Design and implementation of a protection system against the SQL injection attack on a vulnerable server using Open Access tools.
Abstract
Currently, there is a substantial increase in the use of telecommunications and in the investment organizations make in technology, together with the need to improve and automate processes in different industries and organizations, which leads to sensitive information being held on devices and on the network. Because of this, it is essential to find a way to protect information, since more and more cybercriminals are developing and executing new cyber attacks that violate the availability, integrity or confidentiality of computers and of personal or corporate information. It is well known that information is a very important asset and can be at risk of being compromised at any time (Najar Pacheco & Suárez Suárez, 2015).
After conducting extensive research on the most common and significant attacks today, it was found that the Open Web Application Security Project (OWASP), an international organization whose main objective is to identify and combat computer attacks, maintains a TOP 10 of the most important security risks in web applications, and the attack that leads this list is SQL injection (Structured Query Language). Given this, the design and implementation of a process that allows the detection and mitigation of the SQL injection attack is proposed, through a set of techniques and Open Access security tools that lead to an efficient and economically viable method that can be implemented by whoever requires it (OWASP, 2017).
The methodology used for the project was as follows. Initially, some SQL injection attack scenarios were defined and executed against the vulnerable DVWA (Damn Vulnerable Web Application) server; through these, sensitive information about the application was obtained, such as the names and number of database columns, the registered users, their passwords and the database version. Manual tests were carried out first, that is, by entering the code directly in the ID field of the DVWA web page; then a Python script was developed from which a greater number of attacks were launched against the server. After an investigation of the techniques used to mitigate the SQL injection vulnerability, it was found that implementing a WAF (Web Application Firewall) is a very viable and effective solution to minimize the risk of the vulnerability being exploited (ORACLE, 2021); several Open Source WAF solutions were therefore identified that could be used, among them Raptor WAF, Octupus WAF and ModSecurity. Taking the above into account, the attack tests were carried out according to the defined scenarios, but this time with each of the WAFs active: the manual attacks were executed, then the attacks from the Python script, and finally the SQLMap tool was used, which detects and exploits the vulnerability by executing automatic attacks and finding the information that can be exposed. The test was carried out with each WAF active and inactive to find information from the application database.
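To make the methodology concrete, the following added example (not code from the thesis or from DVWA) reproduces the two sides of the experiment in miniature: a lookup that concatenates the ID field into the query the way the vulnerable DVWA page does, the same lookup with a bound parameter, and a minimal WAF-style screen placed in front of the vulnerable endpoint. The table, its rows and the detection patterns are constructed and hypothetical; the real WAFs in the study use far larger rule sets.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample data standing in for a DVWA-like "users" table (not the real DVWA schema).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
_conn.executemany(
    "INSERT INTO users VALUES (?, ?, ?)",
    [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Pablo", "Picasso")],
)


def lookup_vulnerable(user_id: str) -> List[Tuple[str, str]]:
    """Mirrors the DVWA-style defect: the ID field is concatenated straight into the SQL text."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return _conn.execute(query).fetchall()


def lookup_parameterized(user_id: str) -> List[Tuple[str, str]]:
    """Same lookup with a bound parameter: the input is data and can never alter the query structure."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return _conn.execute(query, (user_id,)).fetchall()


# Illustrative (hypothetical) subset of the kind of signatures a WAF applies to request parameters.
_SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+", re.IGNORECASE),        # quote followed by a boolean tautology
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.IGNORECASE),  # UNION-based data extraction
    re.compile(r"(--|#|/\*)"),                             # SQL comment sequences used to cut the query
]


def looks_like_sqli(value: str) -> bool:
    """WAF-style screen: True when the parameter matches any injection signature."""
    return any(p.search(value) for p in _SQLI_PATTERNS)


def guarded_lookup(user_id: str) -> Optional[List[Tuple[str, str]]]:
    """WAF in front of the unchanged vulnerable endpoint: None means the request was blocked."""
    if looks_like_sqli(user_id):
        return None
    return lookup_vulnerable(user_id)
```

Running the tautology `' OR '1'='1` through the three functions shows the whole picture: the vulnerable lookup dumps every row, the parameterized one returns nothing, and the guarded one refuses the request before the query runs.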
Different results were obtained from the three WAFs used for the penetration tests. In the manual tests, two of the three WAFs recognized all the attacks as malicious and blocked them, while one of them recognized and blocked only half of the attacks. When the attacks were executed from Python, one of the WAFs stood out from the others, since it withstood a large number of simultaneous attacks, whereas another of them shut down and stopped working after receiving a number of attacks.
