Abstract

The main aim of this paper was to develop and evaluate securely web-based application for construction material testing using object-oriented technology and parameterized queries for SQL command queries. The SQL queries for the web application of construction material testing were modified by adjusting their codes which included connection strings, authorization bypass and execute commands. Detection of SQL injection vulnerability was conducted by expertise and two automatic web vulnerability scanning tools. It was found that the parameterized queries could minimize the SQL injection flaws of the web application significantly.

References

• Ar?oz, O. , et al. 2007. Web-based quality control of ready mixed concrete. Building and Environment. 42, 1465-1470.
• Kost, S. 2007. An Introduction to SQL Injection Attacks for Oracle Developer. White Paper. Integrigy Corporation.
• Strom, D. 2006. An Anatomy of a Web Hack: SQL Injection explained. White Paper. Breach Security Inc.
• Spett, K. 2005. SQL Injection: Are your web applications vulnerable? Technical Report. SPI Dynamics Inc.
• Amirtahmasebi, K. , Jalalinia, S. R. , and Khadem, S. 2009. A survey of SQL injection defense mechanisms. in International Conference for Internet Technology and Secured Transactions, ICITST. London. IEEE.
• Anley. , C. 2002. More Advanced SQL Injection. White Paper. Next Generation Security Software Ltd.
• Bandhakavi, S. , et al. 2007. CANDID: Preventing SQL Injection Attacks using Dynamic Candidate Evaluations. in Proceedings of the 14th ACM conference on Computer and communications security. New York. ACM.
• Boyd, S. W. and Keromytis, A. D. 2004. SQLrand: Preventing SQL Injection Attacks. in Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference. Yellow Mountain.
• Nystrom, M. G. 2007. SQL Injection Defenses. Short Cuts. O'Reilly Media.
• Obimbo, C. and Ferriman, B. 2011. Vulnerabilities of LDAP as an Authentication Service. Journal of Information Security. 2, 151-157.
• Sam, M. S. N. 2005. SQL Injection Protection by Variable Normalization of SQL Statement. ; Available from: http://www. securitydocs. com/library/3388.
• Wei, K. , Muthuprasanna, M. , and Suraj, K. 2006. Preventing SQL injection attacks in stored procedures. in Software Engineering Conference. IEEE.
• Fonseca, J. , Vieira, M. , and Madeira, H. 2007. Testing and Comparing Web Vulnerability Scanning Tools for SQL Injection and XSS Attacks, in PRDC. 13th Pacific Rim International Symposium on Dependable Computing. , IEEE: Melbourne. 365 - 372.
• Fu, X. and Qian, K. 2008. SAFELI: SQL injection scanner using symbolic execution. in Proceedings of the 2008 workshop on Testing, Analysis, and Verification of web services and applications. New York. ACM.
• Khoury, N. , et al. 2011. An Analysis of Black-Box Web Application Security Scanners against Stored SQL Injection. in IEEE Third International Conference on Privacy, Security, Risk and Trust (PASSAT) and IEEE Third International Confernece on Social Computing (SocialCom) Boston. IEEE.
• Shinder, D. 2005. Acunetix Web Vulnerability Scanner. Product Review 2005; Available from: www. windowsecurity. com/articles/product-review-acunetix-wvs. html.
• Anon 2008. The Power of AppScan: A Hands-On Review of IBM Rational AppScan Standard Edition. EMA™ IMPACT BRIEF 2008; Available from: www. ibm. com/software/awdtools/appscan/.