Transactions on Engineering and Computing Sciences - Vol. 12, No. 3
Publication Date: June 25, 2024
DOI:10.14738/tecs.123.17124.
Bassani, M. & Bagui, S. (2024). A Review of Database Attacks. Transactions on Engineering and Computing Sciences, 12(3). 101-125.
Services for Science and Education – United Kingdom
A Review of Database Attacks
Matteo Bassani
Department of Computer Science, University of West Florida, United States
Sikha Bagui
Department of Computer Science, University of West Florida, United States
ABSTRACT
In today’s world, where organizations heavily rely on databases to store and access
critical information, database security is a major concern. This paper provides an
overview of recent trends and popular threats in database security, as well as an
organized literature review of database attacks and related security methods. The
primary objectives of this review are to analyze the current state of database
attacks, highlight effective defense techniques, and identify research gaps and
future directions. The paper categorizes the reviewed literature into various
sections, including general database attacks, SQL Injection attacks, Cross-Site
Scripting (XSS) attacks, Denial of Service (DoS) attacks, mixed attacks, other types
of attacks, and concludes with database encryption techniques. By examining the
merits and demerits of existing approaches, this review aims to contribute to a
better understanding of database attacks and their related countermeasures.
Finally, the findings of this paper can help researchers improve their understanding
of the topic and make progress in the study of techniques to address threats to data
availability, confidentiality, and integrity.
Keywords: Database, Database Security, Database Attacks, SQL Injection, Machine
Learning, Survey.
INTRODUCTION
A database is an organized collection of structured data [1]. Nowadays companies and
organizations strongly rely on databases as a means to store, organize, access, and manipulate
data easily [2]. Typically, databases are structured in relational tables that allow for an easy
modeling of different types of entities and relationships between them. These are known as
relational databases and represent one of the most common and widely used types of databases
[3]. In contrast, non-relational databases do not adhere to the general relational structure, and
their architecture depends strictly on the type of data that needs to be stored [4].
A user interface to a database is provided by a Database Management System (DBMS). This type
of software allows an easier interaction between an authorized user or an application and the
database [3]. Additionally, it helps in the fast retrieval of data by building indices on the most
important tables. Moreover, it builds transaction logs to recover data in the event of a soft or
hard fault and provides various methods to handle concurrency.
The significant role that data plays in the modern world is evident to everyone, as many
organizations heavily rely on digitized information that can be stored and accessed easily,
thanks to the low cost of memory storage and the significant development of internet
infrastructure. In particular, data or database security is regarded as the process of protecting
digital information stored in databases throughout its entire lifecycle to safeguard it from
accidental or intentional threats such as data corruption, unauthorized access, or theft [2].
The basic requirements of data security are [5,6]:
• Data availability: Information must always be accessible to authorized users or
applications.
• Data confidentiality: Information should be accessible only to authorized users and must
not be disclosed by an unauthorized user.
• Data integrity: Information should be preserved without any unauthorized deletion or
modification.
Database attacks are defined as any possible malicious threats that can compromise these
fundamental data security requirements. While data security aims at ensuring data
confidentiality, availability, and integrity in any circumstance (such as memory storage faults),
a database attack specifically refers to malicious activity or unauthorized attempt to
compromise these properties [7].
To classify an incident as a database attack, there must be an intention to gain unauthorized
access, steal or modify data, or disrupt the normal functioning of the database. In 2022 alone,
the number of data compromises in the United States reached 1802 cases. Over 422 million
individuals were affected in the same year by data compromises, including data breaches, leaks,
and exposures [8].
The purpose of this paper is to:
1. Present and discuss the most recent and popular threats that can affect database
security and present an overview of possible solutions to these attacks.
2. Provide an organized literature review on recent trends regarding database attacks and
related security methods.
3. Discuss these papers and highlight their merits/demerits in order to find the most
suitable defense techniques for each type of attack.
4. Explore the gaps and suggest future research directions for this topic.
Ultimately, this review aims to analyze the current situation of database attacks and security
methods in order to understand the direction of research and highlight areas that require
further work. This paper is organized as follows: Section 2 presents database attack methods,
discussing briefly their most popular security measures; Section 3 focuses on the main
literature review; Section 3.1 covers general review papers about database attacks; Section 3.2
focuses on SQL Injection attacks; Section 3.3 focuses on Cross-Site Scripting (XSS) attacks;
Section 3.4 focuses on Denial of Service (DoS) attacks; Section 3.5 focuses on mixed attacks;
Section 3.6 focuses on other types of attacks; Section 3.7 focuses on database encryption
techniques; Section 4 provides a discussion about the papers, and Section 5 presents the
conclusion.
ATTACK METHODS
The attack methods discussed in this work are: SQL Injection, Cross Site Scripting, Denial of
Service, Excessive Privileges, DB Vulnerabilities/Bad Configuration, Weak Audit Trail and
Backup Exposure.
SQL Injection
The great majority of web applications are structured in a three-tier architecture [9]:
• The presentation layer: responsible for presenting and displaying information to the
user.
• The application layer: which implements the logical functionalities of the software.
• The data layer: the backend responsible for managing database access.
SQL (Structured Query Language) is the de facto standard programming language for database
access and manipulation [10]. SQL Injection Attacks (SQLIA) are a classical example of attacks
on a database that originate from the front-end and directly target the back-end by exploiting
knowledge of the popular SQL language and vulnerabilities in the application layer (which
theoretically should properly validate any input inserted by the user). SQLI attacks consist of
injecting maliciously crafted SQL commands (or parts of them) into forms used by the
presentation layer to access the data [11]. The attacker needs to identify the input fields
associated with the generation of the SQL queries and understand how the database tables are
organized. These types of attacks can also be executed by directly injecting malicious code into
the argument values of the website URL [9].
Two main forms of SQLIA are identified [12]:
• Direct attacks, which aim to insert the code into the user input variables of the SQL
command in order to execute them and produce undesirable effects.
• Indirect attacks, which aim to permanently insert malicious code directly into a
database table, so that it is executed at a later moment when the stored value is reused.
SQLIA is widely considered the most dangerous type of threat to a database since it can
compromise the main database security services: confidentiality, integrity, authentication, and
authorization [11].
In fact, a successful SQL Injection attack can [13]:
• Expose sensitive user data by displaying certain database rows or tables.
• Permanently change or delete data.
• Allow login into a protected system without any credentials.
• Alter critical data without the appropriate permissions.
Different types of SQLI attacks can be identified based on the general structure of the query.
Some of the most popular ones are [11,13]: