Paper Review

Title page:
SQLI-XSS Attack (How to Detect and Countermeasures)
Adam Waluyo, M. Zhilal Agrayasa, Noni Fauziah
January 8, 2020

Abstract: SQL Injection (SQLI) and Cross-site scripting (XSS) attacks pose serious security
threats and are used to sneak into web applications today. These attacks can lead to a total breach
of the security and privacy of the clients of a particular web site. As web applications become more
prevalent, web security becomes more and more important. The increasing dependence on web
applications has made them a natural target for attackers. Among these attacks, SQL Injection
Attacks (SQLIA) and Cross-site scripting vulnerabilities, abbreviated as XSS, are common
injection web vulnerabilities. A SQL injection attack consists of the insertion or "injection" of a SQL
query via the input data from the client to the application. A successful SQL injection exploit can
read sensitive data from the database and modify database data (Insert/Update/Delete). The
exploitation of XSS vulnerabilities can hijack users' sessions, modify, read and delete business
data of web applications, place malicious code in web applications, and control victims to attack
other targeted servers. This paper review discusses the SQLI-XSS attack, countermeasures,
and how to recover from it, based on several international papers that we have read.
Keywords — SQL Injection (SQLI) Attacks, Cross-site scripting attack, Web security

Introduction: The security of web applications has become increasingly important in the last
decade. More and more web-based enterprise applications deal with sensitive financial and medical
data, which, if compromised, can mean millions of dollars in damages in addition to downtime. It
is crucial to protect these applications from hacker attacks. The survey of the Open Web
Application Security Project (OWASP) states that SQLI and XSS attacks are the ones that are most
widely performed. A SQL injection (SQLI) attack occurs when malicious SQL code is inserted into
the input submitted by a user. Thus SQLI executes if the input is not properly validated. Through
SQLI queries or scripts an attacker can gain unauthorized access to the database, execute queries and then
perform data manipulation operations on the database. For injecting attacks, queries can be dynamically
constructed as part of the input. Apart from the SQL injection attack, the other common attack found
is the XSS attack. This type of exploit targets the HTML output function that sends data to the browser.
The basic idea behind XSS injection is to use special characters which cause web browser
interpreters to switch from data context to code context. These special characters include the
<script> tag, using which the attacker can invoke the JavaScript interpreter. Thus, the attacker can perform
exploits on webpages like web content manipulation, stealing user cookies, etc. The input sources
that are manipulated by the attacker mainly include HTML forms, cookies and outgoing webpages.
These attacks may hamper the security aspects known as CIAA.
2. Body (subtopics being addressed):

I. SQL Injection Types:

1) UNION ATTACK:
By this technique, attackers join an injected query to the safe query with the word UNION and can then get data about other tables from the application. Suppose for our examples that the query executed by the server is the following:

SELECT Name, Phone FROM Users WHERE Id=$id

By injecting the following Id value:

$id = 1 UNION ALL SELECT creditCardNumber, 1 FROM CreditCarTable

we will have the following query:

SELECT Name, Phone FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber, 1 FROM CreditCarTable

which will join the result of the original query with all the credit card users.

2) BLIND INJECTION:
Sometimes developers hide the error details which would help attackers to compromise the database. In this situation the attacker faces a generic page provided by the developer instead of an error message, so the SQLIA is more difficult but not impossible. An attacker can still steal data by asking a series of True/False questions through SQL statements. Consider two possible injections into the login field:

SELECT accounts FROM users WHERE login='doe' and 1=0 -- AND pass = AND pin=0
SELECT accounts FROM users WHERE login='doe' and 1=1 -- AND pass = AND pin=0

If the application is secured, both queries would be unsuccessful because of input validation. But if there is no input validation, the attacker can try his chance. First the attacker submits the first query and receives an error message because of "1=0", so the attacker cannot tell whether the error comes from input validation or from a logical error in the query. Then the attacker submits the second query, which is always true. If there is no login error message, the attacker concludes that the login field is vulnerable to injection.

3) ERROR-BASED ATTACK:
An error-based exploitation technique is useful when the tester for some reason cannot exploit the SQL injection vulnerability using another technique such as UNION. The error-based technique consists in forcing the database to perform some operation whose result will be an error. The point here is to try to extract some data from the database and show it in the error message. This exploitation technique can differ from DBMS to DBMS. Consider the following SQL query:

SELECT * FROM products WHERE id_product=$id_product

Consider also the request to a script that executes the query above:

http://www.example.com/product.php?id=10

The malicious request would be (e.g. Oracle 10g):

http://www.example.com/product.php?id=10||UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )--

In this example, the tester is concatenating the value 10 with the result of the function UTL_INADDR.GET_HOST_NAME. This Oracle function will try to return the host name of the parameter passed to it, which is another query, the name of the user. When the database looks for a host name with the user database name, it will fail and return an error message like:

ORA-292257: host SCOTT unknown

II. The Classification of XSS Vulnerabilities

According to whether untrusted user-supplied data is included in an HTTP response generated by the server or is somewhere in the DOM of HTML pages, XSS vulnerabilities can be divided into server-side vulnerabilities and client-side vulnerabilities. The server-side XSS vulnerability mainly includes reflected XSS and stored XSS. The client-side vulnerability refers to DOM Based XSS.

A. DOM BASED XSS
DOM Based XSS is also known as type-0 XSS. It is caused by unsafe client-side code rather than server-side code. This sort of vulnerability may occur on pages containing JavaScript code such as document.write() or eval(). The attacker creates a link with malicious JS code and sends it to the victim. When the victim clicks on the link, he will get a response without malicious code. The malicious code executes at the client side and the attacker can obtain sensitive information from the victim. The detailed process is as follows and shown in Figure 1.
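The UNION and blind-injection cases from Section I, run against an in-memory SQLite database, with the string-built query beside its parameterized form. This is an added example written for this review, not code from any of the cited papers; the table contents are constructed, and the review's `Users` and `users` tables are merged into one because SQLite table names are case-insensitive.

```python
import sqlite3

def make_db():
    # Constructed sample data; columns are those the review's queries name.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Users (Id INTEGER, Name TEXT, Phone TEXT,
                            login TEXT, pass TEXT, pin INTEGER, accounts TEXT);
        CREATE TABLE CreditCarTable (creditCardNumber TEXT);
        INSERT INTO Users VALUES (1, 'Alice', '555-0100', 'doe', 'secret', 1234, 'acct-42');
        INSERT INTO CreditCarTable VALUES ('4111-CONSTRUCTED-0001');
    """)
    return con

def lookup_unsafe(con, id_value):
    # The review's query with $id interpolated into the SQL text.
    return con.execute(f"SELECT Name, Phone FROM Users WHERE Id={id_value}").fetchall()

def lookup_safe(con, id_value):
    # Hardened form: the value is bound as data and never parsed as SQL.
    return con.execute("SELECT Name, Phone FROM Users WHERE Id=?", (id_value,)).fetchall()

def login_unsafe(con, login, pw, pin):
    # The review's login query with the login field interpolated.
    sql = f"SELECT accounts FROM Users WHERE login='{login}' AND pass='{pw}' AND pin={pin}"
    return con.execute(sql).fetchall()

def login_safe(con, login, pw, pin):
    return con.execute(
        "SELECT accounts FROM Users WHERE login=? AND pass=? AND pin=?",
        (login, pw, pin)).fetchall()

def demo():
    con = make_db()
    union = "1 UNION ALL SELECT creditCardNumber, 1 FROM CreditCarTable"
    # The review's two blind probes: a false and a true tautology, rest commented out.
    false_probe, true_probe = "doe' and 1=0 --", "doe' and 1=1 --"
    return {
        # Unsafe: card data rides along with the user row. Safe: no row matches.
        "union_unsafe": lookup_unsafe(con, union),
        "union_safe": lookup_safe(con, union),
        # Unsafe: the two probes give different answers, the signal a blind attack relies on.
        # Safe: both probes behave identically, so nothing is learned.
        "blind_unsafe": (login_unsafe(con, false_probe, "", 0),
                         login_unsafe(con, true_probe, "", 0)),
        "blind_safe": (login_safe(con, false_probe, "", 0),
                       login_safe(con, true_probe, "", 0)),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```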