A Framework for Evaluation of SQL Injection Detection and Prevention Tools

An SQL injection attack (SQLIA) is a hacking technique in which the attacker inserts Structured Query Language code (SQL statements) through a web application's input fields or hidden parameters in order to access its resources. Through SQL injection an attacker gains access to the web application's underlying database and compromises its functionality and/or confidentiality. Researchers have proposed different techniques to detect and prevent this vulnerability. In this paper we present the types of SQL injection attack and the current security tools that detect or prevent this attack, and compare them with each other. Finally, we propose a framework for evaluating SQL injection detection and prevention tools against common criteria. This paper thus provides information about current tools for researchers and also helps security officers choose suitable SQL injection detection tools for their web application security.
