web form using the POST method and passed to I. filter() then collects the user input and first converts any ASCII string found to prevent a code injection attack. If no ASCII string is found and the input is not empty, then the user input will be passed to the other functions to check whether it contains any injection code: Boolean-based SQLI, union-based SQLI, error-based SQLI, SQLI batch query, SQLI based on LIKE and XSS, and the function results are represented as a, b, c, d, e and f, respectively. If one of the results returns true, then an injection line is detected in the user's input, which runs the functions blockUser(), resetHTTP() and warningMessage() to block the user, reset the HTTP request and display a warning message.

Based on the identified patterns, the filter() function was formulated using the KMP string matching algorithm. The formulated filter() function detects and prevents any form of SQL injection and XSS attacks. Each input string is expected to pass through this filter() function. If at least one function returns True, the filter() function will block that user, reset the HTTP request, and display an appropriate warning message. This method was tested using a test plan consisting of various forms of Boolean-based, union-based, error-based, batch query, LIKE-based, coded SQL injection and cross-site scripting attacks. Test results show that this method can successfully detect and prevent attacks, log an attack record in the database, lock the system using its MAC address to prevent further attacks, and issue a blocked message. Comparison of the proposed method with existing methods showed that the proposed method is more effective as it is not limited to a specific attack form and can handle various forms of SQL injection and XSS attacks.
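As an added example (not the paper's PHP implementation), the filter() logic described above written in Python: a KMP matcher with one constructed signature list per attack form a) to f) plus XSS, returning the categories that fire so that the caller can block the user, reset the request and warn. The signature strings, the normalize() step and the function names are assumptions of this example.

```python
import re

# Added example, not the paper's PHP code: a KMP-based version of the filter()
# function described above. The signature strings are constructed assumptions.
def kmp_table(pattern):
    """table[i] = length of the longest proper prefix of pattern[:i+1] that is also its suffix."""
    table, k = [0] * len(pattern), 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = table[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        table[i] = k
    return table

def kmp_find(text, pattern):
    """Index of the first occurrence of pattern in text, or -1, in O(n+m)."""
    table, k = kmp_table(pattern), 0
    for i, ch in enumerate(text):
        while k and ch != pattern[k]:
            k = table[k - 1]
        if ch == pattern[k]:
            k += 1
            if k == len(pattern):
                return i - k + 1
    return -1

# One signature list per attack form a..f from the paper, plus XSS.
SIGNATURES = {
    "a_tautology": ["or 1=1", "or 2=2", "or '1'='1", 'or "1"="1"'],
    "b_union": ["union select"],
    "c_error": ["convert(int"],
    "d_batch": [";insert ", ";update ", ";delete ", ";drop "],
    "e_like": ["like '%", "like 's%'"],
    "f_encoded": ["0x", "char(", "unhex("],
    "xss": ["<script", "javascript:", "onerror=", "onload="],
}

def normalize(s):
    """Lower-case, drop spaces around = ; ( and collapse whitespace, so
    'OR  2 = 2' and 'or 2=2' hit the same signature."""
    s = re.sub(r"\s*([=;(])\s*", r"\1", s.lower())
    return re.sub(r"\s+", " ", s).strip()

def filter_input(user_input):
    """Categories whose signatures occur in the input (empty list = clean);
    the caller blocks the user and resets the request when it is non-empty."""
    text = normalize(user_input)
    return [cat for cat, pats in SIGNATURES.items()
            if any(kmp_find(text, p) != -1 for p in pats)]
```

The signature list is deliberately small; a match-based filter of this kind is a detection layer that complements, rather than replaces, parameterized queries and output encoding.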

References:

[1] Dunaev, V.V. Databases. SQL language for students / V.V. Dunaev. – M.: BHV-Petersburg, 2017. – 288 p.
[2] Price, Jason. Oracle Database 11g: SQL. SQL statements and PL/SQL programs / Jason Price. – M.: LORI.
[3] O.K. Abikoy, A.D. Haruna, A. Abubakar, N.O. Akande, E.O. Asani. Modified Extended Standard Encryption Algorithm for Information Security, 2019.
[4] Ron, Hardman. Oracle Database PL/SQL. Expert recommendations / Hardman Ron, 2014.
[5] Przhiyalkovsky, V.V. Introduction to Oracle SQL / V.V. Przyjalkowski. – M.: Binom. Knowledge Laboratory, Internet University of Information Technologies, 2016.
[6] T.A. Khujakulov. The problems of information and telecommunication technologies. The Republican Scientific and Technical Conference, Tashkent, 2015, pp. 86-88.
[7] T.A. Khujakulov. The problems of information and telecommunication technologies. The Republican Scientific and Technical Conference, Tashkent, 2015, pp. 86-88.
[8] T.A. Khujakulov, A. Oteniyozov, E. Holikov. "Problems of Integrated Water Resources Management". Materials of the International Scientific and Practical Conference, pp. 190-191.
[9] Halfond, W. G. J., Orso, A., & Manolios, P. (2006). AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering (pp. 174-183).
[10] Kirda, E., Kruegel, C., & Vigna, G. (2009). Noxes: A Client-Side Solution for Mitigating Cross-Site Scripting Attacks. In Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 25-44).
[11] Vieira, M., Madeira, H., & Melo, A. (2010). A survey on automated dynamic web application testing tools. ACM Computing Surveys (CSUR), 43(4), 1-29.
[12] Howard, M., & LeBlanc, D. (2002). Writing Secure Code. Microsoft Press.
[13] Stuttard, D., & Pinto, M. (2011). The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. John Wiley & Sons.
[14] Soares, L. F., Kim, H., & Chang, C. K. (2009). Proactive detection of SQL injection and cross-site scripting attacks. Journal of Network and Computer Applications, 32(2), 370-383.
[15] Wurster, T. (2019). Practical Web Penetration Testing: Secure web applications using Burp Suite, Nmap, Metasploit, and more. Packt Publishing Ltd.
[16] T.A. Khujakulov. About one method for increasing warehouse information security. Radio engineering, telecommunications va akhborot technologylari: Muammolari va kelajak rivozhi. 2015 May 21-22, 126 p.
[17] T.A. Khujakulov. Representation of knowledge in an object-oriented database. Aloka va ahborotlashtirish sokhasi uchun kadlar tayorlash sifatini oshirish muammolari, maruzalar tuplami. 2015, 257 p.
[18] T.A. Khujakulov. Promising technologies in the field of data storage and recording. Aloka va ahborotlashtirish sokhasi uchun kadlar tayorlash sifatini oshirish muammolari, maruzalar tuplami. 2015, 195 p.
