EARLY DETECTION OF SQL INJECTION ATTACKS

SQL Injection (SQLI) is a common vulnerability found in web applications. The starting point of an SQLI attack is the client side (the browser). If attack inputs can be detected at the browser side, the attack can be thwarted early by not forwarding the malicious inputs to the server side for further processing. This paper presents a client-side approach to detect SQLI attacks. The client side accepts shadow SQL queries from the server side and checks for any deviation between the shadow queries and the dynamic queries generated with user-supplied inputs. We measure the deviation between the shadow query and the dynamic query based on conditional entropy metrics and propose four metrics in this direction. We evaluate the approach with three PHP applications containing SQLI vulnerabilities. The evaluation results indicate that our approach can detect well-known SQLI attacks early at the client side and imposes negligible overhead.
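The shadow-versus-dynamic comparison described above can be sketched as follows. This is an added example, not code from the paper: it uses one simplified measure (the conditional entropy of a token class given the preceding token class) rather than the paper's four metrics, and the query template, placeholder values, token classes and function names are all assumptions.

```javascript
// Added example: token classes are K keyword, I identifier, S string, N number, C comment, O other.
const KEYWORDS = new Set(["SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "INSERT",
  "UPDATE", "DELETE", "DROP", "LIKE", "NOT", "NULL"]);
const TOKEN_RE = /'[^']*'|--.*|\d+|\w+|[^\s\w]/g;

function tokenClasses(sql) {
  return (sql.match(TOKEN_RE) || []).map((t) => {
    if (t.length > 1 && t[0] === "'") return "S";
    if (t.startsWith("--")) return "C";
    if (/^\d+$/.test(t)) return "N";
    if (/^\w+$/.test(t)) return KEYWORDS.has(t.toUpperCase()) ? "K" : "I";
    return "O";
  });
}

// H(next class | current class) in bits, estimated from adjacent token pairs.
function conditionalEntropy(classes) {
  const pairs = new Map(), ctx = new Map();
  for (let i = 0; i + 1 < classes.length; i++) {
    const key = classes[i] + classes[i + 1];
    pairs.set(key, (pairs.get(key) || 0) + 1);
    ctx.set(classes[i], (ctx.get(classes[i]) || 0) + 1);
  }
  const total = Math.max(classes.length - 1, 1);
  let h = 0;
  for (const [key, n] of pairs) h -= (n / total) * Math.log2(n / ctx.get(key[0]));
  return h;
}

// Fill {field} slots by plain concatenation, as the vulnerable server-side code would.
const fill = (tpl, vals) => tpl.replace(/\{(\w+)\}/g, (_, k) => String(vals[k]));

// Compare the shadow query (benign placeholders) with the query built from user input.
function checkInputs(template, shadowVals, userVals) {
  const hShadow = conditionalEntropy(tokenClasses(fill(template, shadowVals)));
  const hDynamic = conditionalEntropy(tokenClasses(fill(template, userVals)));
  const deviation = Math.abs(hDynamic - hShadow);
  return { deviation, suspicious: deviation > 1e-9 };
}

// Constructed sample data (hypothetical login form and shadow values).
const TEMPLATE = "SELECT id FROM users WHERE name = '{name}' AND pass = '{pass}'";
const SHADOW = { name: "aaa", pass: "bbb" };
for (const name of ["alice", "' OR '1'='1", "admin' --"]) {
  const r = checkInputs(TEMPLATE, SHADOW, { name, pass: "x" });
  console.log(JSON.stringify(name), r.deviation.toFixed(4), r.suspicious ? "BLOCK" : "forward");
}
```

A browser-side check of this kind only sees requests that pass through the page's own script, so it complements server-side parameterized queries rather than replacing them.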
