Vulnerabilities in web applications allow malicious users to obtain unrestricted access to private and confidential information. SQL injection attacks rank at the top of the list of threats directed at any database-driven application written for the Web. An attacker can take advantages of web application programming security flaws and pass unexpected malicious SQL statements through a web application for execution by the back-end database. This paper proposes a novel specification-based methodology for the detection of exploitations of SQL injection vulnerabilities. The new approach on the one hand utilizes specifications that define the intended syntactic structure of SQL queries that are produced and executed by the web application and on the other hand monitors the application for executing queries that are in violation of the specification.
The three most important advantages of the new approach against existing analogous mechanisms are that, first, it prevents all forms of SQL injection attacks; second, its effectiveness is independent of any particular target system, application environment, or DBMS; and, third, there is no need to modify the source code of existing web applications to apply the new protection scheme to them.
We developed a prototype SQL injection detection system (SQL-IDS) that implements the proposed algorithm. The system monitors Java-based applications and detects SQL injection attacks in real time. We report some preliminary experimental results over several SQL injection attacks that show that the proposed query-specific detection allows the system to perform focused analysis at negligible computational overhead without producing false positives or false negatives. Therefore, the new approach is very efficient in practice.
[1]
Alessandro Orso,et al.
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks
,
2005,
ASE.
[2]
Giovanni Vigna,et al.
A Learning-Based Approach to the Detection of SQL Attacks
,
2005,
DIMVA.
[3]
Angelos D. Keromytis,et al.
SQLrand: Preventing SQL Injection Attacks
,
2004,
ACNS.
[4]
Viswanathan Kodaganallur,et al.
Incorporating language processing into Java applications: a JavaCC tutorial
,
2004,
IEEE Software.
[5]
Christopher Krügel,et al.
Noxes: a client-side solution for mitigating cross-site scripting attacks
,
2006,
SAC '06.
[6]
Zhendong Su,et al.
An Analysis Framework for Security in Web Applications
,
2004
.
[7]
Alain J. Mayer,et al.
Security of Web Browser Scripting Languages: Vulnerabilities, Attacks, and Remedies
,
1998,
USENIX Security Symposium.
[8]
Niklaus Wirth,et al.
What can we do about the unnecessary diversity of notation for syntactic definitions?
,
1977,
Commun. ACM.
[9]
Dan Holtshouse,et al.
Encyclopedia of E‐Commerce, E‐Government, and Mobile Commerce
,
2007
.
[10]
D. T. Lee,et al.
Securing web application code by static analysis and runtime protection
,
2004,
WWW '04.
[11]
Zhendong Su,et al.
The essence of command injection attacks in web applications
,
2006,
POPL '06.
[12]
Benjamin Livshits,et al.
Finding Security Vulnerabilities in Java Applications with Static Analysis
,
2005,
USENIX Security Symposium.
[13]
Bruce W. Weide,et al.
Using parse tree validation to prevent SQL injection attacks
,
2005,
SEM '05.
[14]
Anh Nguyen-Tuong,et al.
Automatically Hardening Web Applications Using Precise Tainting
,
2005,
SEC.