A Survey Of Sql Injection Countermeasures

SQL injection has become a predominant type of attacks that target web applications. It allows attackers to obtain unauthorized access to the back-end database to change the intended application-generated SQL queries. Researchers have proposed various solutions to address SQL injection problems. However, many of them have limitations and often cannot address all kinds of injection problems. What’s more, new types of SQL injection attacks have arisen over the years. To better counter these attacks, identifying and understanding existing countermeasures are very important. In this research , I had surveyed existing techniques against SQL injection attacks and analyzed their advantages and disadvantages. In addition, I identified techniques for building secure systems and applied them to my applications and database system, and illustrated how they were performed and the effect of them.

[1]  Giovanni Vigna,et al.  A Learning-Based Approach to the Detection of SQL Attacks , 2005, DIMVA.

[2]  Alessandro Orso,et al.  Preventing SQL injection attacks using AMNESIA , 2006, ICSE.

[3]  Martin Nystrom,et al.  SQL Injection Defenses , 2007 .

[4]  Bruce W. Weide,et al.  Using parse tree validation to prevent SQL injection attacks , 2005, SEM '05.

[5]  Alessandro Orso,et al.  A Classification of SQL Injection Attacks and Countermeasures , 2006, ISSSE.

[6]  Chris Anley,et al.  Advanced SQL Injection In SQL Server Applications , 2002 .

[7]  Premkumar T. Devanbu,et al.  JDBC checker: a static analysis tool for SQL/JDBC applications , 2004, Proceedings. 26th International Conference on Software Engineering.

[8]  Stephen Kost An Introduction to SQL Injection Attacks for Oracle Developers , 2007 .

[9]  Premkumar T. Devanbu,et al.  Static checking of dynamically generated queries in database applications , 2004, Proceedings. 26th International Conference on Software Engineering.

[10]  Alessandro Orso,et al.  Combining static analysis and runtime monitoring to counter SQL-injection attacks , 2005, ACM SIGSOFT Softw. Eng. Notes.

[11]  Ehud Gudes,et al.  Fine-grained access control to web databases , 2007, SACMAT '07.

[12]  D. T. Lee,et al.  Securing web application code by static analysis and runtime protection , 2004, WWW '04.

[13]  Konstantinos Kemalis,et al.  SQL-IDS: a specification-based approach for SQL-injection detection , 2008, SAC '08.

[14]  Kenji Kono,et al.  Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[15]  Angelos Stavrou,et al.  SQLProb: a proxy-based architecture towards preventing SQL injection attacks , 2009, SAC '09.