On Preventing SQL Injection Attacks

In this paper, we propose three new approaches to detect and prevent SQL Injection Attacks (SQLIA) as alternatives to the existing solutions, namely: (i) a query rewriting-based approach, (ii) an encoding-based approach, and (iii) an assertion-based approach. We discuss in detail the benefits and shortcomings of these proposals with respect to the literature.
