{"product_id":"information-systems-security-somesh-jha-9783642177132","title":"Information Systems Security: 6th International Conference, ICISS 2010, Gandhinagar, India, December 17-19, 2010","description":"2.1 Web Application Vulnerabilities. Many web application vulnerabilities have been well documented and mitigation methods have also been introduced [1]. The most common cause of those vulnerabilities is insufficient input validation. Any data originating from outside of the program code, for example input data provided by a user through a web form, should always be considered malicious and must be sanitized before use. SQL Injection, Remote Code Execution and Cross-site Scripting are the most common vulnerabilities of that type [3]. Below is a brief introduction to the SQL injection vulnerability, though the security testing method presented in this paper is not limited to it. An SQL injection vulnerability allows an attacker to illegally manipulate a database by injecting malicious SQL code into the values of input parameters of HTTP requests sent to the victim web site. Fig. 1. An example of a program written in PHP which contains an SQL Injection vulnerability. Figure 1 shows a program that uses the database query function mysql_query to get the user information corresponding to the user specified by the GET input parameter username and then prints the result to the client browser. A normal HTTP request with the input parameter username looks like http:\/\/example.com\/index.php?username=bob . The dynamically created database query at line 2 is SELECT * FROM users WHERE username='bob' AND usertype='user' . This program is vulnerable to SQL Injection attacks because mysql_query uses the input value of username without sanitizing malicious code. Malicious code can be a string that contains SQL symbols or keywords. If an attacker sends a request with the SQL code (alice' --) injected, http:\/\/example.com\/index.php?username=alice' -- , the query becomes SELECT * FROM users WHERE username='alice' -- ' AND usertype='user' . Everything after the comment marker -- is ignored by the database, so the usertype='user' restriction is silently dropped and the attacker retrieves the alice record regardless of its usertype.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eAuthor:\u003c\/b\u003e Somesh Jha\u003cbr\u003e\u003cb\u003eISBN-10:\u003c\/b\u003e 3642177131\u003cbr\u003e\u003cb\u003eISBN-13:\u003c\/b\u003e 9783642177132\u003cbr\u003e\u003cb\u003ePublisher:\u003c\/b\u003e Springer\u003cbr\u003e\u003cb\u003eLanguage:\u003c\/b\u003e English\u003cbr\u003e\u003cb\u003ePublished:\u003c\/b\u003e 12\/02\/2010\u003cbr\u003e\u003cb\u003ePages:\u003c\/b\u003e 261\u003cbr\u003e\u003cb\u003eFormat:\u003c\/b\u003e Paperback\u003cbr\u003e\u003cb\u003eWeight:\u003c\/b\u003e 0.92lbs\u003cbr\u003e\u003cb\u003eSize:\u003c\/b\u003e 9.20h x 6.10w x 0.60d","brand":"Somesh Jha","offers":[{"title":"Paperback","offer_id":48486987923711,"sku":"9783642177132","price":54.99,"currency_code":"USD","in_stock":true}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/0662\/2982\/9887\/files\/img_7e0ab797-b65e-4c6e-82a8-01f0f0168292.jpg?v=1778057599","url":"https:\/\/www.whiterainbookhouse.com\/products\/information-systems-security-somesh-jha-9783642177132","provider":"WR Book House","version":"1.0","type":"link"}
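The excerpt above describes the query from Figure 1 of the paper and the injected value alice' -- that strips the usertype check. The following is an added example, not the book's PHP listing or any code from the paper: it reproduces that attack against a constructed in-memory SQLite database (the table, columns and rows are assumptions made for the demonstration) and places the concatenated query beside a parameterized one, so the difference in behaviour on the same input can be observed directly.

```python
"""Added example: the SQL injection from the excerpt, reproduced in Python
with sqlite3 rather than PHP/mysql_query, beside a parameterized fix.
The database contents are constructed sample data, not from the paper."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one ordinary user and one privileged user
    whose record the usertype='user' filter is supposed to hide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, usertype TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("bob", "user", "bob@example.com"),
            ("alice", "admin", "alice@example.com"),
        ],
    )
    return conn


def build_vulnerable_query(username: str) -> str:
    """Mirrors line 2 of the paper's listing: the GET value is spliced into
    the SQL text unsanitized, so quotes and comment markers in it become syntax."""
    return ("SELECT * FROM users WHERE username='" + username
            + "' AND usertype='user'")


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Executes the concatenated query, as the PHP mysql_query call would."""
    return conn.execute(build_vulnerable_query(username)).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value is bound as a parameter. The driver treats it
    purely as data, so alice' -- is looked up literally and matches nothing."""
    return conn.execute(
        "SELECT * FROM users WHERE username=? AND usertype='user'",
        (username,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"  # the injected ?username= value from the excerpt
    print(build_vulnerable_query(payload))
    print("vulnerable:", lookup_vulnerable(db, payload))
    print("parameterized:", lookup_safe(db, payload))
```

With the payload, the concatenated query becomes SELECT * FROM users WHERE username='alice' -- ' AND usertype='user' ; SQLite, like MySQL, discards everything after -- and returns the admin record. The parameterized query, given the identical string, returns no rows. Escaping quotes in the input would also block this particular payload, but binding parameters removes the whole class of problem rather than one symptom of it.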