This research paper analyzes various software injection attacks, including SQL injection and cross-site scripting (XSS), highlighting their methodologies and impact on web application security. It emphasizes the importance of understanding these attacks to raise awareness among developers and security practitioners, while proposing effective countermeasures to enhance software resilience against cyber threats. The study also reviews Dynamic Application Security Testing reports to illustrate the prevalence and techniques of injection attacks across different industries.


Advances in Nonlinear Variational Inequalities

ISSN: 1092-910X
Vol 27 No. 3 (2024)

Web of Threats: A Comprehensive Analysis of Various Injection Attacks on Web Application Software

R Ravinder Singh 1, Mukesh Kumar Gupta 2, Dr. Dipak Raghunath Patil 3, Dr. Sarang Maruti Patil 4
1 Department of Computer Engineering, Suresh Gyan Vihar University, Jaipur, India, [email protected]
2 Professor, Department of Electrical Engineering, Suresh Gyan Vihar University, Jaipur-302017. Email: [email protected], [email protected]
3 Department of Computer Engineering, AVCOE Sangamner, India, [email protected]
4 Department of Computer Engineering, SKN Sinhgad Institute of Technology & Science, Lonavala, India, [email protected]

Article History:
Received: 05-03-2024
Revised: 30-04-2024
Accepted: 25-05-2024

Abstract
With the ever-increasing reliance on software systems for critical functions across various domains, the
threat landscape has evolved to exploit vulnerabilities within these systems. This research paper explores
the clandestine domain of software injection attacks, presenting a comprehensive analysis of their
methodologies and severity. The study begins by providing an in-depth exploration of various software
injection techniques, such as SQL injection, cross-site scripting (XSS), and code injection, etc.,
elucidating the mechanisms through which attackers exploit vulnerabilities to compromise the integrity
and confidentiality of sensitive data. Through a detailed examination of Dynamic Application Security
Testing reports of different websites over the past two years, the paper sheds light on the diverse ways in
which software injection attacks have been employed to compromise systems in different industries. This
research paper provides a holistic understanding of software injection attacks, aiming to raise awareness
among developers, security practitioners, and policymakers about the gravity of this threat. By
elucidating the intricacies of these attacks and proposing effective countermeasures, the paper
contributes to the ongoing efforts to bolster the resilience of software systems against evolving cyber
threats.

Keywords: Cross Site Scripting, SQL Injection, Command Injection, OWASP Top 10.

1. INTRODUCTION
Software injection attacks, encompassing SQL injection [1], cross-site scripting (XSS) [2], and code
injection, exploit vulnerabilities within web applications, enabling malicious actors to compromise
data integrity, confidentiality, and system functionality. This comprehensive examination seeks to
unveil the nuances of each attack type, scrutinizing their modes of operation and the diverse ways in
which they can compromise the security posture of web applications.
1.1 Web Application:
A web application is a program accessible to users via a web browser over a network, usually the
internet. Unlike conventional desktop applications, web applications do not require installation on a
user's device; instead, users can access them through a web browser, ensuring platform independence.
Web applications vary widely in functionality and purpose, ranging from simple tools like email and
online shopping carts to more complex systems like social media platforms and collaborative document
editors. Usually, they're constructed utilizing web development technologies like HTML, CSS, and
JavaScript and often rely on server-side scripting languages like PHP, Python, or Ruby to handle
dynamic content and user interactions.
1.2 Security:
Three fundamental principles, referred to as the CIA triad, form the cornerstone of website security:
Confidentiality, Integrity, and Availability. These principles are fundamental to ensuring a robust and
secure online environment. OWASP [3], the Open Web Application Security Project, is an open-source
project focused on improving the security of software.
Confidentiality safeguards sensitive information, restricting access solely to authorized individuals or
entities. Encryption methods, secure authentication mechanisms, and access controls are employed to
protect user data, financial details, and other private information from unauthorized access.
Integrity: The integrity of data guarantees its accuracy and reliability, preventing any unauthorized
alterations or corruption during transmission or storage. Hash functions, digital signatures, and secure
transmission protocols help maintain data integrity. Regular audits and monitoring mechanisms are also
crucial to detect and address any unauthorized changes to the website's content or code.
Availability: Availability ensures that the website and its services are consistently
accessible to users, with minimal downtime or disruptions. Redundancy measures, load balancing, and
distributed server architectures contribute to high availability. Protection against denial-of-service
(DoS) [4] attacks, regular maintenance, and efficient incident response plans are critical for minimizing
downtime.
Achieving a balance between these three principles is essential for comprehensive website security.
Robust security practices involve employing encryption for data in transit, implementing strong access
controls, regularly updating and patching software, conducting security audits, and having contingency
plans for potential disruptions or breaches. Consistent monitoring and rapid incident response are
essential for upholding the security stance of a website.


Fig 1: Website Security


1.3 Injection Attacks
An injection attack [5] in the context of a website refers to a malicious technique wherein an attacker
inserts or "injects" malicious code or commands into input fields or data streams that a website
processes. These attacks exploit vulnerabilities in the website's code, often allowing the attacker
unauthorized access to the website's database or compromising the security of the site and its users.
Injection attacks pose a substantial threat due to their potential to result in unauthorized access and data
breaches, and the execution of arbitrary code on the web server. Web developers can mitigate these
risks by implementing secure coding practices, validating user inputs, and employing parameterized
queries to prevent SQL injection. Frequent security audits and vigilant monitoring are critical for
identifying and resolving injection vulnerabilities, thereby safeguarding the overall integrity and
security of a website.
1.4 Types of Injection Attacks:
Injection attacks represent a type of cyber-attack wherein dangerous code is injected into a system or
application, frequently exploiting weaknesses in input validation mechanisms. These attacks can target
various types of systems and data. Here are some common types of injection attacks:
1.4.1 SQL Injection
SQL injection is a kind of attack which exploits vulnerabilities within the database of a website by
injecting malicious SQL (Structured Query Language) code into user inputs. This form of attack allows
unauthorized access to a website's database, manipulation of data, and potential compromise of sensitive
information.

Fig 2: SQL Injection


1.4.1.1 Classic SQL Injection:


Malicious SQL code is directly inserted into user inputs, such as form fields or URL parameters, by
attackers. Ex:
Username: admin' OR '1'='1'; --
Password: [anything]
1.4.1.2 Blind SQL Injection:
Attackers exploit vulnerabilities without receiving direct feedback about the results. They infer success
or failure based on the application's behavior. Ex:
SELECT * FROM users WHERE username = 'admin' AND '1'='1';
1.4.1.3 Time-Based Blind SQL Injection:
Comparable to blind SQL injection, this technique relies on the attacker deducing outcomes from delays
observed in the application's response. Ex:
SELECT * FROM users WHERE username = 'administrator' AND IF(1=1, SLEEP(10), 0);
1.4.1.4 Union-Based SQL Injection:
Attackers exploit the UNION SQL operator to merge results from disparate queries, extracting
information from other tables. Ex:
SELECT username, password FROM users WHERE username = 'administrator' UNION SELECT null, table_name FROM information_schema.tables;
1.4.1.5 Error-Based SQL Injection:
Utilizing database-generated error messages to gain insights into the database structure. Ex:
SELECT * FROM users WHERE username = 'administrator' AND 1=CONVERT(int, (SELECT @@version));
1.4.1.6 Out-of-Band SQL Injection:
Exploiting alternative channels (e.g., DNS requests or HTTP requests) to retrieve data from the
database. Ex:
SELECT username FROM users WHERE username = 'admin'; EXEC xp_cmdshell('nslookup example.com');
1.4.1.7 Second-Order SQL Injection:
The initial injection is stored in the database and later executed, potentially by a different user or in a
different context. Ex: Storing the payload in a comment field to be executed later.
To mitigate the risks posed by SQL injection vulnerabilities, it is crucial to utilize parameterized queries,
validate inputs, and regularly audit and update security measures.
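The following added example (not code from the paper) runs the classic payload quoted in 1.4.1.1 against a string-concatenated login query and a parameterized one, and then shows the second-order case from 1.4.1.7, where a safely stored value is later spliced into a new query. The table layout, function names and sample rows are assumptions made for the demonstration, using Python's built-in sqlite3 module.

```python
import sqlite3

PAGE_PAYLOAD = "admin' OR '1'='1'; --"   # the classic payload quoted in 1.4.1.1


def make_db():
    """Constructed demo data. Real systems store salted password hashes;
    plaintext is used here only to keep the queries readable."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT);
        INSERT INTO users (username, password) VALUES
            ('admin', 'correct-horse'), ('alice', 'alice-pw');
    """)
    return db


def login_vulnerable(db, username, password):
    # Input is spliced into the SQL text, so a quote in it rewrites the query.
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    # Placeholders keep the values out of the SQL text entirely.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def save_comment(db, author, body):
    # Safe write: whatever the author field contains is stored as inert data.
    cur = db.execute("INSERT INTO comments (author, body) VALUES (?, ?)",
                     (author, body))
    return cur.lastrowid


def _stored_author(db, comment_id):
    row = db.execute("SELECT author FROM comments WHERE id = ?",
                     (comment_id,)).fetchone()
    return row[0]


def accounts_for_comment_vulnerable(db, comment_id):
    # Second-order flaw: the value is trusted because it came from the
    # database, and is concatenated into a later query.
    author = _stored_author(db, comment_id)
    sql = "SELECT username FROM users WHERE username = '" + author + "'"
    return sorted(row[0] for row in db.execute(sql))


def accounts_for_comment_parameterized(db, comment_id):
    # Stored data is still untrusted data: bind it like any other input.
    author = _stored_author(db, comment_id)
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in db.execute(sql, (author,)))


if __name__ == "__main__":
    db = make_db()
    print("concatenated login :", login_vulnerable(db, PAGE_PAYLOAD, "anything"))
    print("parameterized login:", login_parameterized(db, PAGE_PAYLOAD, "anything"))
    cid = save_comment(db, PAGE_PAYLOAD, "first post")
    print("second-order, concatenated :", accounts_for_comment_vulnerable(db, cid))
    print("second-order, parameterized:", accounts_for_comment_parameterized(db, cid))
```

The second-order case is the one input validation at the entry point tends to miss: the write is safe, and the flaw only appears in the later query that reuses the stored value.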


1.4.2 Cross-Site Scripting (XSS)


Cross-Site Scripting (XSS) is a prevalent security flaw in websites. This type of vulnerability appears
when an attacker injects a malicious script into a webpage that is subsequently viewed by other users.
Typically written in JavaScript, these malicious scripts execute within the user's browser environment,
enabling a range of harmful actions.

Fig 3: Cross Site Scripting


1.4.2.1 Stored XSS (Persistent XSS):
Malicious scripts are frequently stored on the targeted server, often within a database or file. As other
users visit the compromised page, the stored script is retrieved and executed in their web browsers.
Attacker injects a script into a comment on a forum, and all users who view that comment are impacted.
Ex:
<?php
// Vulnerable code:
$username = $_GET['username'];
echo "Welcome, " . $username . "!";
?>
// Attacker's input:
http://example.com/?username=<script>alert('XSS Attack!')</script>
1.4.2.2 Reflected XSS (Non-Persistent XSS):
The inserted script is reflected on a website, but it is not permanently stored. The script is embedded in
a URL or input field, and the victim must interact with a crafted link to trigger the attack. The attacker
dispatches a phishing email embedded with a link housing a malicious script. Should the recipient click
on the link, the script activates within their browser. Ex:
<form action="search.php" method="GET">
<input type="text" name="query">
<input type="submit" value="Search">
</form>
// Vulnerable code in search.php:
<?php
echo "Your search query: " . $_GET['query'];
?>
// Attacker's input:
http://xyz.com/search.php?query=<script>alert('XSS Attack!')</script>
1.4.2.3 DOM-based XSS:
The vulnerability manifests within the Document Object Model (DOM) of a web page, where a
malicious script exploits the DOM to accomplish its goals. Attacker injects a script that modifies the
DOM directly through client-side scripting, leading to unintended consequences.
// Vulnerable JavaScript code:
var url = document.location.href;
var parameter = url.substring(url.indexOf("=") + 1);
document.getElementById("result").innerHTML = parameter;
// Attacker's URL:
http://example.com/vulnerable.html#<script>alert('XSS Attack!')</script>
1.4.2.4 Self-XSS (User-Induced XSS):
Exploits a user's trust by tricking them into executing malicious code in their own browser. An attacker
may convince a user to paste and execute malicious code in the browser's developer console under the
guise of a harmless action.
1.4.2.5 Blind XSS:
Similar to blind SQL injection, attackers don't directly see the results of the injected script but infer
success or failure based on the application's behavior. Attacker injects a script, and the success or failure
is determined by monitoring external factors such as DNS requests or HTTP responses.
1.4.3 Link injection
Link injection, also known as URL injection or hyperlink injection, is an attack where harmful links are
inserted within web pages, applications, or messages with the intention of redirecting users to fraudulent
or harmful websites. This technique exploits vulnerabilities in a website's code or user inputs to
manipulate the hyperlinks presented to users.
In a link injection attack, an attacker strategically places malicious URLs within a legitimate context,
often disguising them to appear trustworthy. Commonly, attackers leverage this method for phishing
campaigns, where unsuspecting users are tricked into clicking on seemingly harmless links that lead to
malicious websites designed to steal sensitive information, distribute malware, or conduct other illicit
activities. Ex:
<?php
// Vulnerable code:
$comment = $_POST['comment'];
// Display the comment without proper sanitization:
echo "<p>" . $comment . "</p>";
?>
// Attacker's input:
<a href="http://evil.com/">Click here for a free gift!</a>
1.4.4 LDAP Injection
LDAP (Lightweight Directory Access Protocol) injection is a kind of attack that exploits vulnerabilities in
applications that interact with LDAP servers. In LDAP, which is commonly used for user authentication
and directory services, attackers manipulate input fields to inject malicious LDAP queries. These
queries can trick the application into revealing sensitive information, bypassing authentication, or even
modifying directory data. A common target is user authentication systems where attackers attempt to
inject crafted queries to gain unauthorized access. To prevent LDAP injection, developers should
implement proper input validation, use parameterized queries, and apply the principle of least privilege.
Regular security audits and awareness about secure coding practices are essential for safeguarding
applications against LDAP injection vulnerabilities. Ex:
import ldap

# Vulnerable code:
user_input = input("Enter your username: ")
password_input = input("Enter your password: ")

# Build the LDAP query using user input (unsafe):
query = f"(&(uid={user_input})(userPassword={password_input}))"

# Connect to the LDAP server:
ldap_connection = ldap.initialize("ldap://localhost:389")

# Perform the search using the vulnerable query:
result = ldap_connection.search_s("dc=example,dc=com", ldap.SCOPE_SUBTREE, query)

# If a result is found, authentication is successful:
if result:
    print("Authentication successful!")
else:
    print("Invalid username or password.")
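The input validation recommended above comes down, for search filters, to escaping the characters that have structural meaning in a filter (RFC 4515). This added example is not from the paper: it builds the same filter as the vulnerable code with and without escaping, and uses a small, simplified reader (`interpret`, a hypothetical helper that understands only simple `(attr=value)` items) to show how the filter's meaning changes. The sample inputs are constructed.

```python
import re

# RFC 4515: these characters must appear as \XX hex escapes inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(user: str, password: str) -> str:
    # Same construction as the vulnerable code above.
    return f"(&(uid={user})(userPassword={password}))"


def build_filter_escaped(user: str, password: str) -> str:
    return (f"(&(uid={escape_filter_value(user)})"
            f"(userPassword={escape_filter_value(password)}))")


_ITEM = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")
_HEX = re.compile(r"\\([0-9a-fA-F]{2})")


def interpret(filter_text: str):
    """Simplified reading of a filter: list of (attribute, match_type, value).

    A bare '*' is a presence test (matches any value), a value containing an
    unescaped '*' is a substring match, anything else is an equality match.
    """
    items = []
    for attr, raw in _ITEM.findall(filter_text):
        if raw == "*":
            kind = "present"
        elif "*" in raw:
            kind = "substring"
        else:
            kind = "equality"
        value = _HEX.sub(lambda m: chr(int(m.group(1), 16)), raw)
        items.append((attr, kind, value))
    return items


if __name__ == "__main__":
    # Constructed inputs: a wildcard, and a legitimate value with parentheses.
    for user, password in [("admin", "*"), ("Smith (Ops)", "pw")]:
        print(repr(user), repr(password))
        print("  unsafe :", interpret(build_filter_unsafe(user, password)))
        print("  escaped:", interpret(build_filter_escaped(user, password)))
```

With python-ldap, `ldap.filter.escape_filter_chars` performs this escaping.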


1.4.5 Host Header Injection


Host Header Injection represents a security vulnerability wherein attackers can manipulate the value of
the Host header in an HTTP request to deceive a web application. The Host header is crucial for a web
server to determine which website or web application should handle the incoming request. When an
attacker can control or influence the Host header, they may exploit this vulnerability for various
purposes.
To mitigate Host Header Injection, developers should validate and sanitize input, use a centralized and
secure method for routing decisions, and configure web servers and application frameworks to reject
requests with unexpected or malicious Host headers. Regular security audits and monitoring are
essential for detecting and addressing such vulnerabilities in web applications. Ex:
<?php
// Retrieve the Host header value from the request:
$host = $_SERVER['HTTP_HOST'];
// Generate a password reset link using the Host header:
$reset_link = "https://" . $host . "/reset-password?token=123456";
// Send the password reset link to the user's email:
mail($user_email, "Password Reset", $reset_link);
?>
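One way to apply the mitigation described above, as an added example that is not part of the paper: the Host header is checked against an allowlist and the reset link is always built from a configured canonical host, never from the request. `ALLOWED_HOSTS`, `CANONICAL_HOST` and the function names are hypothetical, and the token is generated randomly instead of the fixed value used in the PHP snippet.

```python
import re
import secrets

# Assumed deployment configuration (hypothetical values).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
CANONICAL_HOST = "example.com"

# host[:port], lowercase letters, digits, dots and hyphens only.
_HOST_RE = re.compile(r"([a-z0-9.-]+)(?::(\d{1,5}))?")


def validated_host(host_header):
    """Return the normalized host name if it is on the allowlist, else None."""
    if not host_header:
        return None                      # missing or empty header
    match = _HOST_RE.fullmatch(host_header.strip().lower())
    if match is None:
        return None                      # '@', '/', whitespace, etc.
    name = match.group(1).rstrip(".")    # tolerate a trailing root dot
    port = match.group(2)
    if port is not None and port != "443":
        return None                      # only the HTTPS port is expected
    return name if name in ALLOWED_HOSTS else None


def build_reset_link(token):
    # The host comes from configuration, so a forged header cannot
    # change where the e-mailed link points.
    return f"https://{CANONICAL_HOST}/reset-password?token={token}"


def handle_reset_request(headers):
    """Return (status, link). Requests with an unexpected Host are rejected."""
    if validated_host(headers.get("Host")) is None:
        return 400, None
    token = secrets.token_urlsafe(32)    # unpredictable, single-use token
    return 200, build_reset_link(token)


if __name__ == "__main__":
    # Constructed sample headers.
    for host in ["example.com", "Example.com:443", "example.com.",
                 "evil.example.net", "example.com.evil.example.net",
                 "example.com@evil.example.net", "example.com:8443", None]:
        print(repr(host), "->", handle_reset_request({"Host": host})[0])
```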
2. RELATED WORK
Abikoye et al. [6] introduce a novel approach to identifying and thwarting potential threats by
leveraging the Knuth-Morris-Pratt (KMP) string matching algorithm. Specifically, the algorithm is
employed to compare strings input by user against stored patterns of injection strings, enabling the
detection of any malicious code. Implementation is realized through the utilization of the PHP language
in conjunction with the server of Apache XAMPP. To assess the efficacy of the technique, various test
cases encompassing encoded injection, SQLi and XSS attack were conducted. Results demonstrate that
the proposed method effectively identifies and mitigates these threats, recording attack instances in the
database, blocking system access via MAC address, and issuing warning messages. Consequently, the
proposed technique provides better efficacy to detect and prevent SQLi and XSS attacks.
An IPAAS architecture is being introduced to handle SQL injection vulnerability. IPAAS seamlessly
enhances inherently vulnerable web applications by integrating validators that yield substantial and
measurable security enhancements for actual systems. The researcher deployed IPAAS for PHP and
calculated its performance on 5 authentic websites harbouring known SQLi and XSS type weaknesses.
The research denotes that IPAAS could have pre-empted 83% of SQLi and 65% of XSS type
weaknesses without imposing any additional burden on developers. Thus the research elucidates the
prevention of SQL injection vulnerabilities through the ML IPAAS architecture. [7]
Robinson uses a web application firewall to handle the SQLi and XSS weaknesses. The research
introduces the OWASP ModSecurity Core Rule Set as a solution to assist administrators in enhancing
the security of web servers. OWASP functions by actively blocking IP addresses attempting to breach
security rules, monitoring network traffic, and thwarting suspicious external network requests. [8]
Agarwal et al. [9] presented an approach in which a filtering program redirects user input to a proxy server
before it reaches the application server. At the application server, a data cleansing algorithm is triggered
via a sanitization application. This algorithm employs sanitization to examine the user input for any
malicious code. If malicious patterns are detected, the user input request is declined; otherwise, it is
forwarded to the application.
The study aims to enhance website security by effectively mitigating SQL Injection attacks through the
utilization of a proposed Web Application Firewall (WAF). The architecture is specifically crafted for
detecting, monitoring, and thwarting various types of SQLi attacks, encompassing Piggy Backed
Queries, Tautologies, Stored Procedures, Union Queries, and Logically Incorrect Queries. To evaluate
the efficacy of the system, testing is conducted using a widely recognized application for identifying
and validating security vulnerabilities on websites. The findings indicate that the proposed system
significantly enhances website security against SQL Injection attacks. [10]
3. METHODOLOGY
Dynamic Application Security Testing (DAST) is a methodology employed to evaluate the security of
web applications by assessing their behavior in real-time. Unlike static analysis, which examines the
application's source code, DAST interacts with the running application to identify vulnerabilities and
weaknesses. The process involves simulating attacks by sending crafted input to the application and
observing its responses. This approach mimics how attackers exploit vulnerabilities in real-world
scenarios, providing a comprehensive assessment of the application's security posture.
DAST tools typically employ various techniques such as fuzzing, where malformed input is injected to
provoke unexpected behavior, and automated scanning of web application interfaces to identify
common security flaws like injection attacks, XSS, and insecure authentication mechanisms.
Advantages of DAST include its ability to assess the application's security in its operational state,
identifying vulnerabilities that may not be evident in the source code alone. However, DAST may
produce false positives and struggle with certain types of vulnerabilities, requiring supplementary
testing methodologies for comprehensive security assessment.

Fig 4: DAST Methodology


Fig 4 describes the DAST methodology: the tester employs a DAST tool to scrutinize the security
posture of a web application comprehensively. The process initiates with the DAST tool spidering
through the web application, systematically traversing its pages and functionalities. As the spidering
progresses, the tool injects various inputs, simulating potential attack vectors to uncover vulnerabilities.
Subsequently, the response analyzer component meticulously inspects the application's reactions to
these inputs, discerning anomalies and potential security weaknesses. Based on predefined policies and
heuristic analysis, the tool categorizes detected vulnerabilities according to their severity. Finally, the
DAST tool compiles detailed reports summarizing the findings, complete with actionable insights and
recommendations for remediation, empowering developers and security teams to fortify the web
application against potential threats.
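The injection and response-analysis steps described above can be shown in miniature with the reflected XSS case from section 1.4.2.2. This is an added example, not the paper's tooling or any DAST product's logic: two constructed Python handlers stand in for the vulnerable `search.php` and an output-encoded version of it, the `TARGETS` dictionary stands in for the spider's output, and the severity policy is an assumption. Everything runs locally with no network access.

```python
import html
import secrets
from urllib.parse import parse_qs, urlencode


def search_vulnerable(query_string):
    # Mirrors the vulnerable search.php: the parameter is echoed as-is.
    query = parse_qs(query_string).get("query", [""])[0]
    return "<html><body>Your search query: " + query + "</body></html>"


def search_encoded(query_string):
    # Same page with output encoding applied at the point of use.
    query = parse_qs(query_string).get("query", [""])[0]
    return ("<html><body>Your search query: "
            + html.escape(query, quote=True) + "</body></html>")


# Stand-in for the spider's result: discovered handlers and their parameters.
TARGETS = {
    "search_vulnerable": (search_vulnerable, ["query"]),
    "search_encoded": (search_encoded, ["query"]),
}

# Assumed policy mapping an observation to a report severity.
POLICY = {
    "reflected-unencoded": "High",
    "reflected-encoded": "Informational",
    "not-reflected": None,
}


def probe_reflection(handler, param):
    """Inject a unique, inert marker wrapped in HTML metacharacters and
    classify how the response reflects it."""
    marker = "dast" + secrets.token_hex(4)
    probe = f"<{marker} a=\"'>"
    body = handler(urlencode({param: probe}))
    if probe in body:
        return "reflected-unencoded"   # metacharacters survived: a finding
    if marker in body:
        return "reflected-encoded"     # reflected, but neutralized
    return "not-reflected"


def scan(targets):
    """Run the probe over every discovered parameter and build a report."""
    report = []
    for name, (handler, params) in targets.items():
        for param in params:
            observation = probe_reflection(handler, param)
            report.append({"target": name, "param": param,
                           "observation": observation,
                           "severity": POLICY[observation]})
    return report


if __name__ == "__main__":
    for finding in scan(TARGETS):
        print(finding)
```

The probe carries no script, only a random marker inside the characters an encoder must neutralize, which is enough to tell an encoded reflection from an unencoded one.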
We are currently scrutinizing the DAST reports generated by HCL AppScan from the past two years,
focusing particularly on the injection vulnerabilities prevalent in the current timeframe. This analysis
entails a thorough examination of the historical data to identify patterns and trends in vulnerability
occurrences over time. By delving into the reports spanning the preceding years, we aim to gain valuable
insights into the evolution and persistence of injection vulnerabilities within our systems. This
retrospective analysis serves as a foundation for understanding the changing landscape of security
threats and vulnerabilities affecting our web applications. Furthermore, it enables us to assess the
effectiveness of past mitigation efforts and determine areas that require additional attention or
reinforcement. Through this ongoing review process, we strive to enhance our proactive measures for
identifying and addressing injection vulnerabilities, thereby bolstering the overall security posture of
our applications.
4. RESULTS AND DISCUSSION
This paper conducts a thorough investigation, delving into the identification of vulnerabilities, their
respective severity levels, and proposed remediation strategies for 12 distinct user logins. Emphasizing
the examination of various injection vulnerabilities, the research aims to shed light on the types of
injection-related vulnerabilities prevalent in web applications, along with assessing the severity of their
impact on web application security. The CVSS score is computed by assessing base, temporal, and
environmental metrics of vulnerabilities detected during web application scans.
Base metrics evaluate intrinsic vulnerability qualities like attack vector and impact. Temporal metrics
consider factors such as exploit availability and remediation level. Environmental metrics account for
unique system circumstances.

These metrics are then algorithmically combined to derive a CVSS score, which typically falls within the range
of 0 to 10, where higher scores signify increased severity. This score aids users in prioritizing and
addressing security issues, though human validation is often necessary for accurate assessment. As per
the National Vulnerability Database (NVD) of the National Institute of Standards and Technology (NIST)
website, the CVSS Version 3.0 ratings are as follows:
| Vulnerability Severity | CVSS Score |
|---|---|
| None | 0.0 |
| Low | 0.1-3.9 |
| Medium | 4.0-6.9 |
| High | 7.0-8.9 |
| Critical | 9.0-10.0 |

Table 1: CVSS Score Vs Vulnerability Severity
A high vulnerability has been identified in the system, compromising its security integrity. This flaw
poses a significant risk, potentially allowing unauthorized access, data breaches, or system
manipulation. Immediate attention and remediation are imperative to mitigate potential damages.
Failure to address this vulnerability promptly could result in significant repercussions, such as financial
ramifications, damage of reputational image, and penalties by regulatory bodies. Swift action must be
taken to patch the vulnerability, bolstering defences and safeguarding sensitive assets against
exploitation. Regular vulnerability assessments and robust security protocols are crucial to prevent
similar vulnerabilities from arising and ensure ongoing protection against evolving threats. Our analysis
has revealed a total of 156 issues concerning Blind Remote Command Execution through Bash,
constituting approximately 35% of all identified issues. Additionally, we detected 52 instances of
Reflected Cross-Site Scripting, accounting for 18% of the total issues, and 25 cases of Link Injection,
representing 6% of the total issues uncovered.
Similarly, a medium vulnerability has been detected within the system, indicating a moderate level of
risk to its security posture. While not as critical as high-severity issues, this vulnerability still demands
prompt attention and remediation efforts to prevent potential exploitation. Failure to address it
adequately could lead to unauthorized access, data exposure, or service disruptions. Timely patching
and implementation of security measures are essential to mitigate the risk associated with this
vulnerability. Additionally, ongoing monitoring and proactive security measures are necessary to
prevent similar vulnerabilities from emerging and to maintain a resilient security posture in the face of
evolving threats. In our assessment, we have identified Host Header Injection and Blind Xpath Injection
as medium-level vulnerabilities. Specifically, we've noted 107 cases of Host Header Injection and 5
instances of Blind Xpath Injection. These figures represent 24% and 1% of the total vulnerabilities
identified, respectively.
A low vulnerability has been identified within the system, signalling a minimal risk to its overall
security. Although less critical than higher-severity issues, it still necessitates attention and remediation
to maintain a robust security posture. While the potential impact may be limited, neglecting to address
this vulnerability could leave the system susceptible to exploitation or compromise over time.
Therefore, timely mitigation measures, such as applying patches or configuration adjustments, are
recommended to reduce the risk further. Consistent monitoring and proactive maintenance help ensure
that even low-severity vulnerabilities are addressed promptly, fortifying the system against potential
threats and vulnerabilities. Our analysis reveals a concerning absence of low vulnerability, indicating
the severity of injection attacks. It is imperative that we treat these attacks with the utmost seriousness
and take proactive measures to address them effectively.
The following table outlines the severity levels of Injection vulnerabilities affecting the website,
distinguishing between those with significant impact and those with lesser impact.
| Vulnerability | CVSS Score |
|---|---|
| Blind MongoDB NoSQL Injection | 10 |
| Blind Remote Command Execution through Bash | 10 |
| Blind SQL Injection (Time Based) | 10 |
| Blind Parameter System Call Code Injection | 10 |
| SMTP MX Injection | 10 |
| Server-Side JavaScript Denial of Service | 10 |
| Blind SQL Injection | 9.7 |
| SQL Injection | 9.7 |
| Reflected XSS | 9.4 |
| Stored XSS | 9.4 |
| Blind LDAP Injection | 9 |
| Link Injection (facilitates Cross-Site Request Forgery) | 8.9 |
| Microsoft Windows MHTML Cross-Site Scripting | 8.4 |
| Cross-Site Scripting | 7.5 |
| Blind Xpath Injection | 6.4 |
| Host Header Injection | 5 |

Table 2: Injection Vulnerabilities with CVSS score
5. CONCLUSION
A thorough examination of various injection attacks targeting web application software is provided in
this research. Through an extensive analysis of different types of injection attacks such as Command
Injection, SQLi and XSS, we have highlighted their potential risks and consequences for web
applications. By identifying common injection attack vectors, techniques, and severity, this study offers
valuable insights for developers, security professionals, and organizations striving to bolster the
security stance of their web applications. It emphasizes the significance of implementing strong security
protocols, such as input validation, parameterized queries, and output encoding, to effectively reduce
the risks posed by injection attacks.
Moreover, this research emphasizes the significance of continuous monitoring, security testing, and
keeping current with the newest security patches and implementing best practices for defense against
evolving injection attack techniques. By understanding the underlying mechanisms of injection attacks
and implementing proactive security measures, organizations can significantly reduce the likelihood of
successful exploitation, safeguard sensitive data, and preserve the integrity and availability of their web
applications in today's increasingly hostile digital landscape.
REFERENCES
[1] Vugar Abdullaye, Dr. Alok Singh Chauhan, SQL Injection Attack: Quick View, Mesopotamian journal of
Cybersecurity Vol.2023, pp. 30–34
[2] Priyanshi Panwar, Himani Mishra, Ritambhara Patidar, An Analysis of the Prevention and Detection of Cross Site
Scripting Attack, International Journal of Emerging Trends in Engineering Research, Volume 11, No.1, January 2023
[3] OWASP: Available at https://owasp.org/www-project-top-ten. OWASP Top Ten Project, 2021
[4] Sura Abdulmunem Mohammed Al-Juboori, Firas Hazzaa, Zinah Sattar Jabbar, Sinan Salih, Hassan Muwafaq Gheni,
Man-in-the-middle and denial of service attacks detection using machine learning algorithms, Bulletin of Electrical
Engineering and Informatics Vol. 12, No. 1, February 2023
[5] Santiago Ibarra-Fiallos, Javier Bermejo Higuera, Monserrate Intriago-Pazmiño, Juan Ramón Bermejo Higuera, Juan
Antonio Sicilia Montalvo, and Javier Cubo, Effective Filter for Common Injection Attacks in Online Web
Applications, IEEE Access, Special Section on Emerging Approaches to Cyber Security, January 2021
[6] Oluwakemi Christiana Abikoye, Abdullahi Abubakar, Ahmed Haruna Dokoro, Oluwatobi Noah Akande and
Aderonke Anthonia Kayode, “A novel technique to prevent SQL injection and cross-site scripting attacks using
Knuth-Morris-Pratt string match algorithm” EURASIP Journal on Information Security (2020) 2020:14
[7] Vivek Thoutam, SQL Injection Vulnerabilities Prevention through ML IPAAS Architecture, International Journal of
Novel Research and Development (IJNRD), Volume 7, Issue 3 March 2022, ISSN: 2456-4184
[8] Robinson, Memen Akbar, Muhammad Arif Fadhly Ridha, SQL Injection and Cross Site Scripting Prevention Using
OWASP web Application Firewall, International Journal On Informatics Visualization, Vol 2 (2018) No 4
[9] Raj Agarwal, Sumedha Sirsikar, An Efficient Technique for finding SQL Injection using Reverse Proxy Server,
International Research Journal of Engineering and Technology (IRJET), Volume: 06 Issue: 09, Sep 2019
[10] Jeklin Harefa, Gredion Prajena, Alexander, Abdillah Muhamad, Edmundus Valin Setia Dewa, Sena Yuliandry, SEA
WAF: The Prevention of SQL Injection Attacks on Web Applications, Advances in Science, Technology and
Engineering Systems Journal Vol. 6, No. 2, 405-411 (2021)

https://internationalpubls.com
