
2023 International Conference on Research Methodologies in Knowledge Management, Artificial Intelligence and Telecommunication Engineering (RMKMATE) | 979-8-3503-0570-8/23/$31.00 ©2023 IEEE | DOI: 10.1109/RMKMATE59243.2023.10368777

Detection and Analysis of Port Scanning and SQL Injection Vulnerabilities with Correlating Factors in Web Applications to Enhance Secure Data Transmission

A Sheik Abdullah, School of Computer Science and Engineering, Vellore Institute of Technology, Chennai, Chennai, Tamil Nadu, India, aa.sheikabdullah@gmail.com
Aravind Shankar R, School of Computer Science and Engineering, Vellore Institute of Technology, Chennai, Chennai, Tamil Nadu, India, aravindshankar.r2021@vitstudent.ac.in
Pratiksha Mohapatra, School of Computer Science and Engineering, Vellore Institute of Technology, Chennai, Singrauli, Madhya Pradesh, India, pratiksha.mohapatra2021@vitstudent.ac.in

ABSTRACT - The increasing use of web applications has led to a rise in vulnerabilities, with SQL injection being one of the most prevalent and harmful attacks. Attackers exploit flaws in how web applications handle user input to manipulate database queries and gain unauthorized access to sensitive data or perform destructive actions. This article explores how SQL injection attacks work and highlights the role of port scanning in such attacks. By understanding the causes and mechanisms behind SQL injection, we can better appreciate the importance of proper input validation and parameter handling in securing web applications. The study shows that an attack on a web application vulnerable to SQL injection can begin with port scanning to identify open or closed ports, such as MySQL's default port 3306; injecting malicious SQL into user input fields can then alter database queries and compromise the application's security. SQL injection remains a significant threat to web applications because of poor input validation and inadequate handling of parameters in SQL queries. Proper security measures, such as input validation and parameterized queries, are crucial to mitigate the risk of SQL injection attacks and enhance overall application security.

Keywords - SQL injection attacks, Web security, Port Scanning, Vulnerabilities, Web Applications, Data Analysis

I. INTRODUCTION

SQL injection is one of the most common attacks on a system. Understanding and remediating SQL injection vulnerabilities is critical to the security and integrity of web applications. By implementing proactive measures and being vigilant with continuous security testing, developers and organizations can effectively protect themselves against this pervasive security threat [1].

Web application security is a major concern, especially considering SQL injection vulnerabilities (one of the most common attacks on a web application), which can allow unauthorized access to and alteration of sensitive data. Techniques such as port scanning are frequently used to look for open ports on target systems and so find potential attack vectors. The relationship between port scanning methods and the existence of SQL injection vulnerabilities in online applications has not, however, been sufficiently investigated [2]. This study intends to close this knowledge gap between port scanning and SQL injection flaws and offer insights into both in online applications, thereby helping in the development of better and more secure web applications.

II. LITERATURE SURVEY

The engagement of users in critical online transactions has opened up opportunities for attackers to manipulate and counterfeit transaction data. Among the commonly employed methods for web attacks, SQL injection stands out as a prevalent approach used by attackers to illicitly acquire sensitive information from organizations [1].

When user inputs are treated as separate lexical elements, their lack of proper sanitization can lead the web application to produce unintended results. This situation is referred to as a command injection attack, a significant hazard to the security of web applications [2]. An SQL Injection Attack (SQLIA) occurs when an unauthorized person alters the intended result of an SQL query by adding extra SQL keywords or operators to the query.

Injection through user input: In this scenario, the attacker injects SQL commands by manipulating the user input they provide. In the majority of SQLIAs that target web applications, the input provided by users comes from form submissions. These inputs are transmitted to the web site through HTTP GET or POST requests [3].

Injection through cookies: Cookies are information-containing files generated by web applications and stored on the user's device to retain specific state details. If a web application uses the data from cookies to build SQL queries, there is a potential security weakness that attackers can take advantage of by inserting harmful code directly into the cookie [4].

Authorized licensed use limited to: University of the West of England. Downloaded on March 12,2024 at 10:58:40 UTC from IEEE Xplore. Restrictions apply.

Injection through server variables: Server variables are a collection of elements encompassing HTTP, network headers, and
environment-related specifics. These variables are used by web applications for various purposes, such as recording usage metrics and recognizing browsing trends. However, if these variables are stored in a database without appropriate sanitization, the result is a susceptibility to SQL injection [5].

Various forms of SQL injection attack exist, differentiated by the attacker's intent, objectives, or distinctive traits [6]. Grouped by intent, an attack may aim at:

1. Identifying vulnerable input fields
2. Recognizing the database system
3. Analysing the database system
4. Modifying data
5. Carrying out Denial-of-Service attacks, and more.

Strategies to prevent and mitigate SQL injection vulnerabilities include implementing secure coding practices such as input validation, parameterized queries, and proper sanitization of user input. The proposed methodology is given in Figure 1.

The purpose of port scanning is to identify open ports on a system, which attackers can leverage to carry out different attacks and exploits. Many tools are designed for uncovering open ports, whereas the options for identifying attempts at port scanning are more restricted [6].

Certain perspectives consider port scanning not as a network intrusion but as a technique used to discover potential vulnerabilities within a system [7].

There are four types of port scanning:

1. TCP Connect Scan: This method attempts to create a complete TCP connection with each port of the target system. A successful connection implies an open port.
2. SYN/Stealth Scan: Often known as a half-open scan, this method sends SYN packets to the target's ports. If a SYN/ACK response is received, the port is open; the scanner then answers with a RST rather than completing the TCP handshake. Because no full connection is ever established, the probe is less likely to be logged by the application, which is the goal of this scan.
3. Idle Scan: This method performs the port scan through an intermediary, generally an idle "zombie" host, and infers each port's state from changes in the zombie's IP ID sequence. Because the probes appear to come from the zombie, the attacker avoids detection and traceability and can also map the trust relationship between the zombie host and the victim.
4. UDP Scan: Unlike a TCP scan, this scan is connectionless. It sends UDP packets to the ports to analyse their status. A closed UDP port usually answers with an ICMP port-unreachable message, while an open port may not answer at all, which makes UDP results slower to obtain and harder to interpret.

Differentiating between harmful and legitimate port scanning can be a complex task. A port scan may signify either an attacker's effort to explore vulnerabilities or a precautionary step taken by network administrators to evaluate network security [8,9,10].

III. IMPLEMENTATION FOR PORT SCANNING

Port scanning is an information-gathering attack which finds out which ports are open on other devices. We use the Metasploit framework for this implementation because it ships with built-in port scanner modules. Nmap is used first to scan for open ports in the subnet (it can also be run from the Metasploit console as db_nmap, which imports the results into Metasploit's database):

nmap -v -sV 192.168.1.0/24 -oA subnet_1

Here -v enables verbose output, -sV probes each open port for service and version information, and -oA saves the results in all three Nmap output formats (normal, XML and grepable) under the base name subnet_1. With no explicit scan-type flag, Nmap performs a SYN scan when run with raw-socket (root) privileges and falls back to a TCP connect scan otherwise, so the scan above is a SYN scan. A SYN scan has three outcomes for each port:

1. SYN/ACK received: the port is open
2. RST (reset) received: the port is closed
3. No response (or an ICMP unreachable error): the port is filtered, typically by a firewall

This method is used here because it is faster and stealthier. We then use the SYN module from Metasploit's auxiliary scanners to find the open ports:

1. use auxiliary/scanner/portscan/syn
2. set INTERFACE eth0
3. set PORTS 21
4. set RHOSTS 192.168.1.0/24
5. set THREADS 50
6. run

This lists the open ports on the IP addresses in the range. Note that PORTS 21 restricts the probe to the FTP port; PORTS accepts a list or range, so 3306 would be set here to look for the MySQL port discussed in Section V. The TCP connect scanner module is used in the same way:

1. use auxiliary/scanner/portscan/tcp
2. set RHOSTS 192.168.56.1
3. run

For the implementation of the injection attack, we use two deliberately vulnerable targets: the PortSwigger Web Security Academy labs and OWASP Juice Shop (an SQLi testing website).

IV. IMPACT OF A SUCCESSFUL INJECTION ATTACK

An SQL injection attack, if executed successfully, can result in unauthorised access to sensitive data, including passwords, credit card numbers, and personal user information. In recent years, a considerable number of well-recognised data breaches have been attributed to SQL injection attacks, leading to detrimental consequences such as damage to reputation and financial penalties imposed by regulatory bodies. Furthermore, malicious actors may use the injection point as a concealed entry point into an organisation's information systems.

DETECTION OF SQLi MANUALLY

1. Submitting a single quotation character ' and observing for errors or irregularities.
2. Submitting SQL-specific syntax that evaluates to the original input value and, separately, to a different value, and scrutinizing the application's responses for systematic differences.
3. Submitting Boolean conditions such as OR 1=1 and OR 1=2 as inputs, and looking for differences in the application's responses.
4. Sending payloads designed to introduce delays during SQL query execution, and comparing response times to detect any variations.

Figure 2 and Figure 3 show the home page before and after the attack. For example, consider a shopping website with the URL:

https://shopping-website.com/products?items=Blenders

On the server this URL becomes the query

SELECT * FROM equipment WHERE items = 'Blenders' AND hidden = 0

(Here the condition hidden = 0 differentiates the retrieved products from the hidden products.)

There are different types of SQLi attack. One variant appends a closing quote and a comment sequence to the parameter:

https://shopping-website.com/products?items=Blenders'--

This is processed as:

SELECT * FROM equipment WHERE items = 'Blenders'--' AND hidden = 0

Since -- starts a comment in SQL, the hidden = 0 condition is commented out, and all products in the category are retrieved, hidden ones included. In this way, an attacker can retrieve the hidden products as well.

LOGIN BREACH:

This is another common type of breach, in which an attacker logs in using the SQL comment sequence --. A legitimate user logs in with their credentials, producing the SQL query

SELECT * FROM users WHERE user = 'Aravind' AND pass = 'Pratiksha'

An attacker can instead supply the username admin'-- with any password, which produces a query that bypasses the password check:

SELECT * FROM users WHERE user = 'admin'--' AND pass = ''

Fig 1: Proposed Methodology of research

V. EXPERIMENTAL RESULTS

The target is an online shopping website which initially shows 12 products. We mount the attack by appending the string '+OR+1=1-- to the URL parameter. Here the plus sign is the URL encoding of a space, so the server receives ' OR 1=1--; OR 1=1 is a Boolean expression which always evaluates to true, and the double hyphen starts an SQL comment. When this URL is requested, the condition which hides products is commented out and the category condition is OR-ed with an always-true condition. Hence we get access to 8 more products.

Fig 2: The home page before the attack

Fig 3: The home page after the attack

Here, we can bypass the password condition by adding a comment sequence to the username. Because the input is not validated and is inserted directly into the query, the password check is skipped. The username for the admin login is administrator, so the payload is administrator'--. Figure 4 shows the My Account page.

Fig 4: My Account page

As we can see, we have logged in to the admin account and are able to modify the account's email details.
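The hidden-product and login queries above, reproduced as an added example (not code from the paper) with Python's sqlite3 module on an in-memory database. The table and column names follow the paper's queries; the product rows and the credentials are constructed for illustration, and SQLite stands in for the MySQL server the paper targets. Each string-concatenated query is shown beside its parameterized form, and items_from_query() shows why the + in the URL payload arrives at the database as a space.

```python
import sqlite3
from urllib.parse import parse_qs


def build_db():
    """In-memory database with constructed rows; names follow the paper's queries."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE equipment (name TEXT, items TEXT, hidden INTEGER);
        INSERT INTO equipment VALUES
            ('Blender A', 'Blenders', 0),
            ('Blender B', 'Blenders', 0),
            ('Blender C (unreleased)', 'Blenders', 1),
            ('Kettle', 'Kettles', 0),
            ('Toaster (unreleased)', 'Toasters', 1);
        CREATE TABLE users (user TEXT, pass TEXT);
        INSERT INTO users VALUES ('administrator', 's3cret'), ('Aravind', 'Pratiksha');
    """)
    return db


def items_from_query(query_string):
    """Decode the 'items' parameter the way a web server does ('+' becomes a space)."""
    return parse_qs(query_string)["items"][0]


def products_vulnerable(db, items):
    # String concatenation, as in SELECT ... WHERE items = '...' AND hidden = 0:
    # a quote in `items` ends the literal and -- comments out the hidden = 0 filter.
    sql = f"SELECT name FROM equipment WHERE items = '{items}' AND hidden = 0"
    return [row[0] for row in db.execute(sql)]


def products_safe(db, items):
    # Parameterized: the driver binds the value, so quotes and -- stay inside the string.
    sql = "SELECT name FROM equipment WHERE items = ? AND hidden = 0"
    return [row[0] for row in db.execute(sql, (items,))]


def login_vulnerable(db, user, password):
    # The paper's login breach: user = "administrator'--" comments out the pass check.
    sql = f"SELECT user FROM users WHERE user = '{user}' AND pass = '{password}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, user, password):
    sql = "SELECT user FROM users WHERE user = ? AND pass = ?"
    row = db.execute(sql, (user, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    for qs in ("items=Blenders", "items=Blenders'--", "items=Blenders'+OR+1=1--"):
        items = items_from_query(qs)
        print(f"{qs!r:30} vulnerable={products_vulnerable(db, items)}  safe={products_safe(db, items)}")
    print("login as administrator'-- : vulnerable =", login_vulnerable(db, "administrator'--", "wrong"),
          "| safe =", login_safe(db, "administrator'--", "wrong"))
```

The parameterized versions return nothing for the injected inputs because the whole string, quote and comment included, is compared against the column value. One caveat when moving the payloads to MySQL: its -- comment style only takes effect when followed by whitespace, so the payload is typically written with a trailing space (or with #), whereas SQLite accepts -- directly after the quote as shown here.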

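Section II notes that tools for spotting scan attempts are scarcer than tools for scanning, and Section III lists the three outcomes a SYN scan can see. The following added example (not from the paper) is a simple threshold detector over connection-attempt records of the kind a sensor or flow log would provide: a source that probes many distinct (host, port) targets within a short window is flagged as a scanner, and the mix of open, closed and filtered answers it received is summarized. The record format, the sample records and the window and threshold values are all assumptions for illustration.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class Attempt(NamedTuple):
    ts: int      # epoch seconds
    src: str
    dst: str
    dport: int
    reply: str   # SYNACK (open), RST (closed) or NONE (filtered): the Section III outcomes


# Constructed sample records (not traffic captured in the paper's lab). 192.168.1.50
# sweeps 192.168.1.10 the way the SYN scan in Section III would; 192.168.1.20 is an
# ordinary client reconnecting to port 80; 192.168.1.30 touches three ports slowly.
SAMPLE_RECORDS = """\
1700000000 192.168.1.50 192.168.1.10 21 RST
1700000000 192.168.1.50 192.168.1.10 22 SYNACK
1700000000 192.168.1.50 192.168.1.10 23 RST
1700000001 192.168.1.50 192.168.1.10 25 RST
1700000001 192.168.1.50 192.168.1.10 53 RST
1700000001 192.168.1.50 192.168.1.10 80 SYNACK
1700000002 192.168.1.50 192.168.1.10 110 RST
1700000002 192.168.1.50 192.168.1.10 443 RST
1700000002 192.168.1.50 192.168.1.10 3306 NONE
1700000003 192.168.1.50 192.168.1.10 8080 RST
1700000000 192.168.1.20 192.168.1.10 80 SYNACK
1700000005 192.168.1.20 192.168.1.10 80 SYNACK
1700000009 192.168.1.20 192.168.1.10 80 SYNACK
1700000010 192.168.1.30 192.168.1.10 22 SYNACK
1700000040 192.168.1.30 192.168.1.10 80 SYNACK
1700000070 192.168.1.30 192.168.1.10 443 RST
"""


def parse_records(text):
    """Parse one 'ts src dst dport reply' record per line; blank lines are ignored."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, reply = line.split()
        records.append(Attempt(int(ts), src, dst, int(dport), reply))
    return records


def detect_scanners(records, window=10, threshold=8):
    """Flag every source that probes at least `threshold` distinct (host, port)
    targets inside some `window`-second interval. A client that retries one
    service never accumulates distinct targets, so it stays below threshold."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r.src].append(r)

    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort(key=lambda a: a.ts)
        in_window = Counter()   # distinct targets currently inside the sliding window
        start = 0
        for end, a in enumerate(attempts):
            in_window[(a.dst, a.dport)] += 1
            # Advance the window start until the window spans at most `window` seconds.
            while a.ts - attempts[start].ts > window:
                old = (attempts[start].dst, attempts[start].dport)
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                seen = attempts[start:end + 1]
                alerts[src] = {
                    "targets": len(in_window),
                    "open": sorted({x.dport for x in seen if x.reply == "SYNACK"}),
                    "closed_or_filtered": sum(1 for x in seen if x.reply != "SYNACK"),
                }
    return alerts


if __name__ == "__main__":
    for src, info in detect_scanners(parse_records(SAMPLE_RECORDS)).items():
        print(f"scan from {src}: {info}")
```

With the defaults, only 192.168.1.50 is reported (10 targets in 3 seconds, 2 open, 8 closed or filtered). A slow sweep such as 192.168.1.30's evades a short window, which is why widening the window (for example window=120, threshold=3) catches it at the cost of more false positives; the ratio of closed-or-filtered answers is a useful second signal, since legitimate clients rarely collect RSTs.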
When we run the Nmap command above, we find the open ports in this subnet. This tells us which ports can be reached. MySQL listens on port 3306 by default, so if that port is open, a payload can be created against the database service listening on it to gain user access into the organization:

nmap -v -sV 192.168.1.0/24 -oA subnet_1

Fig 5: Execution mode

Next, we run a SYN scan using one of the auxiliary modules. This gives us the TCP ports that are open and narrows down the attack surface we need to probe.

Fig 6: Connection establishment

VI. CONCLUSION

This section summarizes the paper's main results and insights. It emphasizes how crucial it is for cybersecurity practice to address SQL injection and port scanning. To reduce the risks brought on by these vulnerabilities, organizations need to establish strong security measures, such as secure coding practices, input validation, and network monitoring. Continual training and awareness campaigns are also valuable in keeping system administrators and developers alert to new hazards.

This research paper delves into the real-world use of SQL injection and port scanning techniques, demonstrating how an attacker can employ these methods against a website. The execution and connection establishment are depicted in Figure 5 and Figure 6.

This research paper aims to provide a deeper understanding of how this attack occurs and serves as a guide for implementing SQL injection and port scanning security measures. Based on the findings of a survey covering a global sample of 300,000 attacks occurring within a specific month, about 24.6% of these attacks were attributed to SQL injection. The 2014 Global Threat Intelligence Report published by NTT Corporation highlighted a harsh reality: the mean post-incident cost of a small-scale SQL injection attack suffered by an organisation typically exceeds $196,000 (over 1.2 million yuan) [9].

SQL injection attacks will not stop in a short period of time; they will continue to exist throughout the development cycle of computer technology.

Therefore, establishing a thorough defense plan to counter web application attacks, with specific emphasis on thwarting SQL injection, is of paramount importance as a fundamental security precaution. This effort plays a central role in protecting both corporate data and the personal details of users.

This article focuses on the basic implementation [10]. Researchers can build upon it by focusing on more advanced methods and algorithms for detecting and preventing SQL injection. One such direction is a machine learning or neural network model, which has good scope in the detection of SQL injection.

There is a strong need for automated assessment of web security and network infrastructure to prevent SQL vulnerabilities.

Future work can focus on promoting secure coding practices and providing comprehensive training for developers to prevent SQL injection. This can include the development of guidelines, best practices, and secure coding frameworks that incorporate mechanisms to prevent injection vulnerabilities from occurring in the first place.

Research can also investigate the integration of SQL injection and port scanning detection mechanisms with Security Operation Centres (SOCs).

REFERENCES

[1] S. Kini, A. P. Patil, M. Pooja, and A. Bala Subramanyam, "SQL Injection Detection and Prevention using Aho-Corasick Pattern Matching Algorithm," 2022 3rd International Conference for Emerging Technology (INCET), Belgaum, India, 2022, pp. 1-6, doi: 10.1109/INCET54531.2022.9825040.

[2] Z. Su and G. Wassermann, "The Essence of Command Injection Attacks in Web Applications," in The 33rd Annual Symposium on Principles of Programming Languages (POPL 2006), Jan. 2006.

[3] W. G. Halfond, J. Viegas, and A. Orso, "A classification of SQL-injection attacks and countermeasures," in Proceedings of the IEEE International Symposium on Secure Software Engineering, vol. 1, pp. 13-15, IEEE, 2006.

[4] The Microsoft Developer Network, "Request.ServerVariables collection," Technical report, Microsoft Corporation, 2005.

[5] J. Gadge and A. A. Patil, "Port scan detection," 2008 16th IEEE International Conference on Networks, New Delhi, India, 2008, pp. 1-6, doi: 10.1109/ICON.2008.4772622.
[6] U. Kanlayasiri, "A Rule-based Approach for Port Scanning Detection," Electrical and Electronic Engineering Conference (EECON-23), Thailand, pp. 148-153, 2000.

[7] M. H. Bhuyan et al., "Surveying Port Scans and Their Detection Methodologies," The Computer Journal, vol. 54, no. 10, pp. 1565-1581, Oct. 2011.

[8] P. Tang, W. Qiu, Z. Huang, H. Lian, and G. Liu, "Detection of SQL injection based on artificial neural network," Knowledge-Based Systems, vol. 190, 105528, 2020, ISSN 0950-7051, https://doi.org/10.1016/j.knosys.2020.105528.

[9] S. Neelakandan, "An automated exploring and learning model for data prediction using balanced CA-SVM," Journal of Ambient Intelligence and Humanized Computing (Springer), vol. 12, no. 5, pp. 4979-4990, 2019, doi: 10.1007/s12652-020-01937-9.

[10] S. Ancy, "Handling Imbalanced Data With Concept Drift By Applying Dynamic Sampling And Ensemble Classification Model," Computer Communications, vol. 153, pp. 553-560, 2020.