sai-krishna-msk / ML_Firewall


This repo contains the material covered in the null chapter's seminar on the application of ML to network security

In case you've never heard or need a refresher on SQL Injections or XSS

Contents

  • Context

  • SQL Material

  • Training

  • Demo

Context

Since SQL injections are simply strings, an NLP-based ML model was trained to classify between valid user requests and user requests containing SQL injections or XSS attacks.

The trained model is embedded into a Flask server. Before a user request is used to run the SQL query, the server validates or sanitizes the request by sending it to the model, which classifies it, thus protecting web apps from malicious attacks.

SQL Material

The material used in the seminar is in SQL_practise, in markdown format

Training

The code for the model trained in the seminar, along with the dataset, is in train

Demo

  • The Flask app used in the demo was built specifically to test SQL injections and is borrowed from Jason (with permission to use it)

  • To test the demo website without the model, start the server by navigating to the deploy folder and running

    python vul.py

    Open the web app in the browser and try to get sensitive information through SQL injections; a few examples are given below

    • To print all the elements present in the table
    %'--;
    

    • To check whether you can actually penetrate the system, query the master table
    juice' UNION SELECT 1,2,3 from sqlite_master WHERE type="table"; --
    

    • To print all the tables
    juice' UNION SELECT name,sql,3 from sqlite_master WHERE type="table"; --
    

    • To get the information out of the required table
    juice' UNION SELECT username,password,3 from employees;--
    
  • After witnessing the possible exploits, stop the current server and test again with the server equipped with the ML model

    python mlFirewall.py
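
The contrast the demo walks through, as an added example that is not code from this repo: the same search runs once with input concatenated into the SQL text and once behind a classifier gate. The classifier is a small Naive Bayes stand-in trained on constructed samples (not the seminar's model), and the products schema, the function names, and the bound-parameter query behind the gate are assumptions.

```python
import math, re, sqlite3
from collections import Counter

# Constructed training samples (not the repo's dataset); the malicious ones mirror the payloads above.
SAMPLES = {
    "benign": ["juice", "apple juice", "orange soda", "green tea", "cold coffee 2", "mango"],
    "malicious": ["%'--;", "tea' UNION SELECT 1,2,3 from sqlite_master; --",
                  "tea' UNION SELECT a,b,3 from t;--"],
}

def tokenize(text):
    # Words, numbers, and each punctuation character as its own token.
    return re.findall(r"[a-z_]+|\d+|[^\sa-z\d_]", text.lower())

COUNTS = {label: Counter(t for s in rows for t in tokenize(s)) for label, rows in SAMPLES.items()}
VOCAB = len(set(COUNTS["benign"]) | set(COUNTS["malicious"]))

def score(text, label):
    # Multinomial Naive Bayes log-score with Laplace smoothing.
    counts, total = COUNTS[label], sum(COUNTS[label].values())
    return math.log(len(SAMPLES[label])) + sum(
        math.log((counts[t] + 1) / (total + VOCAB)) for t in tokenize(text))

def is_malicious(text):
    return score(text, "malicious") > score(text, "benign")

def make_db():
    # Hypothetical schema; only the employees table and its columns come from the README.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(name TEXT, price REAL, stock INTEGER);
        CREATE TABLE employees(username TEXT, password TEXT);
        INSERT INTO products VALUES ('apple juice', 2.5, 10), ('green tea', 1.5, 4);
        INSERT INTO employees VALUES ('admin', 'constructed-secret');""")
    return db

def search_vulnerable(db, term):
    # User input becomes part of the SQL text, so a quote in it changes the query.
    sql = f"SELECT name, price, stock FROM products WHERE name LIKE '%{term}%'"
    return db.execute(sql).fetchall()

def search_guarded(db, term):
    # Classifier gate first; the bound parameter keeps a misclassified input as data.
    if is_malicious(term):
        return None  # request rejected before it reaches the database
    sql = "SELECT name, price, stock FROM products WHERE name LIKE ?"
    return db.execute(sql, (f"%{term}%",)).fetchall()
```

`search_guarded` returns `None` for a rejected request and the matching rows otherwise, so a web handler can map `None` to an error response.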
