XML-based authentication to handle SQL injection

Abstract

Structured Query Language (SQL) injection is one of themost devastating vulnerabilities to impact a business, as it can lead to the exposure of sensitive information stored in an application’s database. SQL injection can compromise usernames, passwords, addresses, phone numbers, and credit card details. It is the vulnerability that results when an attacker achieves the ability to influence SQL queries that an application passes to a back-end database. The attacker can often leverage the syntax and capabilities of SQL, as well as the power and flexibility of supporting database functionality and operating system functionality available to the database to compromise the web application. In this article we demonstrate two non-web-based SQL injection attacks one of which can be carried out by executing a stored procedure with escalating privileges. We present XML-based authentication approach which can handle this problem in some way.